I'd say that a proper solution would be to DKIM-sign mail before it's
spam-scanned.
On 19.04.21 19:39, Simon Wilson wrote:
Good point. If DKIM is signed it should pass DMARC, even if SPF fails.
Amavisd handles both pieces, including DKIM signing... from looking at
the headers it looks like Amavisd is spam scanning it first *then*
DKIM signing it. I will post to the amavisd mailing list on that
question...
DKIM-signing locally submitted mail prior to spam scanning would help us
here (and amavis is supposed to know local domains, unlike SA)
It's not applicable for non-DKIM domains, which still can SPF pass and
therefore DMARC pass.
but, the rule could apparently avoid locally-originated mail
(would help for non-DKIM domains).
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
maybe __LAST_EXTERNAL_RELAY_NO_AUTH ?
Am I reading the rule correctly that EITHER a fail DKIM or SPF will
cause this to trip?
meta KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
score KAM_DMARC_REJECT 3.0
...in which case, SPF will *always* fail on an internal email and this
rule will always fail. DMARC can still pass with e.g. an SPF failure
if DKIM passes - why is this an "OR"?
negated or: if either SPF or DKIM passes, the KAM_DMARC_REJECT won't
hit, because it means DMARC pass.
I am not sure how exactly SPF matches:
header SPF_PASS eval:check_for_spf_pass()
I'm not sure SPF should hit for locally submitted e-mail.
However, putting an exemption for local mail into KAM_DMARC_REJECT could help us
to accept locally submitted mail.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I don't have lysdexia. The Dog wouldn't allow that.
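
The rule logic discussed in this message, as an added example that is not part of the original post or of the KAM ruleset: a small evaluator for the quoted meta body, run over constructed rule-hit sets, comparing it with a hypothetical variant that adds the __LAST_EXTERNAL_RELAY_NO_AUTH term suggested above. It assumes that sub-rule does not hit on locally submitted mail, and it handles only the !, &&, || and parenthesis subset of meta syntax.

```python
import re
# Meta body quoted in the thread, and a hypothetical variant adding the
# exemption floated in the message (an assumption, not a published rule).
ORIGINAL = "!(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT"
EXEMPTED = ORIGINAL + " && __LAST_EXTERNAL_RELAY_NO_AUTH"
TOKEN = re.compile(r"&&|\|\||[!()]|\w+")
POLICY, NOAUTH = "__KAM_DMARC_POLICY_REJECT", "__LAST_EXTERNAL_RELAY_NO_AUTH"
# Constructed hit sets; NOAUTH is assumed not to hit on local submission.
SCENARIOS = {
    "external, aligned DKIM passes": {POLICY, NOAUTH, "DKIM_VALID_AU"},
    "external, only SPF passes": {POLICY, NOAUTH, "SPF_PASS"},
    "external, DKIM and SPF both fail": {POLICY, NOAUTH},
    "local submission, scanned before signing": {POLICY},
}

def meta_hits(expr, hits):
    """Evaluate a meta body limited to !, &&, || and parentheses."""
    toks = TOKEN.findall(expr)
    if "".join(toks) != "".join(expr.split()):
        raise ValueError("unsupported characters in meta body")
    toks.reverse()  # pop() now yields tokens left to right
    def unary():
        t = toks.pop()
        if t == "!":
            return not unary()
        if t == "(":
            v = either()
            if toks.pop() != ")":
                raise ValueError("missing closing parenthesis")
            return v
        if not re.fullmatch(r"\w+", t):
            raise ValueError(f"unexpected token {t!r}")
        return t in hits  # a rule name is true when that rule hit
    def binary(op, operand):
        v = operand()
        while toks and toks[-1] == op:
            toks.pop()
            r = operand()  # always parse the right-hand side
            v = (v and r) if op == "&&" else (v or r)
        return v
    both = lambda: binary("&&", unary)
    either = lambda: binary("||", both)
    result = either()
    if toks:
        raise ValueError(f"trailing tokens: {toks[::-1]}")
    return result

def compare():
    return {n: (meta_hits(ORIGINAL, h), meta_hits(EXEMPTED, h)) for n, h in SCENARIOS.items()}
```

compare() returns (original, exempted) per scenario; only the local-submission case differs between the two rule bodies.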