The Authentication-Results
header is provided by many MTAs (such as Postfix with OpenDKIM). When such a header is found, it should be used, instead of the program attempting to use the dkimpy
module to re-verify DKIM.
By default, OpenDKIM only adds Authentication-Results
when the originating domain has a "signs all" policy. Add AlwaysAddARHeader yes
to opendkim.conf
to override this. However, note that Authentication-Results
would NOT be added to mail sent by the MTA to a user on itself, since it'd be signing rather than verifying in its pass through OpenDKIM. In this case, the Authentication-Results
header would be completely missing, rather than some variation of none
or fail
. Is it safe to assert that the email comes from our own server in this situation?