On Wed, 10 Jan 2018 21:59:26 -0500
"Kevin A. McGrail" <kmcgr...@pccc.com> wrote:

> On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:
> > RTFMing, I see that both opendkim and python-policyd-spf have
> > whitelisting capabilities (especially python-policyd-spf). But for
> > the most part, my legitimate incoming email passes DKIM or SPF, but
> > often not both. What I would like to do is accept email that passes
> > either DKIM or SPF, but the milters are not connected in any way
> > that I can see. What I'm trying to avoid is setting up whitelists
> > for each domain based on which method of identity the sysop decided
> > to implement.  
> That sounds like a problematic approach to me.
> 
> If an administrator of a domain sets up DNS for SPF records and then 
> fails, it should fail.
> If an administrator of a domain sets up DNS for DKIM records and that 
> fails, it should fail.
> 
> If an email is failing either, the administrator of the sending
> domain fails either, that indicates a problem.  Assuming your system
> isn't breaking DKIM, the sender really should be notified to resolve
> the issue.  Whitelisting would really open you up to problems.
> 
> Regards,
> KAM

I help with a few people I know that set up their own email to pass
SPF and DKIM, but realistically no major corporation is going to give a
sample of fecal matter to my opinion, presuming I could ever find the
person in charge.

Google is of the opinion that all you need is DKIM. Seems to me they
are correct, but we have to work with whatever the sysop wants to
implement. (Google provides SPF for their cloud servers as a means to
get the IP space. I see hacking from that space of course, so the list
comes in handy for blocking.)

Maybe there is a way to check DKIM first, then skip the SPF check. The
number of servers that only do SPF but not DKIM is small. I have one
contact whose email employs neither SPF nor DKIM. That is plus.net. In
the spirit of making the world a better place, I will contact them and
see how far I get. 
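
The DKIM-first, SPF-second acceptance discussed in the message above, as an added example that is not part of the original thread. It assumes both milters record their results in Authentication-Results headers; the host name mx.example.org, the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of the receiving host
# One "method=result" per semicolon-separated clause, e.g. "dkim=pass" or "spf=softfail"
_RESULT = re.compile(r"(?:^|;)\s*(dkim|spf)\s*=\s*([a-z]+)", re.I)

def auth_results(raw_message):
    """Collect DKIM and SPF results from trusted Authentication-Results headers."""
    found = {"dkim": [], "spf": []}
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        ident = authserv.split()
        # Skip headers not stamped by our own server: the sender can add its own.
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in _RESULT.findall(rest):
            found[method.lower()].append(result.lower())
    return found

def verdict(raw_message):
    """Check DKIM first; consult SPF only when no DKIM signature passed."""
    res = auth_results(raw_message)
    if "pass" in res["dkim"]:
        return "accept (dkim)"
    if "pass" in res["spf"]:
        return "accept (spf)"
    return "reject"

# Constructed sample messages (not real traffic).
BODY = "From: a@sender.example\nSubject: test\n\nhello\n"
DKIM_ONLY = ("Authentication-Results: mx.example.org; dkim=pass header.d=sender.example\n"
             "Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=sender.example\n" + BODY)
SPF_ONLY = ("Authentication-Results: mx.example.org; dkim=none;\n"
            " spf=pass smtp.mailfrom=sender.example\n" + BODY)
FORGED = ("Authentication-Results: mx.example.org; dkim=fail header.d=sender.example; spf=fail\n"
          "Authentication-Results: other.example; dkim=pass header.d=sender.example\n" + BODY)

if __name__ == "__main__":
    for name, raw in (("dkim only", DKIM_ONLY), ("spf only", SPF_ONLY), ("forged", FORGED)):
        print(name, "->", verdict(raw))
```

The third sample carries a "dkim=pass" header stamped with a different authserv-id, which is ignored, so the message is judged only on the results recorded by the receiving host.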
