On 05.06.2014 21:48, Franck Martin wrote:
If the policy=reject and the dmarc is fail, then spamassassin should
not see the email because opendmarc would have already rejected it (if
not it is due to local policy override, so spamassassin should not
change that)

In the default configuration OpenDMARC doesn't reject on policy failures, it only adds an Authentication-Results header, which I already use in SpamAssassin. But I don't think it's a good idea to reject mail because of DMARC policy failure, there are too many mailing lists and mail forwardings that are not compatible with DMARC requirements.

In the last case p=none (monitoring) it means the sender does not have
all its mail stream under control, so adding some marginal points to
the dmarc=fail condition, could be fine, but adding a lot of points,
means you are going to block/flag emails from the streams the sender
does not have under control (like a third party). The sender may also
not want all its mail stream under control...

You are right, DMARC policy pass should be given some negative spam points. But for policy failures you are more flexible using META rules. If DMARC policy fails and the mail comes from a mailing list, I wouldn't give it any spam points, but when it comes directly, it's probably forged and should be given some spam points.

In short if you have installed openDMARC, then you don’t need
spamassassin, the work has been done. If you don’t have openDMARC then
spamassassin may help you.

That's the point, I have a solution when I use OpenDMARC, I can check the Authentication-Results header. But I want a solution to be independent of OpenDMARC milter.

As for SENDERDOMAIN this is, in most cases, the domain in the From:
header… However, there is this concept of alignment against the
organizational domain, which requires the heuristic of the public
suffix list rules.

I know. AskDNS can handle multiple entries in the _SENDERDOMAIN_ tag, e.g. sub.example.com,example.com. The only problem would be to give sub.example.com a higher priority if both match.

So my problem still is how to get the _SENDERDOMAIN_ tag set without writing a plugin. If it's impossible, maybe I'll write a plugin, but I want to keep the check as simple as possible.

I would be more interested to know, how you could inject the result of
DMARC into the bayesian filtering, and how to meaningfully affect its
results.

I don't know why you would inject the results into Bayes, DKIM and SPF are not used in Bayes either afaik.

The results from using the OpenDMARC Authentication-Results header are:

            %SPAM  %HAM
DMARC_FAIL  21.21   0.85
DMARC_PASS   0.00  39.18

--
Christian Laußat
https://kvm.laussat.info/
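
The META-rule approach described in the reply above (score a DMARC failure only when the mail did not arrive through a mailing list), written out as a SpamAssassin configuration. This is an added example and not part of the original message; the authserv-id `mx.example.org`, all scores, and every rule name other than DMARC_PASS are assumptions.

```conf
# Added example, not from the thread. "mx.example.org" stands for the
# authserv-id your own OpenDMARC milter writes; scores are placeholders.

# Match only Authentication-Results headers written by the local MTA.
# A sender can put any Authentication-Results header into a message, so the
# authserv-id is anchored here, and the MTA should strip inbound headers
# that carry its own authserv-id. /m is needed because SpamAssassin joins
# repeated headers with newlines.
header   __DMARC_AR_PASS    Authentication-Results =~ /^\s*mx\.example\.org\s*;[^\n]*\bdmarc=pass\b/mi
header   __DMARC_AR_FAIL    Authentication-Results =~ /^\s*mx\.example\.org\s*;[^\n]*\bdmarc=fail\b/mi

# Mailing-list indicators. These headers are sender-controlled as well, so
# the exemption below lowers the score; it does not establish trust.
header   __HAS_LIST_ID      exists:List-Id
header   __PREC_LIST        Precedence =~ /^\s*list\b/i
meta     __VIA_LIST         (__HAS_LIST_ID || __PREC_LIST)

# DMARC pass: small negative score.
meta     DMARC_PASS         __DMARC_AR_PASS
describe DMARC_PASS         DMARC passed according to local Authentication-Results
tflags   DMARC_PASS         nice
score    DMARC_PASS         -0.5

# DMARC fail on list traffic: informational only, no real points.
meta     DMARC_FAIL_LIST    (__DMARC_AR_FAIL && __VIA_LIST)
describe DMARC_FAIL_LIST    DMARC failed, message carries mailing-list headers
score    DMARC_FAIL_LIST    0.001

# DMARC fail on direct mail: likely forged From:, add points.
meta     DMARC_FAIL_DIRECT  (__DMARC_AR_FAIL && !__VIA_LIST)
describe DMARC_FAIL_DIRECT  DMARC failed on mail without mailing-list headers
score    DMARC_FAIL_DIRECT  2.0
```

Running `spamassassin --lint` after adding the rules checks the syntax before they go live.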
