K.I.S.S. Because of forwarding, both SPF and DKIM signatures *could* be broken. This is what DMARC was introduced for. DMARC checks the results of both SPF and DKIM, and as long as one of those two passes then the mail is good so DMARC passes. If both SPF and DKIM fail, then DMARC fails, and *THEN* you reject the mail (policy permitting).
So no, imo, you should not blindly reject based on the outcome of DKIM. Now, because not everyone understands or knows how all three (SPF, DKIM and DMARC) play together and doesn't set all three up on their mail server... If you have the ability to fine-tune your policy, one step further would be to reject on a DKIM fail *ONLY* if there is no DMARC and no SPF set up. And vice versa for SPF: if they are only using SPF and have no DKIM or DMARC, then reject on a failed SPF.
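The policy described in the message above, sketched as an added example that is not part of the original post or of Postfix. It assumes an upstream verifier has already stamped an RFC 8601 `Authentication-Results` header; the function names, the `dmarc_policy` argument (the sender's published `p=` value, looked up elsewhere) and the sample headers are constructed for illustration.

```python
import re

def parse_auth_results(header):
    """Extract spf/dkim/dmarc verdicts; a method that is absent counts as 'none'."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = re.sub(r"\([^)]*\)", "", header)  # drop RFC 8601 comments
    pattern = r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)"
    for method, result in re.findall(pattern, header, re.I):
        method, result = method.lower(), result.lower()
        # Several DKIM signatures may be reported: one pass is enough.
        if result == "pass" or verdicts[method] == "none":
            verdicts[method] = result
    return verdicts

def decide(verdicts, dmarc_policy="reject"):
    """Return 'reject' or 'accept' following the policy in the message above."""
    spf, dkim, dmarc = verdicts["spf"], verdicts["dkim"], verdicts["dmarc"]
    if dmarc != "none":
        # The domain publishes DMARC: let it arbitrate, policy permitting.
        if dmarc == "fail" and dmarc_policy == "reject":
            return "reject"
        return "accept"
    # No DMARC: reject on a single failed method only if it is the only one set up.
    if dkim == "fail" and spf == "none":
        return "reject"
    if spf == "fail" and dkim == "none":
        return "reject"
    return "accept"

def check(header, dmarc_policy="reject"):
    return decide(parse_auth_results(header), dmarc_policy)

# Constructed sample headers (not taken from real mail).
FORWARDED = ("mx.example.net; spf=fail smtp.mailfrom=alice@example.org; "
             "dkim=pass header.d=example.org; dmarc=pass header.from=example.org")
BOTH_FAIL = ("mx.example.net; spf=fail smtp.mailfrom=bob@example.org; "
             "dkim=fail (body hash mismatch) header.d=example.org; "
             "dmarc=fail header.from=example.org")
DKIM_ONLY = "mx.example.net; spf=none; dkim=fail header.d=example.org; dmarc=none"
SPF_ONLY = "mx.example.net; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=none"
NO_DMARC = "mx.example.net; spf=fail; dkim=pass header.d=example.org; dmarc=none"

if __name__ == "__main__":
    for name in ("FORWARDED", "BOTH_FAIL", "DKIM_ONLY", "SPF_ONLY", "NO_DMARC"):
        print(name, check(globals()[name]))
```

Only a hard `fail` triggers a rejection here; `softfail`, `temperror` and `permerror` are accepted and left to other filtering.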