On 08/29/2017 11:27 AM, Alex wrote:
Hi, it appears SANS is using amazon to relay some of their mail, but
does not sign their messages with DKIM. The mail is sent as part of
some corporate training program they're doing, using the domain of the
company contracting with them for the training.
So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
making it difficult to whitelist. It shouldn't need to be whitelisted
in the first place, but my users are demanding it be done.
More generally, how can I whitelist mail that originates from
something like
0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000...@us-west-2.amazonses.com
and has no DKIM_VALID_AU, making it impossible to whitelist by From
address?
My concern is using whitelist_from_rcvd with a generic sender like
amazonses doesn't really provide much additional security when it's
effectively a freemail relay.
Maybe create a unique rule that subtracts points?
From my experience, Amazon's Simple Email Service already has a good
reputation -- not on major RBLs. I have never had problems with spam
from Amazon SES and they seem to do a very good job of handling abuse:
https://aws.amazon.com/blogs/ses/tag/abuse-complaint/
This is my definition of a trusted sender that could be safely
whitelisted with:
whitelist_auth *@amazonses.com
whitelist_auth *@*.amazonses.com
The SPF_PASS will be enough with the SANS domain to work with the
whitelist_auth entries above without DKIM_VALID_AU hits.
--
David Jones
