For OpenDMARC this setting: SPFSelfValidate true
Can it handle the case when incoming message has rewritten envelope address by SRS then no SPF found for header From address? If opendmarc can implement SPF checks for header From address , That would be much better. Thanks > On 2023-05-16 at 08:16:21 UTC-0400 (Tue, 16 May 2023 20:16:21 +0800) > Tom Reed via Postfix-users <t...@dkinbox.com> > is rumored to have said: > >> Hello list, >> >> Should we reject failed message on DKIM validation stage, or DMARC >> validation stage, or both? > > Generally, neither. > > IF (and ONLY IF) the "From: " header address domain aligns with the > DKIM-signing domain AND that domain also has a DMARC record in DNS which > specifies "p=reject" you may choose to reject a failed message. So, > obviously, you cannot know whether rejection is reasonable before doing > the full DKIM/DMARC analysis. > > NOTE WELL: DKIM signatures are notoriously fragile, and are broken by > MTA behaviors which have been commonplace for the lifetime of the > Internet. If you reject messages based on an existing DKIM signature not > verifying, you will reject some entirely legitimate mail for no good > reason. > > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Not Currently Available For Hire > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org > -- sent from https://dkinbox.com/ _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
