Hi,
I'm trying to improve my rules for DMARC policy checking. For now I only
use the Authentication-Results header from the OpenDMARC milter as
described here:
https://kvm.laussat.info/2014/05/19/using-dmarc-in-spamassassin/
To get rid of this dependency, I looked at
Mail::SpamAssassin::Plugin::AskDNS.
It seems it would be easy to write a DMARC policy check with these
rules, e.g.:

askdns __DMARC_POLICY_NONE _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=none;/
askdns __DMARC_POLICY_QUARANTINE _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=quarantine;/
askdns __DMARC_POLICY_REJECT _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=reject;/
meta __DMARC_POLICY_ANY __DMARC_POLICY_NONE || __DMARC_POLICY_QUARANTINE || __DMARC_POLICY_REJECT
meta DMARC_PASS __DMARC_POLICY_ANY && DKIM_VALID_AU && SPF_PASS
describe DMARC_PASS Message passed DMARC policy check
score DMARC_PASS -0.5
meta DMARC_FAIL __DMARC_POLICY_ANY && !DMARC_PASS && __DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST
describe DMARC_FAIL Message failed DMARC policy check
score DMARC_FAIL 1.0

My problem now is how to get the _SENDERDOMAIN_ tag for the AskDNS
check?
If the message is DKIM signed I could use _DKIMDOMAIN_, but what if it's
not signed but has a DMARC policy on the domain?
Any ideas how to do this without writing a plugin?
--
Christian Laußat
https://kvm.laussat.info/
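
Added example, not part of the original message and not SpamAssassin code: a Python sketch that derives the _dmarc query name from the From: header and reads the p= tag by parsing the record's tag list, compared with a substring pattern of the form used in the askdns rules above. The function names and the sample records are constructed for illustration.

```python
import re
from email.utils import parseaddr

# The pattern style used in the askdns rules above, for comparison.
PAGE_REJECT_RE = re.compile(r"v=DMARC1;.*p=reject;")

def from_domain(from_header):
    """Domain of the RFC5322.From address, lower-cased, or None."""
    addr = parseaddr(from_header)[1]
    if addr.count("@") != 1:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".") or None

def dmarc_qname(from_header):
    """DNS name to query for the policy record of the From domain."""
    domain = from_domain(from_header)
    return "_dmarc." + domain if domain else None

def parse_dmarc(txt):
    """Parse a TXT string into a tag dict; None if not a DMARC1 record."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    return tags or None

def policy(txt):
    """Requested policy (none/quarantine/reject) or None."""
    tags = parse_dmarc(txt)
    p = tags.get("p", "").lower() if tags else ""
    return p if p in ("none", "quarantine", "reject") else None

# Constructed sample records (not taken from real domains).
SAMPLES = [
    "v=DMARC1; p=reject",                     # no trailing semicolon
    "v=DMARC1; p=none; sp=reject; pct=100;",  # sp= contains "p=reject;"
    "v=DMARC1;p=quarantine;rua=mailto:dmarc@example.org",
]

if __name__ == "__main__":
    print(dmarc_qname('"Alice" <alice@Mail.Example.org>'))
    for txt in SAMPLES:
        print(policy(txt), bool(PAGE_REJECT_RE.search(txt)), txt)
```

The first sample is a reject policy that the substring pattern misses, and the second is a p=none policy that it reports as reject because of the sp= tag. Fallback to the organizational domain when the From domain has no record of its own is not handled here.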