trusteddomainproject/OpenDMARC

Need an option to defer mail when opendkim fails to add AR header

elmaimbo opened this issue · 1 comment

While checking my mail logs I uncovered an interesting scenario:

  1. An email was received by the mail server (postfix).
  2. The mail server invoked the opendkim and opendmarc milters.
  3. The opendkim milter issued a DNS request for the domainkey record. For some reason (which I haven't quite got to the bottom of) this DNS request timed out, and so no AR dkim result (i.e. no "Authentication-Results" header containing dkim result) was added.
  4. As a result of both SPF having failed (non-aligned) and there being no AR dkim result, opendmarc considered DMARC to have failed, and applied the DMARC policy (in this case quarantine).

It would have been much better if opendmarc had deferred the email (i.e. 4xx response), because then the email could have been retried some time later (and succeeded), rather than ending up in the hold queue and requiring manual intervention.

Can you please consider adding a configuration option to specify that if DMARC fails due to a missing AR dkim result header (signifying a failure of OpenDKIM), that OpenDMARC will defer the mail instead of treating it as having failed DMARC policy?

Thanks,
Nick.
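To make the requested behaviour concrete, here is an added illustration (not OpenDMARC's code, and not part of this issue) of the policy decision step: it reads the Authentication-Results headers for a configured authserv-id, and when no DKIM result is present at all (the situation above, where the OpenDKIM lookup timed out) it returns a temporary failure instead of applying the DMARC policy. The authserv-id `mx.example.net`, the sample header values and the two-label organizational-domain shortcut are assumptions for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample Authentication-Results values (not from the issue).
AR_DKIM_MISSING = ["mx.example.net; spf=fail smtp.mailfrom=bounce.other.example"]
AR_DKIM_PASS = AR_DKIM_MISSING + ["mx.example.net; dkim=pass header.d=example.com"]
AR_DKIM_FAIL = AR_DKIM_MISSING + ["mx.example.net; dkim=fail header.d=example.com"]

def parse_ar(values, authserv_id):
    """Return {method: (result, {property: value})} from trusted A-R values."""
    results = {}
    for value in values:
        head, _, rest = value.partition(";")
        if head.strip() != authserv_id:   # ignore A-R headers added by other hosts
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
            if not m:
                continue
            props = dict(re.findall(r"(\w+\.\w+)=(\S+)", m.group(3)))
            results[m.group(1).lower()] = (m.group(2).lower(), props)
    return results

def org_domain(domain):
    # Assumed shortcut: last two labels; real code consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(a, b):
    return org_domain(a) == org_domain(b)   # relaxed DMARC alignment

def dmarc_decision(ar_values, from_header, policy, authserv_id,
                   defer_on_missing_dkim=True):
    """Return 'accept', 'tempfail', or the DMARC policy ('quarantine'/'reject')."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    res = parse_ar(ar_values, authserv_id)
    spf = res.get("spf")
    spf_domain = spf[1].get("smtp.mailfrom", "").rsplit("@", 1)[-1] if spf else ""
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf_domain, from_domain)
    dkim = res.get("dkim")
    # No DKIM result at all (or an explicit temperror): the verifier never answered.
    # Without an aligned SPF pass, a 4xx lets the sender retry once DNS recovers.
    if (dkim is None or dkim[0] == "temperror") and defer_on_missing_dkim and not spf_ok:
        return "tempfail"
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1].get("header.d", ""), from_domain)
    if spf_ok or dkim_ok:
        return "accept"
    return policy if policy in ("quarantine", "reject") else "accept"
```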

I think that fixing this issue in OpenDKIM would be a better solution; I've raised a bug against the OpenDKIM project: trusteddomainproject/OpenDKIM#176