On 12/02/2021 8:50 am, Bill Cole wrote:
> On 11 Feb 2021, at 10:25, Benny Pedersen wrote:
>> On 2021-02-11 15:12, Bill Cole wrote:
>>> On 11 Feb 2021, at 4:32, Eugene Podshivalov wrote:
>>>> Is it safe enough nowadays to drop dmarc failed incoming mail with
>>>> opendmarc?
>>> No. It very likely never will be, particularly as long as Sendmail is
>>> in widespread use.
>> why ?
>> is it the 8bitmime problem signing 8bitmime content ?, or other
>> problems ?
>> reference amavisd how to dkim sign
> Sendmail will modify headers after Milter actions. See
> confMUST_QUOTE_CHARS in cf/README and the README for dkimpy-milter for
> details. If a message is signed without doing a preliminary
> Sendmail-like fixup of To and Cc headers, Sendmail may break the
> signature.

To me that sounds like a reason not to use Sendmail, rather than a
reason not to apply DMARC policy? ;-)

FWIW I do apply whatever DMARC policy is published for all email I
receive. So if a domain publishes a reject policy (i.e. p=reject), and I
receive an email from that domain that fails DMARC, I reject the email.
(If the reason it failed is because they are using Sendmail and it
mangled the content, then IMHO they probably shouldn't have published a
reject policy in the first place?)

Perhaps the advice should be: If you are using Sendmail, then (a) you
shouldn't publish a DMARC policy and (b) you shouldn't reject emails
based on failed DMARC check; but if you aren't using Sendmail then as
long as you don't mind rejecting emails from misconfigured domains, then
it is fine to apply whatever policy is published by that domain? The way
I see it at least when you reject an email it might give the sender a
clue that they have a DMARC problem? ...That is, except when their email
has been forwarded by a mailing list. :-(

Nick.
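
Added example, not part of the thread or of any poster's code: a Python sketch of the failure Bill Cole describes, where a To header is rewritten after the milter has signed. `sendmail_like_fixup` is a hypothetical, simplified stand-in for Sendmail's quoting (one address per header, must-quote set assumed to be `.'`), the headers are constructed, and the digest omits the DKIM-Signature header that a real signer also hashes.

```python
import hashlib
import re

MUST_QUOTE = ".'"  # assumed confMUST_QUOTE_CHARS value for this demo
SAMPLE = [  # constructed headers
    ("From", "Alice <alice@example.com>"),
    ("To", "John Q. Public  <jqp@example.org>"),
    ("Subject", "quarterly\r\n  report"),
]

def relaxed_header(name: str, value: str) -> bytes:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n".encode()

def sendmail_like_fixup(value: str) -> str:
    """Hypothetical stand-in for the MTA rewrite: quote a display name that
    contains a must-quote character. Not Sendmail's actual algorithm."""
    m = re.fullmatch(r"\s*([^\"<>]+?)\s*<([^<>]+)>\s*", value)
    if m and any(c in MUST_QUOTE for c in m.group(1)):
        return f'"{m.group(1)}" <{m.group(2)}>'
    return value

def header_digest(headers: list[tuple[str, str]]) -> str:
    """SHA-256 over the canonicalized signed headers (simplified: a real
    DKIM header hash also covers the DKIM-Signature header itself)."""
    h = hashlib.sha256()
    for name, value in headers:
        h.update(relaxed_header(name, value))
    return h.hexdigest()

def survives_rewrite(headers, fix_before_signing: bool) -> bool:
    """True if the digest computed at signing time still matches what a
    verifier sees after To/Cc have been rewritten by the MTA."""
    def rewrite(hs):
        return [(n, sendmail_like_fixup(v) if n.lower() in ("to", "cc") else v)
                for n, v in hs]
    to_sign = rewrite(headers) if fix_before_signing else headers
    signed = header_digest(to_sign)
    delivered = rewrite(to_sign)  # the rewrite happens after the milter signs
    return signed == header_digest(delivered)

if __name__ == "__main__":
    print("signed as-is:      ", survives_rewrite(SAMPLE, False))
    print("fixed, then signed:", survives_rewrite(SAMPLE, True))
```

Relaxed canonicalization only normalizes whitespace and header-name case, so the added quote characters change the hash; applying the same fixup before signing keeps the two digests equal.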