On May 16, 2023 1:20:53 PM UTC, Ralf Hildebrandt via Postfix-users 
<postfix-users@postfix.org> wrote:
>* Scott Kitterman via Postfix-users <postfix-users@postfix.org>:
>
>> DKIM has no policy mechanism associated with it, so there's no basis in any 
>> standardized mechanism to determine if a DKIM failure should be cause for 
>> rejection.  I don't think it makes logical sense to treat a message with a 
>> DKIM signature that failed to verify any more harshly than you would 
>> unsigned mail.
>> 
>> DMARC does have such a policy component.  Rejecting mail which fails DMARC 
>> for domains that have a policy of p=reject is common.  DMARC does have a 
>> high error rate for some types of email, so I would recommend a careful 
>> evaluation of what you would be rejecting before you do so.
>
>I always thought DMARC was the policy component for DKIM.

Sort of.  DMARC is its own protocol that is built on top of the email 
authentication information provided by DKIM and SPF.  It uses both in ways that 
are somewhat different than what they were designed for, but more or less works 
(the less part leads to the failure cases).

To the extent there is a policy component for DKIM, DMARC is it, but they are 
each their own thing.  This is different than DomainKeys, which had policy 
built in.

Scott K
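
The distinction drawn in this message, as an added example that is not part of the original thread: a simplified DMARC decision in Python showing that a failed DKIM signature requests no handling by itself, while a DMARC failure under p=reject does. Assumptions: the function names and sample domains are constructed, the organizational domain is taken as the last two labels (real verifiers use the Public Suffix List), and the `sp` and `pct` tags are ignored.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(name):
    # Assumption: organizational domain = last two labels.
    # Real verifiers consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

def evaluate(from_domain, record, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns (dmarc_result, requested_disposition)."""
    tags = parse_dmarc(record)
    if tags is None:
        # No policy published: a failed DKIM signature requests nothing.
        return ("none", "none")
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim)
    if spf_ok or dkim_ok:  # one aligned pass is enough
        return ("pass", "none")
    return ("fail", tags.get("p", "none").lower())

# Constructed cases: (From domain, DMARC TXT record, SPF result, DKIM results)
CASES = {
    "no DMARC record, DKIM broken":
        ("example.org", None, ("pass", "example.org"), [("fail", "example.org")]),
    "p=reject, SPF broken, DKIM intact":
        ("example.com", "v=DMARC1; p=reject", ("fail", "example.com"),
         [("pass", "mail.example.com")]),
    "p=reject, SPF unaligned, DKIM broken":
        ("example.com", "v=DMARC1; p=reject", ("pass", "list.example.net"),
         [("fail", "example.com")]),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name}: {evaluate(*args)}")
```

The third case is the kind of result worth reviewing in logs before turning on rejection: SPF passed, but for a domain that does not align with the From header.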