The ability to block failed SPF, instead of just scoring them, for
select regex matches has been a terrific feature of ASSP for a long time.
  (Block SPF Processing Regex* (blockstrictSPFRe) )   *Would you please
consider adding a feature to do the same for a failed DKIM signature?*
Outright blocking of a matching message that fails DKIM, regardless of the
domain's DMARC settings.   -- maybe that's not necessary if DoDMARC will
honor =reject, see more below.

Reasoning:
I already score failed DKIM signatures, but I can't set that score too high
because so many organizations still send messages through 3rd parties with
invalid DKIM signatures.  It really is incredible how many I see.  But for
frequently abused sender addresses (docusign for example), who are often
spoofed but send otherwise unspammy content, I want to outright block if
the DKIM signature fails.  blockStrictSPFRe usually works because these bad
DKIM sigs are on mails that also violate SPF rules, still though it would
be helpful if I could also just say "if a specific regex is matched on an
email with an invalid DKIM, reject the message"

RELATED: DMARC p=reject should always reject if failed
Docusign.net has a dmarc rule of p=reject.  I want to honor that.  The last
scam that came in from them failed SPF and failed DKIM validation, but the
message was from a whitelisted address.  DoDMARC says that the blocking
will be the "most less aggressive" (least aggressive) and the published
DMARC record.  I score failed spf and score failed dkim, so DoDMARC is only
scoring even though p=reject.

Enable DMARC Check (DoDMARC)
If enabled and ValidateSPF and DoDKIM are enabled and the sending domain
has published a DMARC-record/policy, assp will act on the mail according to
the sender's DMARC-policy using the results of the SPF and DKIM check and
validating the SPF/DKIM address/domain Identifier Alignment rules (RFC7489
section 3). It is safe to leave this feature ON; it will not produce false
positives! The blocking mode (block, monitor, score, testmode) is adapted
from the most less aggressive setting of ValidateSPF and DoDKIM - and the
published DMARC record ([p][sp]=[reject][quarantine]). Scoring is done
using dmarcValencePB.


*If DMARC says p=reject, why shouldn't assp outright honor that*,
regardless of if we have spf / dkim failures set to only score?

Thanks
Ken
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
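Added worked example, not code from ASSP or from the post above: a small DMARC evaluator that follows the quoted DoDMARC description (SPF/DKIM results plus RFC 7489 section 3 identifier alignment give a pass/fail, and the action taken is the least aggressive of the configured SPF mode, the configured DKIM mode and the published policy). The mode ordering, the mapping of p=reject/quarantine/none onto modes, the simplified organizational-domain logic and the DMARC TXT strings are assumptions constructed for illustration; docusign.net's real record is not looked up.

```python
"""
Illustrative DMARC evaluation in the style described by the DoDMARC help
text: authentication results + identifier alignment -> DMARC pass/fail,
then the action is the least aggressive of the configured SPF mode, the
configured DKIM mode and the published policy.  Not ASSP's own code; the
mode ranking, the policy-to-mode mapping and the sample records are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed ranking of the modes named in the help text, least to most aggressive.
MODE_RANK = {"testmode": 0, "monitor": 1, "score": 2, "block": 3}

# Assumed mapping of a published DMARC policy onto those modes.
POLICY_AS_MODE = {"none": "monitor", "quarantine": "score", "reject": "block"}


@dataclass
class DmarcRecord:
    domain: str               # domain the record was published for
    p: str                    # policy for the domain itself
    sp: Optional[str] = None  # policy for subdomains; falls back to p
    adkim: str = "r"          # DKIM alignment: r(elaxed) or s(trict)
    aspf: str = "r"           # SPF alignment: r(elaxed) or s(trict)


def parse_dmarc(domain: str, txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s"."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return DmarcRecord(domain=domain.lower(), p=tags["p"], sp=tags.get("sp"),
                       adkim=tags.get("adkim", "r"), aspf=tags.get("aspf", "r"))


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.  A real
    implementation must consult the public suffix list (co.uk and friends)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1: strict needs an exact match, relaxed needs the
    same organizational domain.  No authenticated domain means no alignment."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class DmarcResult:
    result: str             # "pass" or "fail"
    spf_aligned_pass: bool  # SPF passed AND its domain aligns with From
    dkim_aligned_pass: bool # DKIM passed AND d= aligns with From
    policy: str             # p or sp that applies to this From domain


def evaluate_dmarc(from_domain: str, spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str],
                   record: DmarcRecord) -> DmarcResult:
    """DMARC passes if at least one authenticated identifier is aligned."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.adkim)
    if from_domain.lower() == record.domain:
        policy = record.p
    else:
        policy = record.sp or record.p       # subdomain policy, default to p
    return DmarcResult("pass" if (spf_ok or dkim_ok) else "fail", spf_ok, dkim_ok, policy)


def effective_action(result: DmarcResult, spf_mode: str, dkim_mode: str) -> str:
    """Least aggressive of the two configured modes and the published policy,
    as the quoted help text describes.  A DMARC pass is simply accepted."""
    if result.result == "pass":
        return "accept"
    candidates = [spf_mode, dkim_mode, POLICY_AS_MODE[result.policy]]
    return min(candidates, key=lambda m: MODE_RANK[m])


def docusign_scenario():
    """The case from the post: From docusign.net, SPF fail, DKIM fail, with
    failed SPF and failed DKIM configured to score only.  The record text is
    a constructed stand-in with the p=reject the post reports."""
    record = parse_dmarc("docusign.net", "v=DMARC1; p=reject")
    res = evaluate_dmarc("docusign.net", "fail", "docusign.net", "fail", "docusign.net", record)
    return (res.result,
            effective_action(res, "score", "score"),   # what the help text implies
            effective_action(res, "block", "block"))   # only then does p=reject bite


def third_party_scenario():
    """Legitimate mail relayed by a third party whose DKIM signature is broken
    but whose relay is in the sender's SPF: DMARC still passes via aligned SPF,
    which is why a bare DKIM failure cannot be scored highly.  Constructed record."""
    record = parse_dmarc("example.com", "v=DMARC1; p=quarantine; adkim=s")
    res = evaluate_dmarc("news.example.com", "pass", "bounce.example.com",
                         "fail", "example.com", record)
    return res.result, res.spf_aligned_pass, res.dkim_aligned_pass, res.policy
```

`docusign_scenario()` returns `("fail", "score", "block")`: the message fails DMARC, but with both checks set to score the least-aggressive rule yields score despite p=reject, and only with both checks on block does the action become block. `third_party_scenario()` returns `("pass", True, False, "quarantine")`, the forwarding case that keeps the DKIM penalty low.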