Re: Opendkim on-(error) configs for production systems?

From: <>
Date: Tue, 21 Jun 2016 15:59:32 -0700


I understand your principle, kind of, but think I don't understand what


implies. I'd appreciate getting this straightened out. It seems to me that most of my checking is working correctly, but now I wonder if I've caused myself some trouble.

Also I have a question about

> If you're using DMARC *only* your DMARC instance should reject after

SHOULD we be using DMARC *only*? If you do, and there's for example no DMARC policy published, but SPF/DKIM fails to validate, how do you properly reject in the absence of a DMARC record?

My inbound mail sees checks in the following order



Currently, SPF has this policy

        HELO_reject = Fail
        Mail_From_reject = Fail
        No_Mail = False
        PermError_reject = True
        TempError_Defer = False


        # On-Default
        On-BadSignature accept
        On-DNSError tempfail
        On-InternalError tempfail
        On-KeyNotFound accept
        On-NoSignature accept
        On-Security tempfail
        On-SignatureError reject


        SPFIgnoreResults false
        SPFSelfValidate false

I guess the first question is -- should we use DMARC *only*? And the answer helps direct the rest of the config?

I'd be interested in what configuration you run ...

Received on Tue Jun 21 2016 - 22:59:45 PST
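
As an added illustration (not part of the original message and not code from any of the projects involved), this sketch traces where a message stops under the SPF and DKIM settings quoted in the post. It assumes the checks run in the order SPF, DKIM, DMARC; `parse`, `spf_stage`, `disposition` and the result/event names passed in are hypothetical, and only the `Fail` value of the two `*_reject` options is modeled.

```python
# Added example: settings copied from the post; the check order and the
# names of the results/events passed in below are assumptions of this sketch.
SPF_CONF = """
HELO_reject = Fail
Mail_From_reject = Fail
PermError_reject = True
TempError_Defer = False
"""
DKIM_CONF = """
On-BadSignature accept
On-DNSError tempfail
On-InternalError tempfail
On-KeyNotFound accept
On-NoSignature accept
On-Security tempfail
On-SignatureError reject
"""

def parse(text, sep=None):
    """Parse 'key = value' (sep='=') or 'key value' lines into a dict."""
    out = {}
    for line in text.strip().splitlines():
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip()
    return out

SPF, DKIM = parse(SPF_CONF, "="), parse(DKIM_CONF)

def spf_stage(helo, mail_from):
    """Action of the SPF policy stage for the HELO and MAIL FROM results."""
    results = (helo, mail_from)
    if "PermError" in results and SPF["PermError_reject"] == "True":
        return "reject"
    if "TempError" in results and SPF["TempError_Defer"] == "True":
        return "tempfail"
    if helo == SPF["HELO_reject"] or mail_from == SPF["Mail_From_reject"]:
        return "reject"
    return "accept"

def disposition(helo, mail_from, dkim_event=None):
    """Return (stage, action) where the message stops, else ('dmarc', 'evaluate')."""
    action = spf_stage(helo, mail_from)
    if action != "accept":
        return ("spf", action)
    # dkim_event None means a signature verified and no On-* handler applied.
    action = DKIM.get(f"On-{dkim_event}", "accept") if dkim_event else "accept"
    if action != "accept":
        return ("dkim", action)
    return ("dmarc", "evaluate")
```

With these values, `disposition("Pass", "Fail")` stops at the SPF stage with a reject before any DMARC record is consulted, while `disposition("Pass", "Pass", "BadSignature")` is handed on to the DMARC stage.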
