On Tue, 29 Aug 2017 12:27:33 -0400 Alex wrote:

> Hi, it appears SANS is using amazon to relay some of their mail, but
> does not sign their messages with DKIM. The mail is sent as part of
> some corporate training program they're doing, using the domain of the
> company contracting with them for the training.
>
> So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
> making it difficult to whitelist. It shouldn't need to be whitelisted
> in the first place, but my users are demanding it be done.
>
> More generally, how can I whitelist mail that originates from
> something like
> 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000...@us-west-2.amazonses.com
> and has no DKIM_VALID_AU, making it impossible to whitelist by From
> address?
>
The definition is:

    whitelist_from_dkim aut...@example.com [signing-domain]

so you can create a dkim-based whitelisting entry.

> My concern is using whitelist_from_rcvd with a generic sender like
> amazonses doesn't really provide much additional security when it's
> effectively a freemail relay.

It's probably the same for dkim - possibly amazon has something in place to prevent one customer spoofing another, I don't know. You might want to use def_whitelist_from_dkim instead.
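
The two directives named in the reply above, written out as a SpamAssassin configuration fragment. This is an added example, not part of the original message; `customer.example` is a constructed placeholder, and `amazonses.com` as the signing domain is an assumption to be checked against the `d=` tag of a real message.

```conf
# Added example for local.cf; addresses and domains are constructed placeholders.
# Requires the DKIM plugin (normally enabled in the stock .pre files):
#   loadplugin Mail::SpamAssassin::Plugin::DKIM

# Option 1: full-strength entry with a third-party signature.
# Matches only when the From: address fits the glob AND the message
# carries a valid DKIM signature with d=amazonses.com (assumed signing
# domain; confirm it in the DKIM-Signature header of a real message).
# whitelist_from_dkim      *@customer.example  amazonses.com

# Option 2: same match condition, but on the lower-weight "default"
# whitelist, so other rules can still outweigh it. This suits a shared
# relay whose signature may not distinguish one customer from another.
def_whitelist_from_dkim    *@customer.example  amazonses.com

# Not equivalent: with the signing domain omitted, only an author-domain
# signature is accepted (the DKIM_VALID_AU case), which this mail lacks.
# whitelist_from_dkim      *@customer.example
```

Run `spamassassin --lint` after editing to confirm the configuration parses.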