On May 16, 2023 12:16:21 PM UTC, Tom Reed via Postfix-users
<postfix-users@postfix.org> wrote:
>Hello list,
>
>Should we reject failed message on DKIM validation stage, or DMARC
>validation stage, or both?
No and it depends.
DKIM has no policy mechanism associated with it, so there's no basis in any
standardized mechanism to determine if a DKIM failure should be cause for
rejection. I don't think it makes logical sense to treat a message with a DKIM
signature that failed to verify any more harshly than you would unsigned mail.
DMARC does have such a policy component. Rejecting mail which fails DMARC for
domains that have a policy of p=reject is common. DMARC does have a high error
rate for some types of email, so I would recommend a careful evaluation of what
you would be rejecting before you do so.
Scott K
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org