On Tue, Jul 13, 2021 at 05:33:35PM -0400, post...@ptld.com wrote:

> > If opendkim supports "On-BadSignature reject", that's a disservice to
> > its users.
>
> So it's unacceptable for dkim software to reject a message for a failed
> dkim signature.

Yes.

> But it's okay for dmarc software to reject the message for a failed dkim
> signature?

That's because DMARC (which I don't use or recommend) at least conveys
a sender domain policy that specifies the requested handling of messages
with missing or invalid signatures. DKIM does not convey any policy,
and the correct default policy is to treat invalid signatures the same
way as you would treat missing signatures.

> At the end of the day, does it matter at which step a rejected message
> was rejected?

Yes, it does. A DKIM signature does not imply any expectation that all
messages will have valid signatures.

> Thank you for informing me on the "specs". I tend to roll my eyes at
> some of the RFCs such as helo MUST be a valid FQDN *AND* no one is
> allowed to reject mail for helo not being FQDN. Then why MUST there be a
> rule that MUST not be enforced?

You can break your system if you wish. For the record, nobody else
should follow your example.

-- 
Viktor.