Re: Opendkim on-(error) configs for production systems?

From: A. Schulze <>
Date: Wed, 22 Jun 2016 14:26:46 +0200


> Andreas
> I understand your principle, kind of, but think I don't understand what
> On-SignatureError implies.
it implies that any message with an invalid DKIM signature will be
rejected by OpenDKIM.

> Also I have a question about
>> If you're using DMARC *only* your DMARC instance should reject after
> SHOULD we be using DMARC *only*?
no, what I mean is:

configure an SPF checker that adds a Received-SPF or
Authentication-Results header
but does not reject any message

configure a DKIM validator that adds an Authentication-Results header
but does not reject any message

configure a DMARC checker that consumes Authentication-Results headers
from trusted sources
(your instances above) and let this instance decide whether a message will
be accepted or rejected.

> currently, SPF has this policy
> HELO_reject = Fail
> Mail_From_reject = Fail
> No_Mail = False
> PermError_reject = True
> TempError_Defer = False
configure to not reject any message

> # On-Default
> On-BadSignature accept
> On-DNSError tempfail
> On-InternalError tempfail
> On-KeyNotFound accept
> On-NoSignature accept
> On-Security tempfail
> On-SignatureError reject
configure to not reject any message

> SPFIgnoreResults false
> SPFSelfValidate false

add "ignorehosts /path/to/list_of_host_to_ignore" and finally
"RejectFailures yes"
if you're sure to whitelist relevant traffic

we usually only run

                 other content_checker

Notice that OpenDMARC (latest version 1.3.1 + a huge number of patches)
could do the job of SPF checking. see
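As an added example, not code from this thread nor from OpenDKIM or OpenDMARC: a small Python model of the three-stage design described above (SPF and DKIM only annotate with Authentication-Results headers, a DMARC stage consumes them and decides). The trusted authserv-id `mx1.example.net`, the ignore-host address, the two sample messages and the two-label organizational-domain shortcut are constructed assumptions. It shows two things the thread argues: the DMARC stage must only consume Authentication-Results headers stamped by your own filters, since anything else may have arrived with the message; and a message whose DKIM signature broke in transit but whose SPF result aligns is still accepted by DMARC, whereas `On-SignatureError reject` at the DKIM stage would already have rejected it.

```python
"""Model of the pipeline from the thread: SPF and DKIM only annotate with
Authentication-Results (A-R) headers, and a DMARC stage consumes the A-R headers
of trusted filters and decides. Added example; all names and values are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the AuthservID that our own SPF/DKIM filters stamp into A-R headers.
TRUSTED_AUTHSERV_IDS = {"mx1.example.net"}
# Assumption: internal relays to whitelist, in the spirit of OpenDMARC's IgnoreHosts.
IGNORE_HOSTS = {"192.0.2.10"}

_COMMENT = re.compile(r"\([^)]*\)")

def parse_authentication_results(value):
    """Parse one A-R header into (authserv_id, [(method, result, props), ...])."""
    value = " ".join(_COMMENT.sub("", value).split())  # drop comments, unfold lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", []
    authserv_id = parts[0].split()[0].lower()  # "mx1.example.net 1" -> id without version
    results = []
    for clause in parts[1:]:
        tokens = clause.split()
        if "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def org_domain(domain):
    # Simplification (assumption): no Public Suffix List, so the organizational
    # domain is taken to be the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier_domain, from_domain, strict=False):
    """DMARC identifier alignment; relaxed mode compares organizational domains."""
    if strict:
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)

def dkim_stage_action(dkim_result, on_signature_error="accept"):
    """Stage 2 as in the quoted config: with 'reject', a message whose signature
    did not verify is dropped before the DMARC stage ever sees it."""
    return on_signature_error if dkim_result in ("fail", "permerror") else "accept"

def dmarc_decision(raw_message, client_ip, policy="reject"):
    """Stage 3: trust only our own filters' A-R headers, then apply DMARC logic."""
    if client_ip in IGNORE_HOSTS:
        return "accept", "client in IgnoreHosts"
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    if not from_domain:
        return "reject", "no usable From domain"
    spf_aligned = dkim_aligned = False
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(header)
        if authserv_id not in TRUSTED_AUTHSERV_IDS:
            continue  # not stamped by our filters: may be sender-supplied, ignore
        for method, result, props in results:
            if method == "spf" and result == "pass":
                mfrom_domain = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
                if mfrom_domain and aligned(mfrom_domain, from_domain):
                    spf_aligned = True
            elif method == "dkim" and result == "pass":
                signing_domain = props.get("header.d", "")
                if signing_domain and aligned(signing_domain, from_domain):
                    dkim_aligned = True
    if spf_aligned or dkim_aligned:
        return "accept", "DMARC pass"
    action = policy if policy in ("reject", "quarantine") else "accept"
    return action, "DMARC fail (p=%s)" % policy

# Constructed sample: the DKIM signature broke in transit, but SPF passes and aligns.
SAMPLE_MESSAGE = """\
Authentication-Results: mx1.example.net;
\tspf=pass smtp.mailfrom=bounce@example.com;
\tdkim=fail (body hash did not verify) header.d=example.com
From: Alice <alice@example.com>

body
"""

# Constructed sample: only a sender-supplied A-R header claims a pass.
FORGED_MESSAGE = """\
Authentication-Results: mx1.example.net; spf=fail smtp.mailfrom=x@other.example; dkim=none
Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=alice@example.com;
\tdkim=pass header.d=example.com
From: Alice <alice@example.com>

body
"""
```

Calling `dkim_stage_action("fail", "reject")` gives `reject`, which is what the quoted `On-SignatureError reject` line does to the first sample at stage 2; `dmarc_decision(SAMPLE_MESSAGE, "203.0.113.5")` instead accepts it because SPF aligns, and `dmarc_decision(FORGED_MESSAGE, "203.0.113.5")` rejects because the only passing results carry an authserv-id that is not ours.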

Received on Wed Jun 22 2016 - 12:27:07 PST

This archive was generated by hypermail 2.3.0 : Wed Jun 22 2016 - 12:36:01 PST