Amavis and OpenDMARC
Matus UHLAR - fantomas
uhlar at fantomas.sk
Mon Nov 13 09:26:10 CET 2023
>On 12/11/23 15:10, Noel Butler wrote:
>>DMARC (thus OpenDMARC) makes its decision based on the sender's DMARC
>>fo policy -
>>
>>if policy uses fo=0 then yes, both SPF and DKIM must exist, and
>>both must pass.
>>
>>if policy uses fo=1 then no, as a minimum /either/ SPF or DKIM must
>>exist, and pass, so DMARC will work with only SPF or only DKIM, it
>>will also work with both, which has the advantage that only one of
>>these must pass, e.g.: SPF passes but DKIM fails, DMARC using fo=1
>>will pass.
>>
>>I recommend fo=1 for general use but fo=0 for critical areas, like
>>govts, legal and finance sectors, or those who deal with them on a
>>very regular basis, in which case they wouldn't be authorised to use
>>their govt/corp email for private use so if ill-configured mailing
>>lists for example rejected them, then that's acceptable collateral
>>damage.
On 12.11.23 16:03, Nick Tait wrote:
>My understanding of the "fo" option is that it is only used for
>reporting. i.e. It doesn't control whether the received email is
>accepted or not, which is always based on /either/ SPF or DKIM checks
>passing.
>
>From RFC 7489:
>
> fo: Failure reporting options (plain-text; OPTIONAL; default is "0")
> Provides requested options for generation of failure reports.
> Report generators MAY choose to adhere to the requested options.
> This tag's content MUST be ignored if a "ruf" tag (below) is not
> also specified...
Looking at it, fo=0 should generate a DMARC report for each individual mail
forwarded, either through a mailing list or via other ways.
If there is anything hostile to mailing lists in DMARC specification, it's
this.
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average.
More information about the amavis-users mailing list
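The RFC 7489 text quoted in this thread, worked through as an added example (not code from the thread, Amavis or OpenDMARC): it keeps the DMARC pass/fail result separate from the "fo" failure-report request. The records, addresses and function names are constructed for illustration, and only the "0" and "1" options are modelled; "d" and "s" act on raw DKIM/SPF results and are left out.

```python
# Added example: constructed DMARC records, evaluated per RFC 7489.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_pass(spf_aligned, dkim_aligned):
    """DMARC passes when at least one mechanism gives an aligned pass.
    The fo tag is not an input to this decision."""
    return spf_aligned or dkim_aligned

def report_requested(tags, spf_aligned, dkim_aligned):
    """Does the domain owner request a failure (ruf) report for this message?
    Report generators MAY still decline to send one."""
    if "ruf" not in tags:                 # fo MUST be ignored without ruf
        return False
    options = tags.get("fo", "0").split(":")   # default is "0"
    all_failed = not spf_aligned and not dkim_aligned
    any_failed = not (spf_aligned and dkim_aligned)
    return ("0" in options and all_failed) or ("1" in options and any_failed)

if __name__ == "__main__":
    # Constructed scenarios: (label, SPF aligned pass, DKIM aligned pass)
    scenarios = [
        ("direct delivery", True, True),
        ("forwarded, DKIM signature intact", False, True),
        ("list rewrote body, DKIM broken", False, False),
    ]
    records = [
        "v=DMARC1; p=reject; ruf=mailto:dmarc@example.org; fo=0",
        "v=DMARC1; p=reject; ruf=mailto:dmarc@example.org; fo=1",
        "v=DMARC1; p=reject; fo=1",       # no ruf tag, so fo has no effect
    ]
    for record in records:
        tags = parse_dmarc(record)
        print(record)
        for label, spf, dkim in scenarios:
            print(f"  {label}: pass={dmarc_pass(spf, dkim)} "
                  f"report={report_requested(tags, spf, dkim)}")
```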