Hi,

On Sat, Jul 29, 2017 at 7:27 PM, David Jones <djo...@ena.com> wrote:
> On 07/29/2017 04:33 PM, Alex wrote:
>>
>> I have a number of domains that I'm trying to whitelist. They hit
>> DKIM_VALID and SPF_PASS but all don't hit DKIM_VALID_AU. First, why
>> would they hit DKIM_VALID and not DKIM_VALID_AU?
>>
>
> DKIM_VALID simply means the DKIM signature is a correctly signed message.
>
> DKIM_VALID_AU means it was correctly signed by the author's domain. These
> are ones that will work with whitelist_auth entries.

Okay, so all DKIM_VALID_AU messages are also DKIM_VALID, correct? Just
to be clear, this occurs when rsgsv.net signs the message (DKIM_VALID)
and the domain using that server also signs the message
(DKIM_VALID_AU), correct?

>> From
>> bounce-mc.us1_1211649.1262601-kelly.boschen=example....@mail93.suw13.rsgsv.net
>> Sat Jul 29 14:23:05 2017
>> From: =?utf-8?Q?Lifehacker=20Newsletter?= <newslet...@lifehacker.com>
>>
>> What is mail93.suw13.rsgsv.net? Can we be assured that's the host
>> designated to this sender? And of course I'm assuming there's the
>> potential they could reuse that host for another customer at some
>> point in the future. Would whitelist_auth *@mail93.suw13.rsgsv.net
>> whitelist only mail from lifehacker?
>>
>> Or would I have to use whitelist_from_rcvd?
>
> I have this in my platform:
>
> whitelist_from_rcvd *@*.rsgsv.net rsgsv.net
>
> This is related to MailChimp and they are trustworthy senders with valid
> opt-out processing.

This assumes rsgsv.net is also the system relaying their mail, or is
that always the case as the envelope sender?

>> Another example:
>> From deerpark+caf_=44451=example....@gmail.com Sat Jul 29 09:43:33 2017
>> From: "Office Depot" <rewa...@e.officedepot.com>
>>
>> In this case I can't use whitelist_auth *@gmail.com, but using
>> whitelist_from_rcvd and gmail.com is not a good idea either. I'm also
>> curious what Google service Office Depot is using to route their mail?
>> Is it just GMail for Business or something?
>>
>
> This was sent to a gmail.com recipient then forwarded to a domain that you
> filter for. See http://www.openspf.org/SRS

Ah, I see that:

X-Forwarded-To: 44...@example.com
X-Forwarded-For: deerp...@gmail.com 44...@example.com

It was also dkim-signed by gmail. So that means the deerp...@gmail.com
user configured their account to rewrite as the 44...@example.com (our
domain) user, sent through gmail?

>> My third example:
>> From
>> 0101015d8f37100b-117c2da7-b060-4247-a511-6e473d6822c2-000...@us-west-2.amazonses.com
>> Sat Jul 29 12:39:02 2017
>> From: Southwest Airlines <surv...@southwest.magid.com>
>>
>> This also passed DKIM_VALID_AU and SPF_PASS. How do you whitelist mail
>> that is routed through amazon?
>
> If this sender has a valid opt-out I would add:
>
> whitelist_auth *@*.magid.com

But whitelist_auth operates on the envelope sender, not the "From:"
address. Using whitelist_from_rcvd is a problem because I can't
imagine using amazonses.com as the second argument would ever be a
good idea.

>> I realize I could probably get away without whitelisting all of these
>> and never have a problem. These are just examples (and to better
>> understand). I'd also like to be able to increase scores of other
>> rules affecting these emails and not have to worry about them becoming
>> false-positives.
>
> I shortcircuit WHITELIST and BLACKLIST rules so they score very low and high
> respectively.

If the whitelist score is -100, is shortcircuiting really necessary to
ensure it's not tagged by other rules, or is there another reason?
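
Added example (not part of the original thread, and not SpamAssassin's own code): a simplified Python model of the DKIM_VALID / DKIM_VALID_AU distinction discussed above, where a message signed only by its mailing service differs from one that also carries a signature from the From: domain. It assumes signature verification has already been done and is passed in as a set of verified d= domains, and it uses an exact match between the From: domain and d=, which is an assumption of this sketch; the esp.example / brand.example names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def classify(raw, verified_domains):
    """Return the rule names this model would hit for one raw message.

    verified_domains: d= domains whose signatures verified (assumed input;
    no cryptographic check is performed here).
    """
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = set()
    for header in msg.get_all("DKIM-Signature", []):
        domain = dkim_tags(header).get("d", "").lower()
        if domain in verified_domains:
            signers.add(domain)
    hits = []
    if signers:
        hits.append("DKIM_VALID")       # some valid signature exists
    if author and author in signers:
        hits.append("DKIM_VALID_AU")    # a valid signature from the From: domain
    return hits

# Constructed sample messages (not taken from the thread).
ESP_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=k1;\n"
           "\tbh=AAAA=; b=BBBB=\n")
AUTHOR_SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=brand.example; s=k2; bh=AAAA=; b=CCCC=\n"
REST = "From: Brand News <news@brand.example>\nSubject: hi\n\nbody\n"

ESP_ONLY = ESP_SIG + REST                  # signed by the mailing service only
BOTH = AUTHOR_SIG + ESP_SIG + REST         # author domain signed as well

if __name__ == "__main__":
    print(classify(ESP_ONLY, {"esp.example"}))
    print(classify(BOTH, {"esp.example", "brand.example"}))
```

In this model DKIM_VALID_AU can only appear alongside DKIM_VALID, because the author-domain signature is itself one of the valid signatures.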