On 12/11/2023 02:02, Dino Edwards wrote:
That's correct, if you're using only opendmarc just the
inet:127.0.0.1:54321 is needed, thats all you need, are you sure it
>is adding sigs on sending? send an email to check-a...@verifier.port25.com wait a minute then check its results email.
If opendmarc requires dkim signature verification before it makes a
decision, I will need something that checks dkim first, right? I did
send an e-mail to the e-mail address you suggested and everything looks
good:
DMARC (thus OpenDMARC) makes its decision based on the senders DMARC fo
policy -
if policy uses fo=0 then yes, both SPF and DKIM must exist, and both
must pass.
if policy uses fo=1 then no, as a minimum _either_ SPF or DKIM must
exist, and pass, so DMARC will work with only SPF or only DKIM, it will
also work with both, which has the advantage that only one of these must
pass, eg: SPF passes but DKIM fails, DMARC usinng fo=1 will pass.
I recommend fo=1 for general use but fo=0 for critical areas, like
govts, legal and finance sectors, or those who deal with them on a very
regular basis, in which case they wouldn't be authorised to use there
govt/corp email for private use so if ill-configured mailing lists for
example rejected them, then that's acceptable collateral damage.
--
Regards,
Noel Butler
This Email, including attachments, may contain legally privileged
information, therefore at all times remains confidential and subject to
copyright protected under international law. You may not disseminate
this message without the authors express written authority to do so.
If you are not the intended recipient, please notify the sender then
delete all copies of this message including attachments immediately.
Confidentiality, copyright, and legal privilege are not waived or lost
by reason of the mistaken delivery of this message.
