On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800)
Tom Reed via Postfix-users <t...@dkinbox.com>
is rumored to have said:
Hello list,
Should we reject failed message on DKIM validation stage, or DMARC
validation stage, or both?
Generally, neither.
IF (and ONLY IF) the "From: " header address domain aligns with the
DKIM-signing domain AND that domain also has a DMARC record in DNS which
specifies "p=reject" you may choose to reject a failed message. So,
obviously, you cannot know whether rejection is reasonable before doing
the full DKIM/DMARC analysis.
NOTE WELL: DKIM signatures are notoriously fragile, and are broken by
MTA behaviors which have been commonplace for the lifetime of the
Internet. If you reject messages based on an existing DKIM signature not
verifying, you will reject some entirely legitimate mail for no good
reason.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
