>Would you please consider adding a feature to do the same for a failed 
DKIM signature?

NO!

Contrary to SPF, a DKIM signature has only two options: OK and FAIL, 
based on the signature itself or on a trusted forwarder's 
authentication result (ARC).
A DKIM signature has to be valid every time for any of the above reasons.

> I score failed spf and score failed dkim, so DoDMARC is only scoring 
even though p=reject.

What else makes sense?
If SPF is scored and DKIM is scored and DMARC is scored - AND the resulting 
score doesn't block the mail at the penaltybox, your settings are wrong!


>If DMARC says p=reject, why shouldn't assp outright honor that, 
regardless of if we have spf / dkim failures set to only score?

SPF has too many options to change/override the original result in assp 
(more or less strict, overwrite, skip ....); some of these options also 
exist for DKIM.
If we ignore/change/override .... sender policies for SPF and DKIM, it is 
not wise to honor the reject DMARC policy strictly.

Thomas




From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    16.06.2022 19:28
Subject: [Assp-test] blockStrictDKIMRe -- also thoughts on DMARC rejects



The ability to block failed SPF, instead of just scoring them, for 
select regex matches has been a terrific feature of ASSP for a long time 
(Block SPF Processing Regex* (blockstrictSPFRe)). Would you please 
consider adding a feature to do the same for a failed DKIM signature? 
Outright blocking of a matching message that fails DKIM, regardless of the 
domain's DMARC settings. -- maybe that's not necessary if DoDMARC will 
honor =reject, see more below.

Reasoning:
I already score failed DKIM signatures, but I can't set that score too 
high because so many organizations still send messages through 3rd parties 
with invalid DKIM signatures. It really is incredible how many I see. 
But for frequently abused sender addresses (docusign for example), who are 
often spoofed but send otherwise unspammy content, I want to outright 
block if the DKIM signature fails. blockStrictSPFRe usually works because 
these bad DKIM sigs are on mails that also violate SPF rules; still, 
it would be helpful if I could also just say "if a specific regex is 
matched on an email with an invalid DKIM, reject the message".

RELATED: DMARC p=reject should always reject if failed
Docusign.net has a DMARC rule of p=reject. I want to honor that. The 
last scam that came in from them failed SPF and failed DKIM validation, 
but the message was from a whitelisted address. DoDMARC says that the 
blocking will be the "most less aggressive" (least aggressive) and the 
published DMARC record. I score failed SPF and score failed DKIM, so 
DoDMARC is only scoring even though p=reject.

Enable DMARC Check (DoDMARC)
If enabled and ValidateSPF and DoDKIM are enabled and the sending domain 
has published a DMARC record/policy, assp will act on the mail according 
to the sender's DMARC policy using the results of the SPF and DKIM check 
and validating the SPF/DKIM address/domain Identifier Alignment rules 
(RFC7489 section 3). It is safe to leave this feature ON, it will not 
produce false positives! The blocking mode (block, monitor, score, 
testmode) is adapted from the most less aggressive setting of ValidateSPF 
and DoDKIM - and the published DMARC record 
([p][sp]=[reject][quarantine]). Scoring is done using dmarcValencePB.

If DMARC says p=reject, why shouldn't assp outright honor that, regardless 
of if we have spf / dkim failures set to only score?

Thanks
Ken

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
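As an added illustration (not ASSP's code, and not written by either poster), the following is a minimal evaluator of the DMARC logic the quoted DoDMARC description refers to (RFC 7489 section 3): a message passes DMARC only when at least one of SPF or DKIM passes *and* that identifier aligns with the RFC5322.From domain; otherwise the published policy is the requested disposition (p=, or sp= for subdomains). All domains, the DMARC record and the five scenarios are constructed; `sender.example` stands in for any sending domain publishing p=reject, and `organizational_domain` is a two-label simplification that a real implementation must replace with a Public Suffix List lookup. The "forwarded" case shows why a DKIM signature, unlike SPF, has to survive intact on its own: it is the only identifier left to rescue a legitimately forwarded message.

```python
"""DMARC evaluation per RFC 7489: pass if an aligned SPF or DKIM identifier
passes, else apply the published policy. Constructed example, not ASSP code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.
    Alignment tags default to relaxed ('r') as the RFC specifies."""
    tags: Dict[str, str] = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def organizational_domain(domain: str) -> str:
    """Constructed simplification: the last two labels. Production code must
    consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') requires an exact match, relaxed
    ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str             # domain of the RFC5322.From header
    spf_result: str              # "pass", "fail", "softfail", ...
    spf_domain: Optional[str]    # MAIL FROM (or HELO) domain SPF was evaluated for
    dkim_result: str             # "pass" or "fail"
    dkim_domain: Optional[str]   # d= of the verified signature, None if none verified


def evaluate_dmarc(auth: AuthResults, record: Dict[str, str],
                   record_domain: str) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition).
    pct= sampling and the reporting tags are deliberately ignored here."""
    spf_ok = (auth.spf_result == "pass"
              and aligned(auth.spf_domain, auth.from_domain, record["aspf"]))
    dkim_ok = (auth.dkim_result == "pass"
               and aligned(auth.dkim_domain, auth.from_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # sp= governs subdomains of the publishing domain, falling back to p=
    is_subdomain = auth.from_domain.lower() != record_domain.lower()
    policy = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return "fail", policy


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed cases for a domain publishing 'p=reject; sp=quarantine'."""
    record = parse_dmarc_record(
        "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@sender.example")
    dom = "sender.example"
    return {
        # Spoof: SPF fails and DKIM fails, so p=reject is requested
        "spoof": evaluate_dmarc(
            AuthResults(dom, "fail", "attacker.example", "fail", None), record, dom),
        # Forwarded mail: SPF breaks at the forwarder, the aligned DKIM signature survives
        "forwarded": evaluate_dmarc(
            AuthResults(dom, "fail", "forwarder.example", "pass", dom), record, dom),
        # Third-party ESP signs with its own d= and bounce domain: both pass, nothing aligns
        "unaligned_esp": evaluate_dmarc(
            AuthResults(dom, "pass", "bounce.esp.example", "pass", "esp.example"), record, dom),
        # Subdomain in From with no aligned pass: sp=quarantine applies instead of p=
        "subdomain": evaluate_dmarc(
            AuthResults("news." + dom, "fail", "other.example", "fail", None), record, dom),
        # Relaxed alignment: d= is a subdomain of the From organizational domain
        "relaxed_dkim": evaluate_dmarc(
            AuthResults(dom, "fail", None, "pass", "mail." + dom), record, dom),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print(f"{name:14s} dmarc={result:4s} disposition={disposition}")
```

Whether a receiver then blocks, quarantines or merely scores is a local decision layered on top of the requested disposition; the code above only computes what the sender asked for, which is the part of the thread both posters agree on.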





