On 07-13-2021 4:14 pm, Viktor Dukhovni wrote:
> The DKIM standards are quite emphatically clear that bad signature == no signature, and that receiving systems MUST NOT reject a message just because a signature is missing or fails to match. The treatment of messages that lack a signature is covered by DMARC (and ARC).
>
> It is a really bad idea to reject messages whose DKIM signature is invalid. DO NOT DO THIS.
>
> If opendkim supports "On-BadSignature reject", that's a disservice to its users.
So it's unacceptable for DKIM software to reject a message for a failed DKIM signature. But it's okay for DMARC software to reject the message for a failed DKIM signature? At the end of the day, does it matter at which step a rejected message was rejected?

Thank you for informing me on the "specs". I tend to roll my eyes at some of the RFCs, such as HELO MUST be a valid FQDN *AND* no one is allowed to reject mail for HELO not being an FQDN. Then why MUST there be a rule that MUST not be enforced?

But this is why I want to leave the choice with the end user, just as they could set up Sieve to do the same thing; I'm just trying to make it more user friendly. Or are you going to tell me there is an RFC forbidding end users from also discarding emails with a failed SPF or DKIM?
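As an added illustration of the point argued above (example code, not from the thread or from any poster): a minimal DMARC evaluation in which a DKIM signature that fails verification contributes nothing, exactly as if it were absent, and the disposition comes only from the sender domain's p= tag. The organizational-domain heuristic, the record parser and the sample results are constructed assumptions of this example.

```python
from dataclasses import dataclass

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; adkim=s") into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def org_domain(domain: str) -> str:
    # Simplified organizational domain (last two labels). Real DMARC uses the
    # Public Suffix List; this heuristic is an assumption of the example.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    # "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header
    dkim: list         # [(d= domain, "pass" / "fail" / "none"), ...]
    spf: tuple         # (MAIL FROM domain, "pass" / "fail" / "none")

def dmarc_evaluate(res: AuthResults, record: dict):
    """Return (dmarc_result, disposition).

    Only an aligned *passing* DKIM or SPF result satisfies DMARC; a failed
    signature is simply ignored. The disposition is taken from the domain
    owner's p= tag (pct= sampling is deliberately omitted here)."""
    adkim, aspf = record.get("adkim", "r"), record.get("aspf", "r")
    dkim_ok = any(r == "pass" and aligned(d, res.from_domain, adkim)
                  for d, r in res.dkim)
    spf_dom, spf_res = res.spf
    spf_ok = spf_res == "pass" and aligned(spf_dom, res.from_domain, aspf)
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", record.get("p", "none")

# Constructed sample: the DKIM signature is broken (e.g. mangled in transit),
# but SPF passes for a subdomain that is relaxed-aligned with the From domain.
SAMPLE = AuthResults("example.com", [("example.com", "fail")],
                     ("mail.example.com", "pass"))
```

With SAMPLE the message passes DMARC despite the bad signature; the same message with an unaligned SPF result fails, and whether that failure becomes a reject is decided by p=, not by the verifier.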