On Tue, Jun 11, 2024 at 10:18:17AM +0800, Jeff Peng via Postfix-users wrote:

> SPF and DMARC have a policy to reject a message.
> My question is, why does DKIM have no option for rejecting messages?
> For example, if a DKIM signature fails, where do I instruct that this
> message be rejected?

Per the specification, a DKIM signature that fails to match the message
content MUST be treated the same as absence of DKIM signatures.  Also,
absent a DKIM-Signature header, you can't even find the DKIM DNS record,
because the selector is unknown.  Any associated policy for a particular
domain is found in DMARC, etc. and also covers absence of signatures.

The signature is an end-to-end origin indicator, that is more usable
than the hop-by-hop IP address.  There is no email policy in the IP
address either.  Don't confuse DKIM with SPF policy; DKIM is analogous
to the IP address, not SPF.  SPF is like DMARC, with IP addresses for
identifiers, and only direct single-hop delivery.

-- 
    Viktor.
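
The point made in the reply above, as an added example that is not part of the original message: the DKIM key record can only be located from the `d=` and `s=` tags of a DKIM-Signature header, and the reject decision comes from the DMARC policy, which treats a failed signature and a missing one identically. The sample headers are constructed, and the alignment check is a simplification (real DMARC compares organizational domains using a public suffix list).

```python
import re

def dkim_key_name(headers):
    """DNS name of the DKIM key record, or None when no signature is present.

    The selector (s=) and signing domain (d=) exist only inside the
    DKIM-Signature header, so an unsigned message gives nothing to query.
    """
    for name, value in headers:
        if name.lower() != "dkim-signature":
            continue
        tags = {}
        # Tag list is "tag=value" pairs separated by ';', possibly folded.
        for part in re.sub(r"\s+", "", value).split(";"):
            if "=" in part:
                key, val = part.split("=", 1)
                tags[key] = val
        if "s" in tags and "d" in tags:
            return f"{tags['s']}._domainkey.{tags['d']}"
    return None

def aligned(domain, from_domain):
    # Simplified relaxed alignment: exact match or subdomain of the From domain.
    return domain == from_domain or domain.endswith("." + from_domain)

def dmarc_disposition(from_domain, policy, dkim_results, spf=None):
    """Apply the p= value published at _dmarc.<from_domain>.

    dkim_results: list of (result, d) pairs, empty for an unsigned message.
    spf: optional (result, domain) pair for the envelope sender.
    """
    if any(r == "pass" and aligned(d, from_domain) for r, d in dkim_results):
        return "accept"
    if spf and spf[0] == "pass" and aligned(spf[1], from_domain):
        return "accept"
    # No aligned pass: a failed signature and no signature land here alike.
    return policy if policy in ("reject", "quarantine") else "accept"

# Constructed sample messages (bh=/b= values are placeholders).
SIGNED = [("From", "alice@example.com"),
          ("DKIM-Signature", "v=1; a=rsa-sha256; d=example.com; s=sel2024;\r\n"
                             "\t h=from:subject; bh=...; b=...")]
UNSIGNED = [("From", "alice@example.com")]

if __name__ == "__main__":
    print(dkim_key_name(SIGNED), dkim_key_name(UNSIGNED))
    print(dmarc_disposition("example.com", "reject", [("fail", "example.com")]))
    print(dmarc_disposition("example.com", "reject", []))
```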