On Sat, 24 Apr 2021 13:32:09 +0200 Matus UHLAR - fantomas wrote: addresses. > > I still think that DMARC check should be done on edge of internal > network, not anywhere behind it.
It's not about that, it's about whether or not you apply it to <Authenticated-client> -> <trusted third-party mail system> -> <MX server in internal networks> "&& !ALL_INTERNAL" does allow the slightly unreliable DMARC fail test to run on that mail and "&& !ALL_TRUSTED" doesn't. IMO the former wont catch much extra spam because the point of spamming that way is to pick-up DKIM and SPF passes. So it's mostly extra risk.
