On Fri, 5 May 2017 19:56:27 +0000 David Jones wrote:
> >Alignment of the two from addresses is needed in DMARC so that SPF can
> >match on the same domain that the MUA displays (if it even does). It
> >doesn't do anything for DKIM.
>
> Did you read that returnpath.com link above about DMARC passing if
> SPF or DKIM passes and are aligned? They know what they are doing
> and I have seen this to be true in my own inbound mail based on
> OpenDMARC headers.

I don't doubt that *they* know what they are doing. That article gives reasons to have both on outgoing mail, but has no argument at all in favour of requiring both to verify incoming mail.

> >I don't see why anyone would want a form of whitelisting where a
> >DKIM pass on a trusted domain would be ignored if there's no SPF
> >pass.
>
> Correct.

I don't know why you write "correct" and then go on to write something contrary.

> This is why I only add envelope-from domains to my
> whitelist_auth list that is currently 2,595 entries.

That's not a good idea. When you don't feel you can just put a "header from" domain into whitelist_auth, you should use one or both of whitelist_from_dkim and whitelist_from_spf instead.
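
The rule discussed in this thread, that DMARC passes when either SPF or DKIM passes on a domain aligned with the header From, shown as an added example that is not part of the original message. Function names and sample messages are constructed, and the two-label organizational-domain shortcut is an assumption standing in for a Public Suffix List lookup.

```python
"""Simplified DMARC pass/fail evaluation (identifier alignment, RFC 7489)."""

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. A real evaluator
    # must use the Public Suffix List (this shortcut is wrong for co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict mode needs an exact match; relaxed mode compares org domains.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def dmarc_eval(header_from, envelope_from, spf_result, dkim_sigs, strict=False):
    """All domains are bare domain names; dkim_sigs is [(d= domain, result)]."""
    # SPF authenticates the envelope-from domain, DKIM the signing (d=) domain.
    spf_ok = spf_result == "pass" and aligned(envelope_from, header_from, strict)
    dkim_ok = any(r == "pass" and aligned(d, header_from, strict)
                  for d, r in dkim_sigs)
    # One aligned pass is sufficient; both are not required.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (not taken from the thread):
# (header From domain, envelope-from domain, SPF result, DKIM signatures)
SAMPLES = {
    "esp_sent":  ("news.example.com", "bounces.example.net", "pass",
                  [("example.com", "pass")]),
    "forwarded": ("example.com", "example.com", "fail",
                  [("example.com", "pass")]),
    "spf_only":  ("example.org", "mail.example.org", "pass", []),
    "unaligned": ("example.com", "bounces.example.net", "pass",
                  [("example.net", "pass")]),
}

def evaluate_samples(strict=False):
    return {name: dmarc_eval(*msg, strict=strict) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, res in evaluate_samples().items():
        print(f"{name:10} {res}")
```

In `esp_sent` the envelope-from domain differs from the header From domain, so only the DKIM signature supplies an aligned pass; in `unaligned` both mechanisms pass but neither aligns, so DMARC fails.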