>Thanks for that, I will do that, another thing that comes to my mind:
>if my mail server signs every single e-mail with DKIM, that e-mail
>should be signed even if it's redistributed by mailing list daemon
>or not? I see my own e-mails here and e-mails of some other people
>in this list to be DKIM signed.


If this passed DKIM checks, DKIM_VALID, then it should not hit
DKIM_VALID_AU in that case.  Read up on whitelist_auth related
to SPF and DKIM rule hits.


>So isn't there a way to get either postfix or SA to reject or flag emails
>that are sent specifically "from my domain" but aren't signed with
>DKIM? I even think that it's possible to set a DMARC policy to require
>emails from a domain to be signed.


"From my domain" needs to be defined.  I hope you know the
difference between the envelope-from and the visible From: header.
Most spammers are going to spoof the visible From: header but
the envelope-from will be different and can be blocked by good
DBLs like Invaluement and regular IP-based RBLs.  The envelope-from
with your own domain can be blocked normally at the MTA
level.  Your mail flow for legit senders of your domain should be
authenticating to internal or trusted mail servers that are allowed
to relay at the MTA level by IP or network before the
envelope-from domain is checked.  Make sure you know the
order of checks performed by your MTA.


I don't have any specific protection in place for the dozens of
domains that I filter for and we don't have a spoofing problem
with all of the MTA checks in place and a fairly well trained
Bayes database.


>This would block forged e-mails but would not block e-mails from
>mailing lists.


>Isn't it somehow possible to tell SA to score-up these mails if they
>fail this DMARC policy?


I have not needed to do any special scoring yet of DMARC failures
with the other MTA checks in place.  Get your MTA tuned up a bit
and see if this solves the problem for you.  This could take some
research, learning, and time to perfect.  If you use Postfix, there
have been some recent postings on this mailing list related to
senderscore.org and postscreen that will help you get a good
head start.

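The envelope-from versus visible From: distinction discussed in this message, as an added Python example that is not part of the original thread or of Postfix/SpamAssassin. It assumes the protected domain is `example.org`, that the receiving MTA stamps `Authentication-Results` with the authserv-id `mx.example.org`, and that alignment means an exact domain match; all names and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.org"        # assumption: the domain being protected
AUTHSERV_ID = "mx.example.org"   # assumption: id our own MTA puts in Authentication-Results

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """d= domains with dkim=pass, read only from headers our own MTA wrote."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(value.split())            # unfold continuation lines
        if value.split(";")[0].strip().lower() != AUTHSERV_ID:
            continue                               # written upstream: may be forged
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I):
            found.add(m.group(1).lower())
    return found

def classify(envelope_from, raw_message):
    """Say how a message relates to MY_DOMAIN in envelope, header and DKIM terms."""
    msg = message_from_string(raw_message)
    if domain_of(msg.get("From", "")) != MY_DOMAIN:
        return "not-claiming-my-domain"
    if MY_DOMAIN in dkim_pass_domains(msg):
        return "author-signed"                     # valid signature by the From: domain
    if domain_of(envelope_from) == MY_DOMAIN:
        return "envelope-also-my-domain"           # candidate for an MTA-level block
    return "header-only-unaligned"                 # forged From:, or a list broke the signature

def sample(from_hdr, auth_results):
    """Build a constructed test message."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_hdr}\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    cases = [
        ("bob@example.org", sample("Bob <bob@example.org>",
            "mx.example.org; dkim=pass header.d=example.org")),
        ("x@spam.invalid", sample("Boss <ceo@example.org>", "mx.example.org; dkim=none")),
        ("list-bounces@lists.example.net", sample("Bob <bob@example.org>",
            "mx.example.org; dkim=fail header.d=example.org;\n"
            " dkim=pass header.d=lists.example.net")),
    ]
    for env, raw in cases:
        print(env, "->", classify(env, raw))
```

The third case shows why this header-level check alone cannot separate a forged From: from a list post whose original signature no longer verifies: both come out as `header-only-unaligned`.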