Hello,
I don't think you're in the right forum for these questions, as they
aren't really related to postfix.
> 0.1 DKIM_INVALID DKIM or DK signature exists, but is not valid
> Is this normal or a point for worry? It did say "not spam".
I'd assume you did not add a milter which checks DKIM. I have OpenDKIM
set up to add the DKIM checks and SpamAssassin checks these. I'm not sure if
SpamAssassin is able to do the necessary checks itself.
But if you have DKIM_INVALID for valid messages then something is not
working.
> 2(a) I get lots of dmarc reports. After looking at a few, I started
> pushing them to a special dmarc mailbox where I don't have to see
> them. Is there any sense in which these are actionable? Should I
> occasionally look at them or set a machine to look at them? Are there
> any easy ways to look at them, say a mutt viewer? (Detach, ungzip,
> and dmarc-cat doesn't scale.) Or automated tools?
If you operate multiple machines and systems sending mail these reports
are helpful to find missing or incomplete setup. Then check them from time
to time to find issues.
Otherwise, when you have simpler setup, these reports only allow you to
see how your domain gets misused. As you can't do anything against this it
makes no sense to get the reports. In this case remove them as soon as you
are sure your setup works.
If you have reports enabled then please ensure that you accept
report emails! My server sends such reports and my auto-generated list of
domains which I no longer send reports to already has more than 5000
entries.
> 2(b) Is there any general guidance for whether to set the policy to
> nothing, spam, or reject?
I personally think of DKIM as an optional authentication system, so my
domains leave the decision to the target domains and I also don't follow the
DMARC suggestion, but only add to the SpamAssassin score for invalid DKIM.
> 3. I'm finding that occasionally sites will stop delivering our mail.
> Sometimes they explain it (hotmail refusing to accept) and one can
> flag it. Other times (OVH recently) someone just stops seeing my
> mail at all. Some sites claim that ISPs block entire /24's, which
> strikes me as oddly indiscriminate post-1990 or so. Is this all
> normal?
If operating a mail server you will have to white-list your server with a
bunch of major players via their own interfaces. They simply block large
networks instead of individual IPs. That's a sad situation, but it's
normal.
If your server appears in one of the RBL lists, then you should fix the
issue causing this.
Ciao
--
https://www.dstoecker.eu/ (PGP key available)
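For question 2(a), the part of "check them from time to time" that does scale is summarising the aggregate (RUA) XML per source IP instead of reading each report. The script below is an added example, not code from this thread or from any of the tools named in it; the embedded report and all addresses in it are constructed for illustration, and a real report must first be detached and un-gzipped/unzipped before being passed in.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate (RUA) report with only the fields used
# below. Real reports arrive as gzip/zip attachments; unpack them first.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.org</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>7</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>3</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""

def summarize_dmarc_report(xml_text):
    """Return (domain, policy, per_ip) with message counts per source IP,
    bucketed as "pass" (DKIM and SPF aligned), "partial" (one aligned) or
    "fail" (neither). The "fail" rows are the ones worth a look: a host you
    forgot to set up, or someone else putting your domain in From:."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    policy = root.findtext("policy_published/p")
    per_ip = defaultdict(lambda: {"pass": 0, "partial": 0, "fail": 0})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        spf = row.findtext("policy_evaluated/spf") == "pass"
        bucket = "pass" if dkim and spf else "partial" if dkim or spf else "fail"
        per_ip[ip][bucket] += count
    return domain, policy, dict(per_ip)

def failing_sources(xml_text):
    """Source IPs whose mail failed both DKIM and SPF alignment."""
    _, _, per_ip = summarize_dmarc_report(xml_text)
    return sorted(ip for ip, c in per_ip.items() if c["fail"] > 0)

if __name__ == "__main__":
    domain, policy, per_ip = summarize_dmarc_report(SAMPLE_REPORT)
    print(f"{domain} (p={policy})")
    for ip, c in per_ip.items():
        print(f"  {ip:15} pass={c['pass']:4} partial={c['partial']:4} fail={c['fail']:4}")
```

Feeding every unpacked report in the dmarc mailbox through this and only looking at the output of `failing_sources` is enough to notice a forgotten sending host without reading the reports one by one.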