Idea ID: 2778555

DKIM check for incoming messages

Status: Waiting for Votes


The DKIM check currently works this way:

DKIM is checked against DNS and then blocked or quarantined with a policy rule. We have to enter a domain name in the policy to check, or decide to check every domain, which leads to a lot of false positives.

This method is not how DKIM should work officially.

DKIM checks have to follow the following rule:

DKIM is checked against the public DNS key. If aligned, the mail should initially be accepted. If not aligned, DMARC must decide what to do. After that, the DMARC record in DNS is checked for the policy for that domain. If the policy is 'none', the mail should be accepted; if the policy is 'quarantine', the mail should end up in QMS; and if the policy is 'reject', the mail should be dropped.

So please make changes to the DKIM implementation for incoming mails and include DMARC in it. The same should be done for SPF.
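
The decision flow requested above, as an added example (not part of the original idea and not the product's implementation): it maps already-computed DKIM and SPF results plus the sender's published DMARC record to accept, quarantine or reject. It goes beyond the post by applying the RFC 7489 alignment modes (`adkim`, `aspf`) to both mechanisms; all function names are hypothetical, the organizational-domain helper is a simplification, and accepting mail when no DMARC record exists is an assumed local policy.

```python
# Added example: DMARC disposition from already-computed DKIM and SPF results.
# No DNS lookups are made; callers pass the DMARC TXT record text they fetched.

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None  # not a usable DMARC record
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed (same org domain)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def disposition(from_domain, dmarc_record, dkim_results, spf_result):
    """
    from_domain:  domain of the From: header address.
    dkim_results: list of (d= domain, signature verified?) tuples, one per signature.
    spf_result:   (MAIL FROM domain, SPF passed?) tuple.
    Returns 'accept', 'quarantine' or 'reject'.
    """
    policy = parse_dmarc(dmarc_record) if dmarc_record else None
    if policy is None:
        return "accept"  # assumption: no published policy means no DMARC action
    dkim_ok = any(ok and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, ok in dkim_results)
    spf_domain, spf_ok = spf_result
    spf_aligned = spf_ok and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_aligned:
        return "accept"  # DMARC pass: one aligned, passing mechanism is enough
    # DMARC fail: apply the domain owner's published policy.
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
```

A valid DKIM signature from an unrelated signing domain does not count as a pass here, which is what separates this flow from a per-domain DKIM block rule.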