[pfx] Re: DKIM and DMARC

Tue, 16 May 2023 08:35:43 -0700 

On 2023-05-16 at 10:11:39 UTC-0400 (Tue, 16 May 2023 22:11:39 +0800)
Tom Reed via Postfix-users <t...@dkinbox.com>
is rumored to have said:


For OpenDMARC this setting:

SPFSelfValidate true

Can it handle the case when incoming message has rewritten
envelope address by SRS then no SPF found for header From address?
I have no idea what the answer to that is, as I don't use OpenDMARC. You may want to figure out where, if anywhere, OpenDMARC support is available. 


If opendmarc can implement SPF checks for header From address ,
That would be much better.


 Thanks


On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
Tom Reed via Postfix-users <t...@dkinbox.com>
is rumored to have said:


Hello list,

Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?


Generally, neither.

IF (and ONLY IF) the "From: " header address domain aligns with the
DKIM-signing domain AND that domain also has a DMARC record in DNS which 
specifies "p=reject"  you may choose to reject a failed message. So,
obviously, you cannot know whether rejection is reasonable before doing 
the full DKIM/DMARC analysis.

NOTE WELL: DKIM signatures are notoriously fragile, and are broken by
MTA behaviors which have been commonplace for the lifetime of the
Internet. If you reject messages based on an existing DKIM signature not 
verifying, you will reject some entirely legitimate mail for no good
reason.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org




--
sent from https://dkinbox.com/

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org

Reply via email to