If policy uses fo=0 then yes, both SPF and DKIM must exist, and both must pass.

If policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must exist, and pass, so DMARC will work with only SPF or only DKIM, it will also work with both, which has the advantage that only one of these must pass, e.g.: SPF passes but DKIM fails, DMARC using fo=1 will pass.

I recommend fo=1 for general use but fo=0 for critical areas, like govts, legal and finance sectors, or those who deal with them on a very regular basis, in which case they wouldn't be authorised to use their govt/corp email for private use so if ill-configured mailing lists for example rejected them, then that's acceptable collateral damage.

[...]
My understanding of the "fo" option is that it is only used for reporting, i.e. it doesn't control whether the received email is accepted or not, which is always based on /either/ SPF or DKIM checks passing.
[...]
Ahhh you're right, my very bad, I was confusing r/s ...

Would the above finetuning of (DKIM || SPF) vs. (DKIM && SPF) have been achieved in some early draft version? I cannot place "r/s" in any other context than relaxed vs. strict alignment.
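
The two knobs discussed in this thread, as they are defined in RFC 7489, shown in an added example that is not part of any poster's message: the pass/fail verdict depends only on aligned SPF or DKIM (with `aspf`/`adkim` choosing relaxed or strict alignment), while `fo` only selects when a failure report is generated. The function names, the two-label organizational-domain shortcut and the sample records are assumptions; only `fo` values 0 and 1 are handled.

```python
# Simplified DMARC evaluation after RFC 7489 (illustration, not a full implementation).

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; fo=1' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # Real code must consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        from_domain, dkim_domain, tags.get("adkim", "r"))

    # Verdict: one aligned pass is enough. 'fo' plays no part here.
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"

    # Reporting: 'fo' is ignored unless 'ruf' is published; default is fo=0.
    fo = set(tags.get("fo", "0").split(":"))
    report = bool(tags.get("ruf")) and (
        ("0" in fo and not spf_ok and not dkim_ok)      # all mechanisms failed
        or ("1" in fo and not (spf_ok and dkim_ok))     # any mechanism failed
    )
    return {"dmarc": verdict, "failure_report": report}
```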
