On Fri, Dec 30, 2022 at 11:13:51PM +0000, Polarian wrote:
Hello,
Well it depends, DMARC requires both, but a more strict DMARC will reject all emails which do not pass spf and dkim, furthermore they have strict spf and dkim and must align perfectly.
I believe my issue is my DMARC record has strict spf, and thus, spf keeps failing.
I am going to change it to relaxed and see if I stop being spammed with spf failures, however keep dkim strict.
Emails should always pass both spf and dkim in order to not be spammed, if an email provider allows emails if they only pass spf and fail dkim, then they need to improve their email server.
Thus, I am not too worried about having lists.archlinux.org included on my spf record, because they still can't sign emails with dkim and thus should still be spammed/bounced.
Thanks, Polarian
Hey, I updated my DMARC to more strict one from: _dmarc.kocurkovo.cz. = "v=DMARC1; p=reject; rua=mailto:dmarc+rua@kocurkovo.cz; fo=1" to: _dmarc.kocurkovo.cz. = "v=DMARC1; p=reject; rua=mailto:dmarc+rua@kocurkovo.cz; ruf=mailto:dmarc+ruf@kocurkovo.cz; fo=1; aspf=s; adkim=s; pct=100" other dns entries: kocurkovo.cz. = "v=spf1 mx -all" mail._domainkey.kocurkovo.cz. = "v=DKIM1; k=rsa; p=[...]" DMARC whould be same as yours. Thanks, mdujava