

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams and other cyber threat activities.

Take a look here for further DMARC solutions for qmail. RFC 7489, Domain-based Message Authentication, Reporting, and Conformance (DMARC).

You can use Spamassassin to apply a DMARC filter by means of the AskDNS plugin. Just add the following to your local.cf:

    ifplugin Mail::SpamAssassin::Plugin::AskDNS
    askdns _DMARC_POLICY_NONE _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1.*\bp=none /
    askdns _DMARC_POLICY_QUAR _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1.*\bp=quarantine /
    askdns _DMARC_POLICY_REJECT _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1.*\bp=reject /

    meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) & _DMARC_POLICY_REJECT
    meta DMARC_QUAR !(DKIM_VALID_AU || SPF_PASS) & _DMARC_POLICY_QUAR
    meta DMARC_NONE !(DKIM_VALID_AU || SPF_PASS) & _DMARC_POLICY_NONE

    # the scores referred to below
    score DMARC_REJECT 5.0
    score DMARC_QUAR 2.5
    score DMARC_NONE 0.1
    endif # Mail::SpamAssassin::Plugin::AskDNS

This means that a DMARC reject (p=reject in the DNS record) will turn into a +5 spam score, DMARC quarantine (p=quarantine) into a +2.5 spam score and a p=none into a +0.1 spam score.

This is how you may want to set your own DMARC record into your bind zone:

    _dmarc IN TXT

Of course this requires that you already have both SPF and DKIM working as explained before. If you decide to set a similar DNS record in your DMZ view, it is important that you have set your allowed localnets in spamassassin, for example:

    internal_networks 10.0.0/24

Actually, after checking the DMARC and SPF RFCs (RFC 7489 section 4.1, RFC 7208 section 2.4): it is probably better to check for a null SMTP From in Spamassassin and then use SPF_HELO_PASS instead of SPF_PASS. Otherwise you will probably ban your system or web application mail messages in case you don't sign them. DMARC defers to the SPF RFC in case of a null MAIL FROM (AKA SMTP From). The SPF RFC requires verifiers to check the HELO in case of a null sender. To check for a null SMTP From I think your MTA needs to inject a header (e.g. Return-Path), so Spamassassin can see it. Then you can use something like:

    meta DMARC_PASS (DKIM_VALID_AU || SPF_PASS & !HEADER_FROM_DIFFERENT_DOMAINS || SPF_HELO_PASS & _BOUNCE_RPATH_NULL)

I think the DMARC RFC wants you to check alignment between the HELO and the From header in case of a null SMTP From. I wouldn't do that, since such alignment is uncommon (at least for autoreplies, maybe less so for bounces) and it will always fail with forwarded emails. The above rule still causes DMARC fails for bounces from servers that haven't configured SPF for their HELO domain. And it will often break for forwarded emails. But it is somewhat closer to the DMARC specification, if that is what you're after.

That's true in case of your version of the rule, since SPF_PASS checks the SMTP From, which in case of forwarded mail is chosen by the forwarding server instead of the original sender. Another issue with using SPF_PASS is that it never hits when the SMTP From is null (<>), which is mandatory for autoreplies and bounces. DMARC checks additionally that the SMTP From and the From header are aligned, which always fails for forwarded mail. So suppose you receive a forwarded mail (with altered headers such that DKIM breaks) with null SMTP From. Then even if the sender has set up DMARC, SPF and DKIM correctly your DMARC_X rule will hit. So maybe use !SPF_FAIL instead. But in that case, without !HEADER_FROM_DIFFERENT_DOMAINS the rule will hardly get any hits, since nowadays almost no mail fails SPF, including spam. But with !HEADER_FROM_DIFFERENT_DOMAINS forwarding could fail both DKIM and SPF/alignment. I don't think there is a good solution, at least not until everyone has implemented DKIM and forwarders stopped messing with headers. Hence, I would never use high scores with DKIM/DMARC rules.

This check is invalid; this -OR- logic in the () reads: If not (DKIM_VALID_AU -OR- SPF_PASS) AND there's a policy for the domain then reject, which means for an email (assuming a policy exists, i.e. 1):

    !DKIM_VALID_AU and !SPF_PASS = if !(0 || 0) & 1 = 1 & 1 = 1 = ACTION (GOOD)
    DKIM_VALID_AU and !SPF_PASS = if !(1 || 0) & 1 = 0 & 1 = 0 = NO ACTION (BAD)
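To make the two rule variants in this thread concrete, here is an added Python model (not code from the thread or from SpamAssassin itself) of the askdns policy lookup and of both meta expressions, run over the forwarded-mail and null-sender cases argued about above; the Flags field names and the meaning of _BOUNCE_RPATH_NULL (Return-Path is <>) are assumptions.

```python
import re
from dataclasses import dataclass

# Scores the first answer attaches to DMARC_REJECT / DMARC_QUAR / DMARC_NONE.
POLICY_SCORE = {"reject": 5.0, "quarantine": 2.5, "none": 0.1}
# Same test the askdns rules apply to the _dmarc TXT record: /^v=DMARC1.*\bp=... /
DMARC_RE = re.compile(r"^v=DMARC1.*\bp=(none|quarantine|reject)\b")

def dmarc_policy(txt_record):
    """Return the p= policy of a _dmarc TXT record, or None if it is not a DMARC record."""
    m = DMARC_RE.match(txt_record)
    return m.group(1) if m else None

@dataclass
class Flags:
    """The SpamAssassin tests the thread's meta rules refer to, as booleans (assumed names)."""
    dkim_valid_au: bool                          # DKIM_VALID_AU: valid signature aligned with From:
    spf_pass: bool                               # SPF_PASS: MAIL FROM domain authorises the client
    spf_helo_pass: bool = False                  # SPF_HELO_PASS: HELO domain authorises the client
    header_from_different_domains: bool = False  # HEADER_FROM_DIFFERENT_DOMAINS
    bounce_rpath_null: bool = False              # _BOUNCE_RPATH_NULL: Return-Path is <> (assumed)

def score_simple(flags, policy):
    """meta DMARC_X  !(DKIM_VALID_AU || SPF_PASS) & _DMARC_POLICY_X  (first answer)."""
    if policy is None or flags.dkim_valid_au or flags.spf_pass:
        return 0.0
    return POLICY_SCORE[policy]

def dmarc_pass(flags):
    """meta DMARC_PASS (DKIM_VALID_AU || SPF_PASS & !HEADER_FROM_DIFFERENT_DOMAINS
    || SPF_HELO_PASS & _BOUNCE_RPATH_NULL); & binds tighter than || as in Perl."""
    return (flags.dkim_valid_au
            or (flags.spf_pass and not flags.header_from_different_domains)
            or (flags.spf_helo_pass and flags.bounce_rpath_null))

def score_aligned(flags, policy):
    """Score when DMARC_X is rewritten as !DMARC_PASS & _DMARC_POLICY_X (the follow-up)."""
    if policy is None or dmarc_pass(flags):
        return 0.0
    return POLICY_SCORE[policy]

# Constructed scenarios from the discussion (not captured mail).
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
# Forwarded: the forwarder's MAIL FROM passes SPF but is not the From: domain; DKIM broken.
FORWARDED = Flags(dkim_valid_au=False, spf_pass=True, header_from_different_domains=True)
# Bounce with null sender <>: SPF_PASS can never hit, only the HELO identity can be checked.
BOUNCE = Flags(dkim_valid_au=False, spf_pass=False, spf_helo_pass=True, bounce_rpath_null=True)
```

The forwarded case passes the first rule (the forwarder's SPF pass masks the broken DKIM) but fails the aligned one, while the bounce is penalised by the first rule and accepted by the aligned one, which is exactly the trade-off the comments describe.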
