diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
index a5be7511..9ca9549e 100644
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -2,10 +2,29 @@ rules {
     REJECT_DKIM_SPF {
         action = "reject";
         # Reject if
-        #   bad DKIM signature (R_DKIM_REJECT)
-        #   no DKIM signature (R_DKIM_NA)
-        #   SPF failure (R_SPF_FAIL)
-        #   DMARC policy failure (DMARC_POLICY_REJECT)
-        expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+        #   - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
+        #   - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+        #   - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+        #
+        #   - SPF failure (R_SPF_FAIL)
+        #   - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+        #
+        #   - DMARC policy failure (DMARC_POLICY_REJECT)
+        #
+        # Do not reject if:
+        #   - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+        #     and we do not want to lose messages because of faulty network.
+        #
+        #   - R_SPF_SOFTFAIL
+        #   - R_SPF_NEUTRAL
+        #   - R_SPF_DNSFAIL
+        #   - R_SPF_NA
+        #
+        #   - DMARC_DNSFAIL
+        #   - DMARC_NA
+        #   - DMARC_POLICY_SOFTFAIL
+        #   - DMARC_POLICY_QUARANTINE
+        #   - DMARC_BAD_POLICY
+        expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
     }
 }