On Mon, 19 Apr 2021 20:40:58 -0400 Bill Cole wrote: > On 19 Apr 2021, at 18:25, RW wrote:
> I suggested exempting messages hitting ALL_TRUSTED from > KAM_DMARC_REJECT. > Matus noted correctly that doing so with external machines in > trusted_networks could result in "problems" i.e. allowing unsigned > (i.e. fake) messages to bypass KAM_DMARC_REJECT because they are > originating on a machine which is trusted not to write bogus Received > headers. Note that a machine in trusted_networks is NOT necessarily > presumed to not originate spam. > I proposed (and have committed to my sandbox) an ALL_INTERNAL rule > which could be used to exempt mail which has originated on internal > networks Anything that enters through through the remote trusted network and hits ALL_TRUSTED will almost certainly pass whatever authentication mechanism are set-up for the domain. The difference between ALL_TRUSTED and ALL_INTERNAL will likely be small. There are minor advantages either way.