Support,
I'm wondering if we can potentially have some tweaks for allowing through senders with, let's say 'incomplete' DKIM / DMARC setups. We've been getting a fair number of legit mail that does have good SPF records, but either questionable or improperly-done DKIM/DMARC and getting failures.
A basic DMARC record is usually something like:
v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com
Receiving mail servers should essentially quarantine any incoming email that fails DMARC alignment from this domain. In strict modes, you can force both SPF and DKIM to pass, or in relaxed modes, at least one or the other needs to pass. We have a number of contacts who don't have a tech person or are otherwise using generated records via Microsoft 365, Gmail, etc. and don't necessarily have the facilities to troubleshoot it.
For AMS, I guess what I'm asking is for some DMARC handling options for incoming mail via SMTP; a number of these sending domains either have no DMARC record or it doesn't have a rule to quarantine or reject. I'd like to have, say, a control or two in the DKIM area in Spam Filtering to handle stuff like this, rather than needing to whitelist as much.
One option could be a checkbox for incoming mail that doesn't have a DMARC policy specified (either nonexistent or no policy value of 'q' or 'r') to have AMS either PASS or Quarantine if at least one of the two checks is a Pass between SPF and DKIM.
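To make the proposed option concrete, here is an added example (not AMS code, and not part of the original request) that parses a DMARC TXT record like the one above and applies the described checkbox logic; the function names, the "quarantine when neither check passes" fallback, and the assumption that the SPF/DKIM inputs already reflect alignment are mine.

```python
# Added example: parse a DMARC record and apply the proposed
# "no enforceable policy" handling option. Not AMS's own code.
from typing import Optional


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Parse a DMARC TXT record such as
    'v=DMARC1; p=quarantine; rua=mailto:dmarc@domain.com'.
    Returns a dict of tags, or None when the record is missing or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def disposition(record: Optional[str], spf_pass: bool, dkim_pass: bool,
                lenient_action: str = "pass") -> str:
    """Decide what to do with a message.

    spf_pass / dkim_pass: the receiver's own check results (assumed to
    already account for identifier alignment).
    lenient_action: what the proposed checkbox does when the sender has no
    DMARC record or no quarantine/reject policy: 'pass' or 'quarantine'.
    """
    tags = parse_dmarc(record)
    policy = (tags or {}).get("p", "none").lower()
    auth_ok = spf_pass or dkim_pass
    if policy not in ("quarantine", "reject"):
        # No enforceable policy published: apply the proposed option when at
        # least one of SPF/DKIM passed; hold the message if neither did
        # (assumed fallback, chosen here so nothing is let through unchecked).
        return lenient_action if auth_ok else "quarantine"
    # Sender publishes quarantine/reject: honour it when authentication fails.
    return "pass" if auth_ok else policy
```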
Also, I get a good number of incoming DKIM failures for [Invalid Signature], but these mails are blocked, so I can't tell what key / signature was used at email time (could be issues due to DNS propagation, email checksum changing post-send, etc.). Not sure of the best way to provide more detail here, but could there potentially be an additional log we could turn on in logging, say, for DKIM specifically, to have the debug-level detail? Just a thought.
Somewhat frequently I run into these errors from known good senders (who likely have some technical issue on their end, their DNS records were in flux temporarily, or our server couldn't reach them to verify in that moment). It would be good to have more technical info to be able to help them troubleshoot it.