On Wed, 6 Nov 2019 at 17:04, Roberto Carna <[email protected]> wrote:
> On Wed, 6 Nov 2019 at 13:48, Dominic Raferd (<[email protected]>) 
> wrote:
>>
>> On Wed, 6 Nov 2019 at 16:12, Roberto Carna <[email protected]> wrote:
>> > My cooperative mail server is an Exchange which does not implement DKIM at 
>> > all.
>> > But also I have a Postfix mail relay for the "example.com" domain.
>> > Is it possible to implement DKIM only in my Postfix server for all the 
>> > outgoing @example.com mails ??? Or doing this I affect the outgoing mails 
>> > from my Exchange server because it sends @example.com mails without DKIM 
>> > mechanism ???
>>
>> It is possible, but in my opinion pointless. In fact DKIM without
>> DMARC is problematic at least, precisely because there are
>> organisations which send some emails conforming to one or other
>> standard (or both) and other emails which do not, and the recipient
>> cannot be confident that non-conformant emails should be rejected -
>> the very situation you have in mind.
>>
>> In theory adding DKIM to some emails should not cause any problems.
>> Might some recipient MTAs see that your domain has a DKIM record in
>> DNS and then 'downgrade' (treat as spam) or block emails from such
>> domain that don't have DKIM? I am not sure how big this risk is, but I
>> can't see you gain anything by running it.
>>
>> Are you sure your Exchange server can't implement DKIM?
>
> Dear Dominic, thanks for your interesting comments.
> I administrate the Postfix mail server, not the Exchange, so I can't do 
> anything to implement DKIM in the second one.
> In my Postfix mail server I just have SPF implemented for outgoing 
> mails... Maybe it's better to add DKIM + DMARC in place of only DKIM ???

In this case you can implement DMARC and eventually (when confident)
use p=reject, which I rate highly for stopping straightforward
impersonation of your domain. The only problem is that if a legitimate
email from your domain goes through a relay server before it reaches
its destination server, the destination server will find that the
email fails SPF checking, which results in DMARC fail. The solution is
to use DKIM as well (or instead) but of course this could not cover
emails originating from your Exchange server. To identify if this will
be a problem you could use DMARC with p=none and monitor the results
to see if any apparently-legitimate emails are being flagged as
failing DMARC.

The main problem with DMARC is that some mailing lists (not this one,
I believe) mess it up, so I would suggest not to use it with
p=quarantine or p=reject on any domain where users are likely to post
to mailing lists. One such is (or was) the opendmarc mailing list -
something of an own goal.
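The reply above describes how a receiver combines SPF and DKIM under DMARC: a relay hop breaks SPF, an aligned DKIM signature survives it, and with p=none the failures are only reported. The following Python model is an added example, not code from this thread or from Postfix/OpenDMARC; it implements RFC 7489 identifier alignment and the pass/fail evaluation, with a simplified organizational-domain rule (last two labels, no Public Suffix List lookup). The DMARC record, the example.com domain and the four message scenarios are constructed for illustration.

```python
"""DMARC evaluation model for the SPF/DKIM/relay scenarios in the thread.

Added example, not code from the thread or from Postfix/OpenDMARC. It follows
RFC 7489 identifier alignment (section 3.1) and policy evaluation (section
6.6.2); the organizational-domain logic is simplified (last two labels, no
Public Suffix List). All domains and sample messages are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed monitoring record: p=none plus an aggregate-report address.
RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two DNS labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiving MTA learned about a message before applying DMARC."""
    from_domain: str                  # RFC5322.From domain (what DMARC protects)
    spf_result: str                   # "pass", "fail", "softfail" or "none"
    spf_domain: Optional[str] = None  # RFC5321.MailFrom domain that SPF checked
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (d= domain, result)


def evaluate_dmarc(msg: AuthResults, record: str) -> Tuple[str, str]:
    """Return (dmarc_result, disposition) for msg under the published record."""
    policy = parse_dmarc_record(record)
    spf_aligned = (msg.spf_result == "pass" and msg.spf_domain is not None
                   and aligned(msg.from_domain, msg.spf_domain, policy.get("aspf", "r")))
    dkim_aligned = any(result == "pass" and aligned(msg.from_domain, d, policy.get("adkim", "r"))
                       for d, result in msg.dkim)
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    disposition = {"none": "deliver (report only)",
                   "quarantine": "quarantine",
                   "reject": "reject"}[policy.get("p", "none")]
    return "fail", disposition


# Constructed scenarios matching the thread: Exchange sends unsigned mail,
# Postfix signs with d=example.com, and some mail passes through a relay
# whose IP is not listed in example.com's SPF record.
SCENARIOS: Dict[str, AuthResults] = {
    # Exchange delivers directly from an IP in the SPF record.
    "exchange_direct": AuthResults("example.com", "pass", "example.com"),
    # Same unsigned Exchange mail, but forwarded through a relay: SPF fails.
    "exchange_via_relay": AuthResults("example.com", "fail", "example.com"),
    # Postfix-signed mail through the same relay: DKIM alignment carries it.
    "postfix_via_relay": AuthResults("example.com", "fail", "example.com",
                                     [("example.com", "pass")]),
    # A third party using the domain with neither SPF nor DKIM. Note that it
    # is indistinguishable from exchange_via_relay, which is why the reply
    # suggests monitoring with p=none before moving to p=reject.
    "impersonation": AuthResults("example.com", "fail", "example.com"),
}


def run_all(record: str = RECORD) -> Dict[str, Tuple[str, str]]:
    """Evaluate every scenario under one record."""
    return {name: evaluate_dmarc(msg, record) for name, msg in SCENARIOS.items()}


if __name__ == "__main__":
    for policy in ("p=none", "p=reject"):
        rec = RECORD.replace("p=none", policy)
        print(f"--- {rec}")
        for name, (result, action) in run_all(rec).items():
            print(f"{name:20s} dmarc={result:4s} -> {action}")
```

Running it with p=none shows the relayed Exchange mail failing DMARC but still being delivered (and reported), which is the signal to look for in aggregate reports before switching to p=reject; under p=reject the same message and the impersonation case both get rejected, while the Postfix-signed relayed message still passes on DKIM alignment alone.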
