On 2024-07-30 at 05:23:28 UTC-0400 (Tue, 30 Jul 2024 10:23:28 +0100)
Gilgongo via Postfix-users <gilgo...@phreak.co.uk>
is rumored to have said:

> I've recently installed and configured openDMARC. I see it marks perhaps
> 20-30% of domains as "fail" but I've not set it to reject those yet.
>
> I also see SpamAssassin doesn't give particularly high scores for SPF/DKIM
> failures,

That's because both SPF and DKIM failures DO NOT correlate strongly to a message being spam.

They never have. I expect that they never will.

> and Mail::SpamAssassin::Plugin::DMARC (not that it comes as
> standard) seems to have quite low scores by default too. So I'm a bit wary
> of false positives if I tell openDMARC to reject.

Whether you reject based on DMARC failure should be determined in large part by the policy expressed in the DMARC record. If it says "p=reject" then the domain owner WANTS DMARC failures to be rejected outright. You do not need to follow that but it is a clear expression of a policy choice unilaterally predefining DMARC-failed messages as invalid.

I see no reason not to punish them for that choice by giving them what they want. However, that's a local policy decision that is not universally acceptable. SpamAssassin is about spam, not about policy enforcement, so if you want to reject messages solely for DMARC failure, you have to explicitly configure that yourself.

> What do others do with DMARC?

I see it as only useful as the basis for local specific domain-based trust, e.g. welcomelist_auth (and for the related default welcomelist.)

> I'm inclined to just gradually turn up the SA
> scores on SPF/DKIM failures instead, if only because
> Mail::SpamAssassin::Plugin::DMARC isn't included in SA by default - and
> presumably for a reason.

It is included in v4, because it was built for v4. I'm mildly surprised that it works at all with v3.x. Take it up with your distro packager if you think they should become current or just update it yourself. CPAN can work to do the upgrade if you understand how to install but not test as root, however this may not be wise on distros that do substantial customization of SA. (i.e. Debian-based)


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
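
The decision discussed in this thread (act on a DMARC failure according to the policy the domain owner published, rather than rejecting every failure) can be sketched as follows. This is an added example, not part of the original message and not OpenDMARC or SpamAssassin code; the function names, the action labels and the sample headers and records are constructed, and the `pct=` tag is ignored.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a usable DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def published_policy(tags, is_subdomain=False):
    """Policy the domain owner asked for: sp= for subdomains when present, else p=."""
    if tags is None:
        return "none"
    if is_subdomain and tags.get("sp", "").lower() in VALID_POLICIES:
        return tags["sp"].lower()
    return tags["p"].lower()

def dmarc_result(auth_results):
    """Extract the dmarc= verdict from an Authentication-Results header value."""
    m = re.search(r"\bdmarc=([a-z]+)", auth_results, re.I)
    return m.group(1).lower() if m else "none"

def local_action(auth_results, record_txt, is_subdomain=False):
    """Reject or quarantine only on failure, and only as far as the owner's policy asks."""
    if dmarc_result(auth_results) != "fail":
        return "deliver"
    policy = published_policy(parse_dmarc_record(record_txt), is_subdomain)
    return {"reject": "reject", "quarantine": "quarantine", "none": "deliver"}[policy]

# Constructed samples: (Authentication-Results value, DMARC TXT record, is_subdomain)
SAMPLES = [
    ("mx.example.net; dmarc=fail (p=reject dis=none) header.from=bank.example",
     "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example", False),
    ("mx.example.net; dmarc=fail (p=none dis=none) header.from=list.example",
     "v=DMARC1; p=none", False),
    ("mx.example.net; dmarc=fail header.from=news.shop.example",
     "v=DMARC1; p=quarantine; sp=reject", True),
    ("mx.example.net; dmarc=pass header.from=bank.example",
     "v=DMARC1; p=reject", False),
]

if __name__ == "__main__":
    for header, record, sub in SAMPLES:
        print(local_action(header, record, sub), "<-", header)
```
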
