A couple of comments… If the policy=reject and the dmarc is fail, then spamassassin should not see the email because opendmarc would have already rejected it (if not it is due to local policy override, so spamassassin should not change that)
So if you reject on dmarc=fail, this may be due to p=quarantine or p=none, which would let the message continue through the pipeline up to spamassassin. In the last case p=none (monitoring) it means the sender does not have all its mail stream under control, so adding some marginal points to the dmarc=fail condition could be fine, but adding a lot of points means you are going to block/flag emails from the streams the sender does not have under control (like a third party). The sender may also not want all its mail stream under control...

In short, if you have installed openDMARC, then you don't need spamassassin, the work has been done. If you don't have openDMARC then spamassassin may help you. I think assigning small negative points to dmarc=pass could be better, while remaining neutral for all the rest...

As for SENDERDOMAIN this is, in most cases, the domain in the From: header... However, there is this concept of alignment against the organizational domain, which requires the heuristic of the public suffix list rules.

I would be more interested to know how you could inject the result of DMARC into the bayesian filtering, and how to meaningfully affect its results.

On Jun 3, 2014, at 12:43 AM, Christian Laußat <us...@spamassassin.shambhu.info> wrote:

> Hi,
>
> I'm trying to improve my rules for DMARC policy checking. For now I only use
> the Authentication-Results header from the OpenDMARC milter as described here:
> https://kvm.laussat.info/2014/05/19/using-dmarc-in-spamassassin/
>
> To get rid of this dependency, I looked at
> Mail::SpamAssassin::Plugin::AskDNS.
> It seems it would be easy to write a DMARC policy check with these rules,
> e.g.:
>
> askdns __DMARC_POLICY_NONE _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=none;/
> askdns __DMARC_POLICY_QUARANTINE _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=quarantine;/
> askdns __DMARC_POLICY_REJECT _dmarc._SENDERDOMAIN_ TXT /v=DMARC1;.*p=reject;/
> meta __DMARC_POLICY_ANY __DMARC_POLICY_NONE || __DMARC_POLICY_QUARANTINE || __DMARC_POLICY_REJECT
> meta DMARC_PASS __DMARC_POLICY_ANY && DKIM_VALID_AU && SPF_PASS
> describe DMARC_PASS Message passed DMARC policy check
> score DMARC_PASS -0.5
> meta DMARC_FAIL __DMARC_POLICY_ANY && !DMARC_PASS && __DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST
> describe DMARC_FAIL Message failed DMARC policy check
> score DMARC_FAIL 1.0
>
> My problem now is how to get the _SENDERDOMAIN_ tag for the AskDNS check?
> If the message is DKIM signed I could use _DKIMDOMAIN_, but what if it's not
> signed but has a DMARC policy on the domain?
>
> Any ideas how to do this without writing a plugin?
>
> --
> Christian Laußat
> https://kvm.laussat.info/