diff --git a/node_auth.go b/node_auth.go
index 5ca1a21..d55a096 100644
--- a/node_auth.go
+++ b/node_auth.go
@@ -372,17 +372,11 @@ func (n *nodeAuth) readKeyFile(keyFile string) (ed2519key []byte, b64Key []byte,
 
 // verifySignature
 func (n *nodeAuth) verifySignature(m Message) bool {
-	// fmt.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method)
-	if !n.configuration.EnableSignatureCheck {
-		log.Printf(" * DEBUG: verifySignature: EnableSignatureCheck set to false\n")
-		return true
-	}
-
-	log.Printf(" * DEBUG: verifySignature: EnableSignatureCheck set to true\n")
+	log.Printf(" * DEBUG: verifySignature, method: %v\n", m.Method)
 
 	// NB: Only enable signature checking for REQCliCommand for now.
 	if m.Method != REQCliCommand {
-		// fmt.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n")
+		log.Printf(" * DEBUG: verifySignature: WAS OTHER THAN CLI COMMAND\n")
 		return true
 	}
 
@@ -399,11 +393,7 @@ func (n *nodeAuth) verifySignature(m Message) bool {
 
 // verifyAcl
 func (n *nodeAuth) verifyAcl(m Message) bool {
-	// fmt.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method)
-	if !n.configuration.EnableAclCheck {
-		log.Printf(" * DEBUG: verifyAcl: EnableAclCheck set to false\n")
-		return true
-	}
+	fmt.Printf(" * DEBUG: verifyAcl, method: %v\n", m.Method)
 
 	// NB: Only enable acl checking for REQCliCommand for now.
 	if m.Method != REQCliCommand {
diff --git a/process.go b/process.go
index 91fd42c..9adf800 100644
--- a/process.go
+++ b/process.go
@@ -523,39 +523,59 @@ func (p process) messageSubscriberHandler(natsConn *nats.Conn, thisNode string,
 		out := []byte{}
 		var err error
 
-		// The verify functions will return true if the signature or acl is correct,
-		// but will return false if the signature or acl is wrong.
-		// They will also return true if the configuration flag for checking the acl
-		// or the signature is set to false.
-		sigOK := p.nodeAuth.verifySignature(message)
-		log.Printf("info: sigOK=%v\n", sigOK)
-		aclOK := p.nodeAuth.verifyAcl(message)
-		log.Printf("info: aclOK=%v\n", aclOK)
+		doHandler := false
 
-		// We should allow to call the handler if either:
-		//  1. signature and acl is OK for when acl verification is enabled.
-		//  2. just signature is OK, if just signature checking is enabled.
-		//  3. Since the verify functions return true if the verification is
-		//     disabled, the handler will be called if both are disabled.
 		switch {
-		case sigOK && aclOK || sigOK:
-			log.Printf("info: subscriberHandler: signature and acl check successful: %v", err)
+
+		// If no checking enabled we should just allow the message.
+		case !p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
+			log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=false, EnableAclCheck=false\n")
+			log.Printf(" * DEBUG: no checking at all is enabled, allow the message\n")
+			doHandler = true
+
+		// If only sig check enabled, and sig OK, we should allow the message.
+		case p.nodeAuth.configuration.EnableSignatureCheck && !p.nodeAuth.configuration.EnableAclCheck:
+			log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=false\n")
+			log.Printf(" * DEBUG: only signature checking enabled, allow the message if sigOK\n")
+
+			sigOK := p.nodeAuth.verifySignature(message)
+			log.Printf("info: sigOK=%v\n", sigOK)
+
+			if sigOK {
+				doHandler = true
+			}
+
+		// If both sig and acl check enabled, and sig and acl OK, we should allow the message.
+		case p.nodeAuth.configuration.EnableSignatureCheck && p.nodeAuth.configuration.EnableAclCheck:
+			log.Printf(" * DEBUG: verify acl/sig: EnableSignatureCheck=true, EnableAclCheck=true\n")
+			log.Printf(" * DEBUG: both signature and acl checking enabled, allow the message if sigOK and aclOK\n")
+
+			sigOK := p.nodeAuth.verifySignature(message)
+			log.Printf("info: sigOK=%v\n", sigOK)
+			aclOK := p.nodeAuth.verifyAcl(message)
+			log.Printf("info: aclOK=%v\n", aclOK)
+
+			if sigOK && aclOK {
+				doHandler = true
+			}
+
+			// none of the verification options matched, we should keep the default value
+			// of doHandler=false, so the handler is not done.
+		default:
+			log.Printf(" * DEBUG: verify acl/sig: None of the verify flags matched, not doing handler for message\n")
+		}
+
+		switch {
+		case doHandler:
+			log.Printf("info: subscriberHandler: doHandler=true: %v\n", doHandler)
 			out, err = mh.handler(p, message, thisNode)
 			if err != nil {
 				er := fmt.Errorf("error: subscriberHandler: handler method failed: %v", err)
 				p.errorKernel.errSend(p, message, er)
 				log.Printf("%v\n", er)
 			}
-		case sigOK && !aclOK:
-			er := fmt.Errorf("error: subscriberHandler: acl check failed: %v", err)
-			p.errorKernel.errSend(p, message, er)
-			log.Printf("%v\n", er)
-		case !sigOK && !aclOK:
-			er := fmt.Errorf("error: subscriberHandler: signature and acl check failed: %v", err)
-			p.errorKernel.errSend(p, message, er)
-			log.Printf("%v\n", er)
-		case !sigOK:
-			er := fmt.Errorf("error: subscriberHandler: signature check failed: %v", err)
+		default:
+			er := fmt.Errorf("error: subscriberHandler: doHandler=false, doing nothing")
 			p.errorKernel.errSend(p, message, er)
 			log.Printf("%v\n", er)
 		}