diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
index 9ca9549..3755986 100644
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -1,30 +1,46 @@
 rules {
- REJECT_DKIM_SPF {
+ # Reject on missing or invalid DKIM signature.
+ #
+ # We require DKIM signature on incoming mails regardless of DMARC policy.
+ #
+ # - R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
+ # - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+ # - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+ REJECT_DKIM {
 action = "reject";
- # Reject if
- # - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
- # - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
- # - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
- #
- # - SPF failure (R_SPF_FAIL)
- # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
- #
- # - DMARC policy failure (DMARC_POLICY_REJECT)
- #
- # Do not reject if:
- # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
- # and we do not want to lose messages because of faulty network.
- #
- # - R_SPF_SOFTFAIL
- # - R_SPF_NEUTRAL
- # - R_SPF_DNSFAIL
- # - R_SPF_NA
- #
- # - DMARC_DNSFAIL
- # - DMARC_NA
- # - DMARC_POLICY_SOFTFAIL
- # - DMARC_POLICY_QUARANTINE
- # - DMARC_BAD_POLICY
- expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
+ expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA";
+ message = "Rejected due to missing or invalid DKIM signature";
 }
+
+ # Reject on SPF failure.
+ #
+ # - SPF failure (R_SPF_FAIL)
+ # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+ REJECT_SPF { action = "reject";
+ expression = "R_SPF_FAIL | R_SPF_PERMFAIL";
+ message = "Rejected due to failed SPF check"; }
+
+ # Reject on DMARC policy check failure.
+ REJECT_DMARC { action = "reject";
+ expression = "DMARC_POLICY_REJECT";
+ message = "Rejected due to DMARC policy"; }
+
+ # Do not reject if:
+ # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+ # and we do not want to lose messages because of faulty network.
+ #
+ # - R_SPF_SOFTFAIL
+ # - R_SPF_NEUTRAL
+ # - R_SPF_DNSFAIL
+ # - R_SPF_NA
+ #
+ # - DMARC_DNSFAIL
+ # - DMARC_NA
+ # - DMARC_POLICY_SOFTFAIL
+ # - DMARC_POLICY_QUARANTINE
+ # - DMARC_BAD_POLICY
 }
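Review bot: REJECT_DKIM rejects on `R_DKIM_REJECT` without regard to whether another signature on the same message verified, and as far as I recall rspamd's dkim module inserts one result symbol per DKIM-Signature header, so a message carrying a valid author-domain signature plus a broken third-party or mailing-list signature ends up with both `R_DKIM_ALLOW` and `R_DKIM_REJECT` and is rejected here, contrary to RFC 6376 §6.1 which treats a message with at least one valid signature as signed. I would gate the rule on the absence of a passing signature: `expression = "(R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA) & !R_DKIM_ALLOW";`. REJECT_SPF has the related problem that `R_SPF_FAIL` is the expected outcome for mail relayed through a forwarder without SRS, and because a valid DKIM signature is already mandatory above, rejecting on SPF alone mostly costs forwarded mail rather than adding protection; if that trade-off is intended, the comment above REJECT_SPF should say so, otherwise add `& !R_DKIM_ALLOW` there as well. The "Do not reject if" list at the end of the file documents the excluded symbols but not this interaction, so whichever way it is decided, a one-line note on why SPF is (or is not) enforced independently of DKIM would help the next reader.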