spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From RW <rwmailli...@googlemail.com>
Subject Re: DMARC_REJECT?
Date Fri, 15 Nov 2019 23:35:20 GMT
On Fri, 15 Nov 2019 10:02:48 -0700
Amir Caspi wrote:

> On Nov 15, 2019, at 9:50 AM, David Jones <djones@ena.com> wrote:
> > 
> > If SA is being run post MTA (i.e. inside Thunderbird) then any
> > filtering can change the content to remove potentially bad
> > attachments, add an "EXTERNAL" warning to the Subject or body, etc.
> > which will break DKIM signing.  
> 
> I believe this is what’s happening on my FPs. My mail flow is
> sendmail to MailScanner to SA (spamc) via procmail, and MS will do
> some content altering (e.g. to disable web bugs or reveal potential
> phishing links). That breaks DKIM. I could disable those features but
> that obviates half the point of MS. If I could swap the order of MS
> and SA that would resolve this issue... but I’m not sure if that’s
> possible with my setup. (I know MS can call SA from within its flow
> but it doesn’t use spamc/spamd and I think can not accommodate
> per-user prefs.)
> 
> The other FP I’ve seen is forwarded mail, I’m not sure why DKIM broke
> there because I didn’t see evidence of MS munging. Will have to
> examine more closely.


The rule  is

meta DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT

DKIM_VALID_AU is too strict for DMARC as it requires strict alignment.
OTOH SPF_PASS requires no alignment at all which should eliminate most
FPs on incoming mail - including most forwarded mail. DKIM should only
rarely make a difference on ham. 


Do you have something preventing SPF from working correctly?


It would be useful to include  ALL_TRUSTED in these rules to handle
local and outgoing mail better.

I would also include __RP_MATCHES_RCVD.



Mime
View raw message