> On 13 Jul 2021, at 3:59 pm, post...@ptld.com wrote:
>
>> FWIW, there is no such thing as "DKIM enforcement", you're probably
>> thinking of DMARC.
>
> Maybe it's technically called DMARC, but what I'm referring to is the opendkim
> verification mode with an On-BadSignature reject policy. My layman's term of
> "DKIM enforcement" is in reference to opendkim enforcing DKIM signatures to
> be valid to have mail accepted. Since message forwarding can break signatures
> I wanted to give people the choice to enforce DKIM or not without the drama
> of teaching them how to manage sieve scripts. Plus I'd prefer a rejected
> delivery vs mail being discarded into the void. I will continue to explore
> options.
The DKIM standards are quite emphatically clear that bad signature == no
signature, and that receiving systems MUST NOT reject a message just because
a signature is missing or fails to match. The treatment of messages that
lack a signature is covered by DMARC (and ARC).

It is a really bad idea to reject messages whose DKIM signature is invalid.
DO NOT DO THIS. If opendkim supports "On-BadSignature reject", that's a
disservice to its users.

--
Viktor.
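The point Viktor makes above, as an added example that is not code from the thread, from opendkim or from opendmarc: a minimal DMARC evaluation in which a DKIM "fail" contributes exactly as much as "none", and the reject/quarantine decision comes from the DMARC policy published by the From: domain rather than from a verifier-side knob. The DMARC record text, the From: domain and the DKIM/SPF results are all constructed inputs; a real receiver fetches the record from the `_dmarc.<from-domain>` TXT lookup and gets the results from its DKIM and SPF verifiers. The organizational-domain helper is a two-label simplification of what RFC 7489 does with the Public Suffix List.

```python
"""
Added example, not code from the thread or from opendkim/opendmarc: a minimal
DMARC evaluation showing why a failed DKIM signature counts for exactly as
much as a missing one (nothing), and why reject/quarantine is decided by the
From: domain's published DMARC policy, not by a verifier-side
"reject on bad signature" setting.

All inputs are constructed: the DMARC record text, the From: domain and the
DKIM/SPF results.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DmarcPolicy:
    p: str = "none"    # requested handling on failure: none | quarantine | reject
    adkim: str = "r"   # DKIM identifier alignment: r = relaxed, s = strict
    aspf: str = "r"    # SPF identifier alignment


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    p = tags.get("p", "none").lower()
    if p not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown p= value {p!r}")
    return DmarcPolicy(p=p,
                       adkim=tags.get("adkim", "r").lower(),
                       aspf=tags.get("aspf", "r").lower())


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Simplification: RFC 7489 derives this from the Public Suffix List, so this
    helper is wrong for names such as example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment between the From: domain and the authenticated one."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    dkim: str                   # what the DKIM verifier reported: pass | fail | none
    dkim_domain: Optional[str]  # d= of the signature, or None if unsigned
    spf: str                    # pass | fail | none
    spf_domain: Optional[str]   # domain SPF was checked against (MAIL FROM)


DISPOSITION = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}


def dmarc_disposition(from_domain: str, auth: AuthResults,
                      policy: Optional[DmarcPolicy]) -> Tuple[str, str]:
    """Return (disposition, dmarc_result).

    The only thing that counts in the message's favour is an *aligned pass*.
    A DKIM 'fail' (signature present but broken, e.g. by a forwarder or list
    that rewrote the body) is treated identically to 'none': it neither helps
    nor hurts. Whether a DMARC failure becomes a reject is the sender's call.
    """
    if policy is None:                       # no _dmarc record published
        return "accept", "dmarc=none"
    dkim_ok = auth.dkim == "pass" and aligned(from_domain, auth.dkim_domain, policy.adkim)
    spf_ok = auth.spf == "pass" and aligned(from_domain, auth.spf_domain, policy.aspf)
    if dkim_ok or spf_ok:
        return "accept", "dmarc=pass"
    return DISPOSITION[policy.p], "dmarc=fail"


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; adkim=s; aspf=r")
    # Constructed: mail from example.com whose DKIM signature was broken by a
    # list footer, but SPF still passes for example.com's own MTA. A verifier
    # that rejects on bad signature would bounce this; DMARC passes it.
    broken_dkim = AuthResults("fail", "example.com", "pass", "example.com")
    print("broken DKIM, aligned SPF pass:",
          dmarc_disposition("example.com", broken_dkim, policy))
    # Same message after a forwarder: SPF fails too, DMARC fails, p=reject applies.
    forwarded = AuthResults("fail", "example.com", "fail", "forwarder.example.net")
    print("broken DKIM, SPF fail, p=reject:",
          dmarc_disposition("example.com", forwarded, policy))
    # Under p=none the domain owner asked for delivery plus reports, nothing more.
    print("same message under p=none:",
          dmarc_disposition("example.com", forwarded, parse_dmarc("v=DMARC1; p=none")))
```

The first scenario in the `__main__` block is the one that bites a site running "reject on bad signature": the signature is broken, DMARC still passes on aligned SPF, and the message should be delivered. Whether the third scenario is rejected, quarantined or accepted is entirely the sending domain's choice via `p=`, which is the only place that choice belongs.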