I have the following custom rules working pretty well in testing, but
ran into this message with two "Authentication-Results" headers:
Authentication-Results: mx3.webtent.org; dmarc=none (p=none dis=none)
header.from=email.monoprice.com
Authentication-Results: mx3.webtent.org;
dkim=fail reason="signature verification failed" (2048-bit key;
unprotected) header.d=email.monoprice.com
header.i=@email.monoprice.com header.b=JvTxQQIc
This triggers DMARC_FAIL in my custom rules below, but all I want to
pick up on is 'header.from' failures. What do I need to change the
regular expression to also pick up on header.from in the header? Would I
just add '.*header.form' after =fail?
# DMARC rules
header __DMARC_FAIL Authentication-Results =~ /webtent.org; (dmarc|dkim)=fail /
meta DMARC_FAIL (__DMARC_FAIL && !__DOS_HAS_LIST_ID &&
!__DOS_HAS_MAILING_LIST)
describe DMARC_FAIL DMARC or DKIM authentication failed
score DMARC_FAIL 3.7
meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)
describe WT_FORGED_SENDER To score high when DMARC fails w/o valid DKIM
score WT_FORGED_SENDER 8.0
header __DMARC_PASS Authentication-Results =~ /webtent.org; (dmarc|dkim)=pass /
meta DMARC_PASS (__DMARC_PASS && !DMARC_FAIL)
describe DMARC_PASS DMARC or DKIM authentication valid
tflags DMARC_PASS nice
score DMARC_PASS -1.1
meta DMARC_NONE (!DMARC_PASS && !DMARC_FAIL)
describe DMARC_NONE No DMARC or DKIM authentication
score DMARC_NONE 0.001
Any suggestions for setting up DMARC custom rules appreciated.
--
Robert
