jasonsu:
> Andreas
>
> I understand your principle, kindof, but think I don't understand what
>
> On-SignatureError
>
> implies.
it implies that any message with an invalid DKIM signature will be
rejected by OpenDKIM.
> Also I have a question about
>
>> If you're using DMARC *only* your DMARC instance should reject after
>
> SHOULD we be using DMARC *only*?
no, what I mean is:
configure an SPF checker that adds a Received-SPF or
Authentication-Results header
but does not reject any message
configure a DKIM validator that adds an Authentication-Results header
but does not reject any message
configure a DMARC checker that consumes the Authentication-Results headers
from trusted sources
(your instances above) and let that instance decide whether a message will
be accepted or rejected.
> currently, SPF has this policy
> HELO_reject = Fail
> Mail_From_reject = Fail
> No_Mail = False
> PermError_reject = True
> TempError_Defer = False
configure it not to reject any message
> OPENDKIM has
>
> # On-Default
> On-BadSignature accept
> On-DNSError tempfail
> On-InternalError tempfail
> On-KeyNotFound accept
> On-NoSignature accept
> On-Security tempfail
> On-SignatureError reject
configure it not to reject any message
> & OPENDMARC
>
> SPFIgnoreResults false
> SPFSelfValidate false
add "ignorehosts /path/to/list_of_host_to_ignore" and finally
"RejectFailures yes"
if you're sure to whitelist relevant traffic
we usually only run pre-queue:
  opendkim
  opendmarc
  other content checkers
Notice that OpenDMARC (latest version 1.3.1 + a huge number of patches)
could do the job of SPF checking. See
https://andreasschulze.de/dmarc/opendmarc
Andreas
Received on Wed Jun 22 2016 - 12:27:07 PST
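The three-stage setup Andreas describes (SPF and DKIM only annotate, OpenDMARC alone decides), written out as an added configuration example that is not from the original thread. The Authserv-ID value is a placeholder, the SPF block assumes the policy keys quoted above belong to a pypolicyd-spf-style policy file, and the IgnoreHosts path is the placeholder from the mail.

```ini
# --- SPF checker (assumption: pypolicyd-spf-style policy file, keys as quoted above) ---
# Never reject here; only record the result in a header for OpenDMARC to read.
HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = False

# --- opendkim.conf: verify signatures, but never reject on a bad or missing signature ---
# The dkim= result is written to the Authentication-Results header under this ID;
# DNS/internal errors still tempfail (defer), which is not a reject.
AuthservID            mail.example.org
On-BadSignature       accept
On-DNSError           tempfail
On-InternalError      tempfail
On-KeyNotFound        accept
On-NoSignature        accept
On-Security           tempfail
# was "reject" in the quoted config: OpenDMARC decides instead
On-SignatureError     accept

# --- opendmarc.conf: the only stage that rejects ---
# Same Authserv-ID as the DKIM milter (placeholder), and only our own
# Authentication-Results headers are trusted as input.
AuthservID            mail.example.org
TrustedAuthservIDs    mail.example.org
# use the spf= result recorded upstream rather than re-checking SPF here
SPFIgnoreResults      false
SPFSelfValidate       false
# hosts listed here (internal relays, trusted forwarders) skip DMARC evaluation;
# fill this in before turning on RejectFailures
IgnoreHosts           /path/to/list_of_host_to_ignore
RejectFailures        yes
```

Check the Authentication-Results header of a test message after the change: it should carry both the spf= and dkim= results under the configured Authserv-ID before OpenDMARC is allowed to reject.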