[Rspamd-Users] SPF, DKIM and DMARC policy

[G.W. Haywood]

Hi there,

On Sat, 31 May 2025, Andy Kuhlen via Users wrote:

> ...would like to reject mails where the check shows the following results:
>
> ARC-Authentication-Results: i=2;
> 	axe.mydomain.de;
> 	dkim=none ("invalid DKIM record") header.d=choibaidoithuong.com header.s=zoho header.b=RI8h0T1U;
> 	dmarc=fail reason="No valid SPF" header.from=choibaidoithuong.com (policy=none);
> 	arc=pass ("us.zohomail360.com:s=zohoarc:i=1");
> 	spf=none (axe.mydomain.de: domain of contact at choibaidoithuong.com has no SPF policy when checking 136.143.188.167) smtp.mailfrom=contact at choibaidoithuong.com

Does this help?

https://groups.google.com/g/rspamd/c/oyGbTQpp_pk

> I have set up a reject policy for DMARC in the DNS settings for my
> domain. Now I would also like to set a reject policy for Rspamd.
> Does that make sense?

It does to me. ;)

> How should I handle mails where all checks fail? What is
> reasonable/practicable?

My personal take on it is probably not what a lot of people would call
reasonable.  Around here, anything which fails SPF checks goes in the
bin without further consideration.

> Unfortunately, the documentation of the SPF, DKIM and DMARC modules
> of Rspamd is not very informative in this regard. Does anyone have
> any advice / guidance?

I treat the rspamd documentation as a last resort.  Generally I'll use
a Google-based search to find out what other people have done and then
probably look at the 'official' documentation afterwards - to see if I
can make any sense of it using what I have learned elsewhere.

One of the best resources I've found is

https://groups.google.com/g/rspamd/c/oyGbTQpp_pk

but it's rather dated and by no means complete.

-- 

73,
Ged.