spamassassin-users mailing list archives

From Franck Martin <fmar...@linkedin.com>
Subject Re: DMARC policy check with AskDNS posible?
Date Thu, 05 Jun 2014 19:48:53 GMT
A couple of comments…

If the policy=reject and the dmarc is fail, then spamassassin should not see the email because
opendmarc would have already rejected it (if not, it is due to a local policy override, so spamassassin
should not change that).

So if you reject on dmarc=fail, this may be due to p=quarantine or p=none, which would let the
message continue through the pipeline up to spamassassin.

In the last case, p=none (monitoring), it means the sender does not have all its mail stream
under control, so adding some marginal points to the dmarc=fail condition could be fine,
but adding a lot of points means you are going to block/flag emails from the streams the
sender does not have under control (like a third party). The sender may also not want all
its mail stream under control...

In short if you have installed openDMARC, then you don’t need spamassassin, the work has
been done. If you don’t have openDMARC then spamassassin may help you.

I think assigning small negative points to dmarc=pass could be better, while remaining neutral
for all the rest...

As for SENDERDOMAIN, this is, in most cases, the domain in the From: header… However, there
is this concept of alignment against the organizational domain, which requires the heuristic
of the public suffix list rules.

I would be more interested to know how you could inject the result of DMARC into the bayesian
filtering, and how to meaningfully affect its results.

On Jun 3, 2014, at 12:43 AM, Christian Laußat <users@spamassassin.shambhu.info> wrote:

> Hi,
> 
> I'm trying to improve my rules for DMARC policy checking. For now I only use the
> Authentication-Results header from the OpenDMARC milter as described here:
> https://kvm.laussat.info/2014/05/19/using-dmarc-in-spamassassin/
> 
> To get rid of this dependency, I looked at Mail::SpamAssassin::Plugin::AskDNS.
> It seems it would be easy to write a DMARC policy check with these rules, e.g.:
> 
> 
> askdns   __DMARC_POLICY_NONE       _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=none;/
> askdns   __DMARC_POLICY_QUARANTINE _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=quarantine;/
> askdns   __DMARC_POLICY_REJECT     _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=reject;/
> meta     __DMARC_POLICY_ANY        __DMARC_POLICY_NONE || __DMARC_POLICY_QUARANTINE || __DMARC_POLICY_REJECT
> meta     DMARC_PASS __DMARC_POLICY_ANY && DKIM_VALID_AU && SPF_PASS
> describe DMARC_PASS Message passed DMARC policy check
> score    DMARC_PASS -0.5
> meta     DMARC_FAIL __DMARC_POLICY_ANY && !DMARC_PASS && __DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST
> describe DMARC_FAIL Message failed DMARC policy check
> score    DMARC_FAIL 1.0
> 
> 
> My problem now is how to get the _SENDERDOMAIN_ tag for the AskDNS check?
> If the message is DKIM signed I could use _DKIMDOMAIN_, but what if it's not signed but
> has a DMARC policy on the domain?
> 
> Any ideas how to do this without writing a plugin?
> 
> -- 
> Christian Laußat
> https://kvm.laussat.info/
> 
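
Added example, not part of the original messages: a Python illustration of the organizational-domain heuristic and relaxed alignment mentioned in the reply, together with the DNS names a DMARC policy lookup queries for a given From: domain. The rule set is a constructed subset of the Public Suffix List, and all function names and sample domains are hypothetical.

```python
# Constructed subset of the Public Suffix List (assumption); a real
# deployment loads the full list published at publicsuffix.org.
PSL_RULES = {"com", "org", "uk", "co.uk", "*.ck", "!www.ck"}


def organizational_domain(domain, rules=PSL_RULES):
    """Public suffix plus one label, or None if the name is itself a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = 1  # PSL default rule "*": an unlisted TLD counts as a suffix
    for i in range(len(labels)):
        candidate = labels[i:]
        name = ".".join(candidate)
        wildcard = ".".join(["*"] + candidate[1:])
        if "!" + name in rules:
            # An exception rule wins: the suffix is the rule minus its first label.
            suffix_len = len(candidate) - 1
            break
        if name in rules or wildcard in rules:
            suffix_len = max(suffix_len, len(candidate))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def aligned(from_domain, auth_domain, strict=False):
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if strict:
        return a == b
    org = organizational_domain(a)
    return org is not None and org == organizational_domain(b)


def dmarc_query_names(from_domain):
    """Names to query for the policy: the From: domain, then its organizational domain."""
    d = from_domain.lower().rstrip(".")
    names = ["_dmarc." + d]
    org = organizational_domain(d)
    if org and org != d:
        names.append("_dmarc." + org)
    return names


if __name__ == "__main__":
    # Constructed sample domains.
    print(organizational_domain("news.mail.example.co.uk"))
    print(aligned("example.com", "bounce.example.com"))
    print(dmarc_query_names("news.mail.example.co.uk"))
```

A fixed `_dmarc.<domain>` lookup covers only the first of the returned names; the second is where a subdomain without its own record inherits the policy.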

