On 12/11/23 15:10, Noel Butler wrote:
DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
fo policy -
if policy uses fo=0 then yes, both SPF and DKIM must exist, and
both must pass.
if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must
exist, and pass, so DMARC will work with only SPF or only DKIM, it
will also work with both, which has the advantage that only one of
these must pass, eg: SPF passes but DKIM fails, DMARC using fo=1
will pass.
I recommend fo=1 for general use but fo=0 for critical areas, like
govts, legal and finance sectors, or those who deal with them on a
very regular basis, in which case they wouldn't be authorised to use
their govt/corp email for private use so if ill-configured mailing
lists for example rejected them, then that's acceptable collateral
damage.
On 12.11.23 16:03, Nick Tait wrote:
My understanding of the "fo" option is that it is only used for
reporting. i.e. It doesn't control whether the received email is
accepted or not, which is always based on /either/ SPF or DKIM checks
passing.
From RFC 7489:
fo: Failure reporting options (plain-text; OPTIONAL; default is "0")
Provides requested options for generation of failure reports.
Report generators MAY choose to adhere to the requested options.
This tag's content MUST be ignored if a "ruf" tag (below) is not
also specified...
Looking at it, fo=0 should generate a DMARC report for each individual mail
forwarded, either through mailing list or via other ways.
If there is anything hostile to mailing lists in DMARC specification, it's
this.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Remember half the people you know are below average.
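
Added example, not part of the original thread or of OpenDMARC: a Python sketch of the RFC 7489 text quoted above, keeping the DMARC pass/fail result separate from the "fo" failure-report request. All function names, the record strings and the example.org address are constructed for illustration; the "d" and "s" options are simplified to a plain "fail" result.

```python
# Added example: RFC 7489 "fo" semantics. All names are hypothetical.

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned_pass(mech):
    """mech is {'result': 'pass'|'fail'|'none', 'aligned': bool}."""
    return mech["result"] == "pass" and mech["aligned"]

def dmarc_pass(spf, dkim):
    """DMARC result: one aligned pass from either mechanism is enough.
    The fo tag is never consulted here."""
    return aligned_pass(spf) or aligned_pass(dkim)

def failure_report_requested(tags, spf, dkim):
    """Does the published record request a failure report for this message?"""
    if "ruf" not in tags:
        return False  # fo MUST be ignored when no ruf tag is present
    opts = {o.strip() for o in tags.get("fo", "0").split(":")}  # default "0"
    s_ok, d_ok = aligned_pass(spf), aligned_pass(dkim)
    return (
        ("0" in opts and not (s_ok or d_ok))       # all mechanisms failed
        or ("1" in opts and not (s_ok and d_ok))   # any mechanism failed
        or ("d" in opts and dkim["result"] == "fail")  # simplified
        or ("s" in opts and spf["result"] == "fail")   # simplified
    )

# Constructed sample: SPF passes aligned, the DKIM signature fails to verify.
RUF = "ruf=mailto:forensic@example.org"
SPF_OK = {"result": "pass", "aligned": True}
DKIM_BROKEN = {"result": "fail", "aligned": True}

if __name__ == "__main__":
    for fo in ("0", "1"):
        tags = parse_dmarc(f"v=DMARC1; p=reject; fo={fo}; {RUF}")
        print(f"fo={fo}: dmarc_pass={dmarc_pass(SPF_OK, DKIM_BROKEN)}, "
              f"report={failure_report_requested(tags, SPF_OK, DKIM_BROKEN)}")
```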