Hi,

On Tue, Aug 29, 2017 at 2:24 PM, David Jones <djo...@ena.com> wrote:
> On 08/29/2017 11:27 AM, Alex wrote:
>>
>> Hi, it appears SANS is using amazon to relay some of their mail, but
>> does not sign their messages with DKIM. The mail is sent as part of
>> some corporate training program they're doing, using the domain of the
>> company contracting with them for the training.
>>
>> So the mail is signed with DKIM_VALID and SPF, but not DKIM_VALID_AU,
>> making it difficult to whitelist. It shouldn't need to be whitelisted
>> in the first place, but my users are demanding it be done.
>>
>> More generally, how can I whitelist mail that originates from
>> something like
>> 0101015e15fd907e-7806-4437-936b-47b4bf2a606b-000...@us-west-2.amazonses.com
>> and has no DKIM_VALID_AU, making it impossible to whitelist by From
>> address?
>>
>> My concern is using whitelist_from_rcvd with a generic sender like
>> amazonses doesn't really provide much additional security when it's
>> effectively a freemail relay.
>>
>> Maybe create a unique rule that subtracts points?
>>
>
> From my experience, Amazon's Simple Email Service already has a good
> reputation -- not on major RBLs. I have never had problems with spam from
> Amazon SES and they seem to do a very good job of handling abuse:
>
> https://aws.amazon.com/blogs/ses/tag/abuse-complaint/
>
> This is my definition of a trusted sender that could be safely whitelisted
> with:
>
> whitelist_auth *@amazonses.com
> whitelist_auth *@*.amazonses.com
>
> The SPF_PASS will be enough with the SANS domain to work with the
> whitelist_auth entries above without DKIM_VALID_AU hits.

Okay, awesome. I think I misunderstood the purpose of amazonses, and thought it was more accessible to freemailers and spammers than it actually appears to be. In other words, I thought if someone had an amazonses account, they could spoof a sender, and although as unlikely as it is for someone to know it's whitelisted, the possibility exists.
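
The matching discussed in this thread, as an added example that is not part of either message and is not SpamAssassin's own code: a simplified Python model of how the two `whitelist_auth` entries are evaluated, first against the envelope sender with an SPF pass, then against the From: address with a valid DKIM signature from the author's domain. The `Message` class, the function names and every address are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# The two entries quoted in the thread.
WHITELIST_AUTH = ["*@amazonses.com", "*@*.amazonses.com"]

@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM, the identity SPF authenticates
    header_from: str     # From: header, the identity DKIM_VALID_AU refers to
    spf_pass: bool
    dkim_valid_domains: set = field(default_factory=set)  # d= of verified signatures

def glob_match(pattern, address):
    """Case-insensitive glob match where only '*' and '?' are wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, address, re.IGNORECASE) is not None

def whitelist_auth_hit(msg, patterns=WHITELIST_AUTH):
    """Return 'spf', 'dkim' or None for the first entry that authenticates."""
    author_domain = msg.header_from.rsplit("@", 1)[-1].lower()
    for p in patterns:
        # SPF path: the pattern is compared with the envelope sender.
        if msg.spf_pass and glob_match(p, msg.envelope_from):
            return "spf"
        # DKIM path: the pattern is compared with From:, and a signature
        # from the author's own domain must have verified.
        if glob_match(p, msg.header_from) and author_domain in msg.dkim_valid_domains:
            return "dkim"
    return None

# Constructed samples.
training = Message("bounce-0001@us-west-2.amazonses.com", "training@customer.example",
                   spf_pass=True, dkim_valid_domains={"amazonses.com"})
other_tenant = Message("bounce-0002@us-west-2.amazonses.com", "news@other-tenant.example",
                       spf_pass=True)
unauthenticated = Message("bounce-0003@us-west-2.amazonses.com", "training@customer.example",
                          spf_pass=False)

if __name__ == "__main__":
    for name, m in [("training", training), ("other_tenant", other_tenant),
                    ("unauthenticated", unauthenticated)]:
        print(name, whitelist_auth_hit(m))
```

Because the SPF path keys on the envelope sender, the entries apply to every message relayed through SES that passes SPF, whatever its From: domain.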