Thanks Everyone. Within all of the responses, I will try to reply here. 1. The legit sender will talk about big numbers because of the real things he is involved with so big numbers is still a valid method to score, just not in this case. 2. The SPF record is set to fail on no match, however this does not automatically say, ok it's the approved source everything is ok, let them spam out, SA will still score content, and simply not score for bad SPF. 3. The goal is to say for user j...@company.com, if we can confirm the source is their mail server IP, the lets add some negative value, lets say -2, to allow message that might be scored such as the above #1 because they are legit.
Unless there is something I'm missing, I'm not sure how to better explain it. Yes, I can provide the full headers, but I thought the spam info was enough to provide the SA aspect of the scoring. This is why I thought of the extra rule based on email address and IP combo, almost confirming its legit, to add ot the negative score. On Wed, Dec 21, 2022 at 1:12 PM Bill Cole < sausers-20150...@billmail.scconsult.com> wrote: > On 2022-12-21 at 12:02:27 UTC-0500 (Wed, 21 Dec 2022 18:02:27 +0100) > Matus UHLAR - fantomas <uh...@fantomas.sk> > is rumored to have said: > [...]> > > On 21.12.22 11:19, Henrik K wrote: > >> It will pass welcomelist_auth, since there is SPF_PASS, which you > missed: > >> > >> SPF_PASS -0.001 SPF: sender matches SPF record > > > > I understood KAM_DMARC_STATUS as failing SPF alignment. > > KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict > Alignment > > Note that 'or' is not 'and' in that description. The message in question > had a bad DKIM signature. > > > -- > Bill Cole > b...@scconsult.com or billc...@apache.org > (AKA @grumpybozo and many *@billmail.scconsult.com addresses) > Not Currently Available For Hire > -- Thanks! Joey