Hi, >>>So is there any way to make SA perform at least a relaxed DKIM >>>alignment check on the headers so that the DKIM signature domain has >>>to belong to the 'From:' address? > >>every domain using yahoo mail servers would have to delegate DKIM to >>yahoo and yahoo would need to sign under all those domains. >>the same applies about any domain that does DKIM signing (e.g. gmail) > > Interestingly, _dmarc.yahoo.com TXT record has "p=reject" which would > have caused a DMARC fail with a bounce. Looks like this spammer noticed > that yahoo.co.jp does not have a DMARC record which allowed them to > send this spam even to recipients with DMARC checks enabled and honoring > "p=reject" like my mails filters do.
I'm just adding 1.5 points when DMARC tests fail and the policy is to reject. Is it safe to block them completely? And why aren't DMARC tests part of the stock SA yet? >>that is in fact change in requirements on DKIM itself... > > I bet as we see DMARC gain traction like SPF has this will force these > major mail hosting providers like Yahoo to shape up. Right now they are > so big that we can't make them act responsibly. Yahoo should start rejecting > email that is sent through them like this to prevent spammers abusing them. > > Google is slowly turning up the heat with DMARC which forces the Internet > to implement it. I know this is a pain but I went through this pain a few > years > ago and now I am glad to see Google using their influence for good. In a few > more years all of our spam filtering will be better because of this. What does this mean for forwarded mail? I see there's already an exception for mailing list mail in the SA rules. We have a mail system with a few hundred users, virtually all of which forward their mail through to gmail or another freemail account. It has an entry in the top-level SPF record, but it rejects lots of mail from external senders due to the originating sender's SPF policy.
