On Tue, Jul 13, 2021 at 03:29:42PM -0400, post...@ptld.com wrote:
>
> On 07-13-2021 2:47 pm, Matus UHLAR - fantomas wrote:
> > btw, as always: what are you trying to achieve?
>
> The end goal is per-recipient dkim enforcement. Since it's impossible to
> control if milter/dkim runs or not based on recipient, my next option to
> explore is allowing dkim to run passive to just create the headers, then
> during smtpd_*_restrictions based on recipient decide whether or not to
> take action on the information in the dkim header to reject or allow the
> mail.

FWIW, there is no such thing as "DKIM enforcement", you're probably thinking of DMARC.

The sensible thing to do with DMARC is to add an Authentication-Results (https://datatracker.ietf.org/doc/html/rfc7601) header to the message, and then file into the spam folder on delivery for users who want to opt in to DMARC enforcement. The policy decision is then outside the edge MTA, implemented in the LDA.

--
    Viktor.
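
Added example, not part of the original message or of any project's code: a delivery-time check that reads the Authentication-Results header and files DMARC failures into a spam folder only for recipients who opted in. The authserv-id `mx.example.org`, the opt-in list, the folder names and the sample message are assumptions constructed for illustration; headers stamped with any other authserv-id are ignored, since a sender can supply them.

```python
import email
import re
from email import policy

# Assumptions, not from the thread: the edge MTA's authserv-id and the opt-in list.
AUTHSERV_ID = "mx.example.org"
OPTED_IN = {"alice@example.org"}

# Constructed sample. The second header carries a foreign authserv-id, as a
# sender-supplied header would, and must not influence the decision.
SAMPLE = (
    "Authentication-Results: mx.example.org;\r\n"
    " dkim=fail header.d=example.net; dmarc=fail (p=reject) header.from=example.net\r\n"
    "Authentication-Results: other.example.com; dmarc=pass header.from=example.net\r\n"
    "From: sender@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

COMMENT = re.compile(r"\([^()]*\)")  # non-nested CFWS comments
RESINFO = re.compile(r"\s*([a-z][a-z0-9-]*)(?:/\d+)?\s*=\s*([a-z]+)")


def parse(raw):
    return email.message_from_string(raw, policy=policy.default)


def trusted_results(msg):
    """Return {method: result} from headers stamped with our authserv-id only."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = COMMENT.sub(" ", str(value)).lower().partition(";")
        if authserv.split()[:1] != [AUTHSERV_ID]:
            continue  # not written by our edge MTA: ignore
        for part in rest.split(";"):
            m = RESINFO.match(part)
            if m:
                results.setdefault(m.group(1), m.group(2))  # first result per method
    return results


def folder_for(recipient, msg):
    """LDA-side policy: only opted-in recipients get DMARC failures filed as spam."""
    if recipient.lower() in OPTED_IN and trusted_results(msg).get("dmarc") == "fail":
        return "Junk"
    return "INBOX"


if __name__ == "__main__":
    for rcpt in ("alice@example.org", "bob@example.org"):
        print(rcpt, "->", folder_for(rcpt, parse(SAMPLE)))
```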