The DKIM standards are quite emphatically clear that bad signature == no
signature,
and that receiving systems MUST NOT reject a message just because a signature is
missing or fails to match. The treatment of messages that lack a signature is
covered by DMARC (and ARC).
It is a really bad idea to reject messages whose DKIM signature is invalid.
DO NOT DO THIS.
Why exactly is it a really bad idea :) ?
Could you give us some more practical details/examples?
It is true that DKIM does not convey a sender domain policy, but that
should not limit or impose decision restriction on the receiving end.
I don't see why should the receiver base its decisions of how to handle
bad signatures on the wishes of the sender domain.
By the way, I don't use DMARC.
In my opinion if a signature is present is should be valid. Always.
Otherwise it loses it's whole purpose.
I wold even go so far as to require DKIM signatures from everybody. But
unfortunately that is not quite possible since there are still many who,
for various reasons, can't provide a DKIM signature at all :) .
If a mail handling software, such as a mailing list one, changes a
message in a way that breaks a signature, it should instead encapsulate
the original message in a completely new message with a valid signature.
If opendkim supports "On-BadSignature reject", that's a disservice to its
users.
Yes, OpenDKIM does support this and I find that to be perfectly fine
since it gives the user an option to decide how to handle this kind of
situations. By default the action is set to "accept" anyway.
Cheers,
K.
