On 19/03/22 01:46, Jesper Dybdal wrote:
> > However, opendmarc milter requires those Authentication-Results
> > headers for SPF and DKIM to be already present. So you need spf/dkim
> > milter(s) before opendmarc.
>
> I use Amavis to generate and verify DKIM signatures, and
> policyd-spf-python to perform SPF checks. That works, but means that
> the opendmarc milter must be run by the after-Amavis smtpd.

Just in case you weren't aware: OpenDMARC can perform SPF validation,
and although I don't recall the exact details, I seem to remember there
was a security exploit that could be prevented by getting OpenDMARC to
always do its own SPF validation?

The options that force OpenDMARC to perform SPF are:

    SPFIgnoreResults true
    SPFSelfValidate true

Also, in case you are thinking that doing the SPF check twice (e.g.
policyd-spf-python and OpenDMARC) will introduce unnecessary delays, it
doesn't. The reason is because the results of the first SPF check DNS
lookups are cached by the DNS Server, so the second SPF check incurs a
negligible delay.
Thanks,
Nick.
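
An added example, not part of the message above: a small audit that checks whether an opendmarc.conf text enables the two options Nick names. The function names and sample config are constructed for illustration; the file format (whitespace-separated `Key value` lines, `#` comments, case-insensitive keys, booleans decided by their first character) is an assumption about OpenDMARC's config parser.

```python
# Added example: audit opendmarc.conf text for the two SPF options from the thread.
REQUIRED = ("SPFIgnoreResults", "SPFSelfValidate")

def parse_bool(value):
    """Assumed convention: first character decides (t/y/1 true, f/n/0 false)."""
    first = value.strip()[:1].lower()
    if first in ("t", "y", "1"):
        return True
    if first in ("f", "n", "0"):
        return False
    return None  # not a recognisable boolean

def audit_spf_self_validation(conf_text):
    """Return {option: finding}; 'ok' only if set and every occurrence is true."""
    seen = {name.lower(): [] for name in REQUIRED}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. commented-out keys
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in seen:
            value = parts[1] if len(parts) > 1 else ""
            seen[key].append((lineno, parse_bool(value)))
    findings = {}
    for name in REQUIRED:
        entries = seen[name.lower()]
        bad = [n for n, v in entries if v is None]
        off = [n for n, v in entries if v is False]
        if not entries:
            findings[name] = "missing"
        elif bad:
            findings[name] = "invalid value on line %d" % bad[0]
        elif off:
            findings[name] = "disabled on line %d" % off[0]
        else:
            findings[name] = "ok"
    return findings

# Constructed sample: one option set, the other left commented out.
SAMPLE = """\
# constructed sample config
Socket  inet:8893@localhost
SPFIgnoreResults true
#SPFSelfValidate true
"""

if __name__ == "__main__":
    for option, finding in audit_spf_self_validation(SAMPLE).items():
        print(option, "->", finding)
```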