incoming SPF and DKIM checks on RT
in #41016 (closed), I found out that the rt-spam-blocklist hack that @lavamind developed was merrily dropping internal email addresses from traffic. things like frontdesk@torproject.org couldn't send mail anymore.
that has been worked around by moving the header check to the SMTP level, but we shouldn't have allowed those mails in, in the first place. i bet those emails were failing DKIM and SPF checks.
so here implement an inbound mail filter that will check SPF and DKIM before allowing the mail in. i implemented this using OpenDMARC on my home configuration, with relative success, see: