DMARC Fail but mail ends up in Inbox

I have done a little more checking, and I’ve decided to enable rejects in the opendmarc.conf file. I appreciate that this will change the next time Mail-In-A-Box is updated, but I want to try it out.

I have a yahoo.co.uk email address and I set up forwarding from a Virginmedia.com address to one of my own personal domain addresses.

I then sent a mail from Yahoo to Virgin Media and the copy arrived in my inbox with a DMARC pass due to the DKIM still being correct.

I did then send a mail manually through smtp.blueyonder.co.uk with a From: address and MAIL FROM: address of my yahoo.co.uk address. With the reject policy enabled, the mail was bounced as per Yahoo’s DMARC policy.

The real research that needs doing though is just how many domains currently have DKIM enabled. I know some think of it as a waste of time. Certainly if they ONLY use SPF and DMARC together, they’re in for a world of hurt.
From what I can see, for anti-spoofing to work properly:
Messages must be DKIM signed by the author's domain.
SPF needs to be set to catch spoofed messages from third-party servers, as these are not likely to be DKIM signed, so the DKIM check would be neutral.

Tim
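
The two tests described in the post above, worked through as an added example (not part of the original post and not OpenDMARC's code): a simplified DMARC check that reads SPF and DKIM results from an Authentication-Results value and applies relaxed identifier alignment. The header strings, the `mx.example.net` receiver name, the small suffix set and the `reject` policy argument are constructed assumptions.

```python
import re

# Tiny constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"co.uk", "com", "net"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):              # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def parse_auth_results(header):
    """Return [(method, result, domain)] from an Authentication-Results value."""
    found = []
    for clause in header.split(";")[1:]:      # first part is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^\s@]*@)?([\w.-]+)", clause)
        if m and d:                           # results with no domain cannot align
            found.append((m.group(1), m.group(2), d.group(1)))
    return found

def dmarc(from_domain, auth_results, policy):
    """Pass if any SPF or DKIM 'pass' is for a domain aligned with From:."""
    for method, result, domain in parse_auth_results(auth_results):
        if result == "pass" and org_domain(domain) == org_domain(from_domain):
            return ("pass", "accept", method)
    action = policy if policy in ("reject", "quarantine") else "accept"
    return ("fail", action, None)

# Constructed samples mirroring the two tests in the post.
# Forwarded copy: the forwarder's IP fails SPF, the original DKIM signature survives.
FORWARDED = ("mx.example.net; spf=fail smtp.mailfrom=user@yahoo.co.uk; "
             "dkim=pass header.d=yahoo.co.uk")
# Manual submission through a third-party server: SPF fails, nothing is signed.
SPOOFED = "mx.example.net; spf=fail smtp.mailfrom=user@yahoo.co.uk; dkim=none"

if __name__ == "__main__":
    print("forwarded:", dmarc("yahoo.co.uk", FORWARDED, "reject"))
    print("spoofed:  ", dmarc("yahoo.co.uk", SPOOFED, "reject"))
```

A forwarded message from a domain that publishes only SPF and DMARC produces the same results as `SPOOFED`, so a rejecting receiver cannot tell the two apart.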