> Thanks Jeremy, fair enough comment.
>
> For now, I'd like to accept anything - just have the Data about
> whether an incoming email was compliant or not - with the option of
> then moving to become more strict. I guess I'd like to be more like
> gmail - which actually seems to be quite lenient.
>
> I'll then do my best to see if other mail admins can rectify their
> problems (or me - when its my fault).
One thing to be aware of when writing DKIM related rules is that
it's quite possible (and in some environments routine) for legitimate
incoming email to have multiple DKIM signatures, some of which fail to
validate and some of which do validate. One can be unhappy about this,
but places like Microsoft Outlook365 don't care about our feelings.
(We have actually seen this happen on inbound messages from Microsoft
Teams that transited through hosted Office365 email before reaching us;
the Teams DKIM signature was invalid, the hosted O365 DKIM signature was
valid. Since Microsoft Teams falls under the microsoft.com domain and
microsoft.com advertises a strong DMARC policy, this caused a certain
amount of heartburn.)
- cks
