open-contracting / deploy

Deployment configuration and scripts

Home Page: https://ocdsdeploy.readthedocs.io/en/latest/


Configure DKIM for Postfix, or update SPF

jpmckinney opened this issue · comments

Our cron jobs send emails from e.g. root@ocp23.open-contracting.org, but these cause DMARC failures. Is it worth fixing that? We could, for example, configure Postfix to use an Amazon SES sender instead.

Or, make some DNS changes (in discussion via email).

Relaying Postfix through SES is a viable option.

But unless there is a particular business challenge that prevents adding DMARC and SPF records to ocp24 in DNS, it may have a lower cost implication to update the server's DNS records.

Checking the email deliverability sites, I can see ocp24 has a DMARC record already, but it does not have the "ocp24" subdomain as part of it. Fixing that and setting up an SPF record to go with it is the usual approach to the problem.

Do the following, and update our create_server instructions:

TXT record for the fully qualified domain name of ocp23.open.contracting.org

v=spf1 a:ocp23.open-contracting.org -all

Done, as I saw some more reports in the Postmark DMARC weekly digest.
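
Added example, not part of the original thread or the deploy repository: a minimal Python evaluation of the SPF record quoted above, plus the DMARC alignment check that depends on its result. The IP addresses and DNS tables are constructed, the envelope sender domain is assumed to be the server's hostname, and only the `a`, `ip4`/`ip6` and `all` mechanisms are handled.

```python
import ipaddress

HOST = "ocp23.open-contracting.org"
# Constructed stand-ins for DNS. 203.0.113.10 is a documentation address,
# not the server's real IP.
DNS_A = {HOST: ["203.0.113.10"]}
DNS_TXT = {HOST: "v=spf1 a:ocp23.open-contracting.org -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, mail_from_domain, txt=DNS_TXT):
    """Evaluate a small subset of SPF (RFC 7208) for the connecting IP."""
    record = txt.get(mail_from_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this name
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            # "a" with no argument means the envelope sender domain itself
            matched = str(ip) in DNS_A.get(arg or mail_from_domain, [])
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism or modifier outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_spf_aligned(spf_result, mail_from_domain, header_from_domain, strict=False):
    """DMARC accepts SPF only if it passed AND the domains align."""
    if spf_result != "pass":
        return False
    if strict:
        return mail_from_domain.lower() == header_from_domain.lower()
    # Relaxed alignment compares organizational domains. Assumption: the last
    # two labels; real implementations consult the Public Suffix List.
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(mail_from_domain) == org(header_from_domain)

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        result = check_spf(ip, HOST)
        print(ip, result, dmarc_spf_aligned(result, HOST, HOST))
```

Passing `txt={}` models the host name with no TXT record published, where the SPF result is `none` and DMARC cannot pass on SPF.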