Amavis and OpenDMARC
Damian
amavis at arcsin.de
Sun Nov 12 09:50:32 CET 2023
>>> if policy uses fo=0 then yes, both SPF and DKIM must exist, and both must pass.
>>>
>>> if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must exist, and pass, so DMARC will work with only SPF or only
>>> DKIM, it will also work with both, which has the advantage that only one of these must pass, eg: SPF passes but DKIM fails,
>>> DMARC usinng fo=1 will pass.
>>>
>>> I recommend fo=1 for general use but fo=0 for critical areas, like govts, legal and finance sectors, or those who deal with
>>> them on a very regular basis, in which case they wouldn't be authorised to use there govt/corp email for private use so if
>>> ill-configured mailing lists for example rejected them, then that's acceptable collateral damage.
>>>
>> [...]
>> My understanding of the "fo" option is that it is only used for reporting. i.e. It doesn't control whether the received email is
>> accepted or not, which is always based on /either/ SPF or DKIM checks passing.
>> [...]
> Ahhh you're right, my very bad, I was confusing r/s ...
Would the above finetuning of (DKIM || SPF) vs. (DKIM && SPF) have been achieved in some early draft version? I cannot place "r/s"
in any other context than relaxed vs. strict alignment.
More information about the amavis-users
mailing list