I’m a bit mystified why this is the default policy:
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, HTML_MESSAGE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,T_DKIM_INVALID, T_KAM_HTML_FONT_INVALID autolearn=no autolearn_force=no version=3.4.0 X-Spam-Report: * -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) * [22.214.171.124 listed in wl.mailspike.net] * 0.0 T_KAM_HTML_FONT_INVALID BODY: Test for Invalidly Named or Formatted * Colors in HTML * 0.0 HTML_MESSAGE BODY: HTML included in message * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% * [score: 0.0000] * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily * valid * 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid * -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Received: from vps.lawyer-monthly.com (ds-151.ukdns.biz [126.96.36.199]) by mail.example.com (Postfix) with ESMTP id D28FB41980 for <email@example.com>; Fri, 22 Sep 2017 10:07:51 +0100 (BST) Authentication-Results: mail.example.com; dmarc=none header.from=example.net Authentication-Results: mail.example.com; dkim=permerror reason="key not found" header.d=example.net firstname.lastname@example.org header.b=jmhD/l2s; dkim-adsp=none (unprotected policy); dkim-atps=neutral DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=fm; h=content-type:mime-version:date:subject:to:from:message-id; bh=Lryrqw9+MS1hTDwTpRx2yPBUypuYA7GK1jKCi9VWdmo=; b=jmhD/l2sjaOXOn12zgrOk+WTrhIMftb+EYjudyLIypz44gtZeReISzQ+jAUHUDUO5 G0bkeV0Pe6rfDcarBvGAA==
What’s the point of going to the effort of checking DKIM on inbound if you’re not going to do anything with the result? Admittedly, it doesn’t have a DMARC policy to say what to do with it, but I think it would make sense to reject it, or at least give it some bad spam points at the very least.
How can I configure it so that DKIM failures default to rejection if there is no DMARC policy?