Amavis and OpenDMARC
Nick Tait
nick at tait.net.nz
Sun Nov 12 04:03:49 CET 2023
On 12/11/23 15:10, Noel Butler wrote:
>
> DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
> fo policy -
>
> if policy uses fo=0 then yes, both SPF and DKIM must exist, and both
> must pass.
>
> if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must
> exist, and pass, so DMARC will work with only SPF or only DKIM, it
> will also work with both, which has the advantage that only one of
> these must pass, eg: SPF passes but DKIM fails, DMARC using fo=1 will
> pass.
>
> I recommend fo=1 for general use but fo=0 for critical areas, like
> govts, legal and finance sectors, or those who deal with them on a
> very regular basis, in which case they wouldn't be authorised to use
> their govt/corp email for private use so if ill-configured mailing
> lists for example rejected them, then that's acceptable collateral damage.
>
Hi Noel.

My understanding of the "fo" option is that it is only used for
reporting. i.e. It doesn't control whether the received email is
accepted or not, which is always based on /either/ SPF or DKIM checks
passing.

From RFC 7489:

    fo: Failure reporting options (plain-text; OPTIONAL; default is "0")
        Provides requested options for generation of failure reports.
        Report generators MAY choose to adhere to the requested options.
        This tag's content MUST be ignored if a "ruf" tag (below) is not
        also specified...

Nick.
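
Added example (not part of the original post, and not OpenDMARC's code): a minimal model of RFC 7489 in which the DMARC result and the "fo" failure-report request are computed separately. The function names, the example.org address and the sample records are constructed for illustration; only fo=0 and fo=1 are modelled.

```python
# Constructed sample records; example.org addresses are placeholders.

def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_passes(spf_aligned, dkim_aligned):
    """Pass when either mechanism gives an aligned pass; fo is never consulted."""
    return spf_aligned or dkim_aligned

def failure_report_requested(tags, spf_aligned, dkim_aligned):
    """Apply fo=0 / fo=1 (the d and s options are not modelled here)."""
    if "ruf" not in tags:  # RFC 7489: fo MUST be ignored without a ruf tag
        return False
    options = [o.strip() for o in tags.get("fo", "0").split(":")]  # default "0"
    if "1" in options:  # any mechanism lacking an aligned pass
        return not (spf_aligned and dkim_aligned)
    if "0" in options:  # all mechanisms lacking an aligned pass
        return not (spf_aligned or dkim_aligned)
    return False

def evaluate(record, spf_aligned, dkim_aligned):
    """Return (dmarc_pass, failure_report_requested) for one message."""
    tags = parse_dmarc(record)
    return (dmarc_passes(spf_aligned, dkim_aligned),
            failure_report_requested(tags, spf_aligned, dkim_aligned))

RUF = "ruf=mailto:ruf@example.org"  # constructed reporting address

if __name__ == "__main__":
    for fo in ("0", "1"):
        rec = f"v=DMARC1; p=reject; fo={fo}; {RUF}"
        # SPF-only pass, then both mechanisms failing
        print(fo, evaluate(rec, True, False), evaluate(rec, False, False))
```

With an SPF-only aligned pass the DMARC result is the same under fo=0 and fo=1; only the report request differs.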