We have developers who like to do things their own way, regardless of advice given. One of these is to send emails with completely bogus sender-addresses
I'd like to get OpenDKIM to reject or drop emails that it can't sign - is this possible?
Jan 4 21:30:25 smtp2 opendkim: 12345: no signing table match for '[email protected]'
Jan 4 21:30:25 smtp2 opendkim: 12345: no signature data
There are no configuration options that seem relevant other than SendReports yes which generates a new email back to the sender while continuing to send the unsigned original.
I've explored Canonicalization but that's unrelated.
Question: Can OpenDKIM stop delivery of an email that it can't sign ?
the only job of the DKIM signer (in your case OpenDKIM) is to sign outgoing emails with the configured signign keys. It is not responsible for transporting the mails, that is the job of your installed mail transport agent (MTA).
If you are using sendmail, sendmail needs to be configured to accept only authenticated connections and reject mails from connections that are not authenticated.