DMARC Alignment: Enforce messages pass BOTH SPF and DKIM

dkim, dmarc, spf

Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF?

We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report that are passing just DKIM and we would rather that they fail our DMARC because we don't recognize them.

The domains that we do recognize are fully-aligned.

Our end goal is that unless it is fully aligned (both DKIM AND SPF), the message will be rejected.

Best Answer

Under the basic assumptions underpinning DMARC, nobody should be able to pass either a DKIM or SPF test as your domain, unless the mail is coming from a server you control. A pass for either of the two is enough to confirm this.

Thus there is no way to force DMARC to require both pass, and there should be no reason to do so.

If third parties are able to pass DKIM tests as you, and you did not authorise them, then you have a security problem, and this is what you need to fix.

First, make sure you haven't just made a mistake interpreting the reports you are seeing. Are they DKIM signed, but with a domain that's not yours? If so, there's nothing you need to do. But if emails not authorised by you are DKIM signed with your domain, this indicates you're doing something wrong.

Steps to take:

  • Generate a new DKIM key, start signing with it, and remove references to the old key from your DNS records (leaving the old DNS records will allow the old key to continue to be used).

  • Keep the private part of your DKIM key secure. By default, it should be hidden from all except root on your server. Keep it this way.

  • Make sure you are not signing mail that is coming in from untrusted sources. You should be only adding DKIM signatures to mail that originates with you and your users.

    If using OpenDKIM this is controlled by the InternalHosts option, and you should also make sure that you are not re-running OpenDKIM after passing mail through a local filter or proxy which would make it look like the mail originated internally.
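The first step in the answer, checking whether the "DKIM-only" rows are signed with your own domain or with someone else's, can be done mechanically against the aggregate (rua) XML. The following script is an added example and is not part of the question or the answer above; the report it parses is constructed sample data in the RFC 7489 aggregate format, `OUR_DOMAIN` and `KNOWN_SENDERS` are assumed values for the domain owner's own domain and sending IPs, and the relaxed-alignment check is a suffix test rather than a full Public Suffix List lookup. It splits each row into the receiver's aligned verdicts (`policy_evaluated`) and the raw signatures (`auth_results`), so a row that only passed DKIM shows up either as a harmless third-party signature or as a verified signature in your own domain from a server you do not operate, which is the case the answer says you need to fix.

```python
"""Triage a DMARC aggregate (rua) report: which sources pass aligned DKIM but
not aligned SPF, and which domain/selector actually signed those messages.

Added example, not from the original question or answer. The XML below is
constructed sample data; OUR_DOMAIN and KNOWN_SENDERS are assumptions.
"""
import xml.etree.ElementTree as ET

OUR_DOMAIN = "example.com"      # assumed: domain publishing the DMARC record
KNOWN_SENDERS = {"192.0.2.10"}  # assumed: IPs of servers the domain owner runs

# Constructed report with three sources:
#  1. fully aligned (our server)
#  2. DKIM signed by a third-party domain -> not aligned, nothing to do
#  3. DKIM signed with OUR domain from an IP we do not operate -> investigate
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2024</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>forwarder.example</domain><selector>fwd</selector><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.44</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2024</selector><result>pass</result></dkim>
      <spf><domain>mail.elsewhere.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def is_aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') also accepts a subdomain. Simplification: real relaxed alignment
    compares organizational domains via the Public Suffix List."""
    if not auth_domain:
        return False
    auth_domain = auth_domain.lower().rstrip(".")
    header_from = header_from.lower().rstrip(".")
    if auth_domain == header_from:
        return True
    return mode == "r" and auth_domain.endswith("." + header_from)


def triage(xml_text, known_senders=KNOWN_SENDERS):
    """Classify every record by its aligned DKIM/SPF verdicts and record which
    raw signatures were in the header-From domain (aligned) or foreign."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    adkim = pub.findtext("adkim", "r")
    aspf = pub.findtext("aspf", "r")
    findings = []
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        header_from = rec.find("identifiers").findtext("header_from")
        pe = row.find("policy_evaluated")
        dkim_ok = pe.findtext("dkim") == "pass"  # receiver's aligned DKIM verdict
        spf_ok = pe.findtext("spf") == "pass"    # receiver's aligned SPF verdict
        ar = rec.find("auth_results")
        aligned_sigs, foreign_sigs = [], []
        for d in ar.findall("dkim"):
            if d.findtext("result") != "pass":
                continue
            sig = (d.findtext("domain"), d.findtext("selector"))
            bucket = aligned_sigs if is_aligned(sig[0], header_from, adkim) else foreign_sigs
            bucket.append(sig)
        spf_el = ar.find("spf")
        spf_domain = spf_el.findtext("domain") if spf_el is not None else None
        if dkim_ok and spf_ok:
            cls = "fully-aligned"
        elif dkim_ok:
            cls = "dkim-only"
        elif spf_ok:
            cls = "spf-only"
        else:
            cls = "unaligned"
        findings.append({
            "ip": ip, "count": count, "class": cls,
            "disposition": pe.findtext("disposition"),
            "aligned_sigs": aligned_sigs, "foreign_sigs": foreign_sigs,
            "spf_domain_aligned": is_aligned(spf_domain, header_from, aspf),
            "known_sender": ip in known_senders,
        })
    return findings


def summarize(findings):
    """Message counts per alignment class."""
    totals = {}
    for f in findings:
        totals[f["class"]] = totals.get(f["class"], 0) + f["count"]
    return totals


def suspicious_sources(findings):
    """Sources that produced a verified signature in your own domain but are not
    servers you operate: the case to investigate (key exposure or signing of
    untrusted mail), as opposed to a third-party signature you can ignore."""
    return [(f["ip"], dom, sel) for f in findings
            if f["aligned_sigs"] and not f["known_sender"]
            for dom, sel in f["aligned_sigs"]]


if __name__ == "__main__":
    results = triage(SAMPLE_RUA)
    for f in results:
        print(f"{f['ip']:>14} {f['class']:<14} count={f['count']:<4} "
              f"own-domain sigs={f['aligned_sigs']} foreign sigs={f['foreign_sigs']}")
    print("totals:", summarize(results))
    print("investigate:", suspicious_sources(results))
```

Run against a real report, the `investigate` list is what the answer's steps address: an entry there means a signature under your selector verified for mail from a source you do not control, so rotate the key and check what the signer is accepting as internal mail. Rows that only appear under `foreign sigs` are signed by someone else's domain and already fail alignment, so no policy change is needed for them.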
