All of your points are clear, and the explanation is greatly appreciated. I now understand why it may be unwise to generally honor reject DMARC policy if we've overridden spf/dkim policy once we start manipulating results with ASSP. That makes sense.
I still feel like a *blockStrictDKIMRe* type of new feature, where a failed OR missing dkim signature where the message matches the regex would be strictly blocked (just like we can do with blockstrictSPFRe for spf failures) would be helpful. For example (hopefully this is more illustrative of the desire), I want to outright block any message from @*.docusign.net that isn't signed or that has an invalid signature. I don't care if it's from a whitelisted email address, from an IP that's in the SPF record, and with a message body that is 100% great. If there's no DKIM signature or an invalid one for a message that matches the regex, reject the message (just like their DMARC policy says to do). Is there another way with current ASSP features to accomplish this only if a message matches this proposed regex? Ken On Fri, Jun 17, 2022 at 4:35 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote: > >*Would you please consider adding a feature to do the same for a failed > DKIM signature?* > > NO! > > Contrary to SPF, a DKIM signature has only two options : OK and FAIL - > Based on the signature it self or based on a trusted forwarders > authentication result (ARC). > A DKIM signature has to be valid every time for any of the above reasons. > > > I score failed spf and score failed dkim, so DoDMARC is only scoring > even though p=reject. > > What else makes sense? > If SPF is scored and DKIM is scored and DMARC is score - AND the resulting > score does'nt block the mail at the pealtybox, your settings are wrong! > > > >*If DMARC says p=reject, why shouldn't assp outright honor that*, > regardless of if we have spf / dkim failures set to only score? > > SPF has too many options to change/override the original result in assp > (more or less strict, overwrite, skip ....), some these options also exists > for DKIM. > If we ignore/change/override .... sender policies for SPF and DKIM, it is > not wise to honor the reject DMARC policy strictly. > > Thomas > > > > > Von: "K Post" <nntp.p...@gmail.com> > An: "ASSP development mailing list" < > assp-test@lists.sourceforge.net> > Datum: 16.06.2022 19:28 > Betreff: [Assp-test] blockStrictDKIMRe -- also thoughts on DMARC > rejects > ------------------------------ > > > > The ability to block failed SPF, instead of just scoring them, for > delect regex matches has been a terrific feature of ASSP for a long time. > (Block SPF Processing Regex* (blockstrictSPFRe) ) *Would you please > consider adding a feature to do the same for a failed DKIM signature?* > Outright blocking of a matching message that fails DKIM, regardless of the > domain's DMARC settings. -- maybe that's not necessary if DoDMARC will > honor =reject, see more below. > > Reasoning: > I already score failed DKIM signatures, but I can't set that score too > high because so many organizations still send messages through 3rd parties > with invalid DKIM signatures. It really is incredible how many I see. But > for frequently abused sender addresses (docusign for example), who are > often spoofed but send otherwise unspammy content, I want to outright block > if the DKIM signature fails. blockStrictSPFRe usually works because these > bad DKIM sigs are on mails that also violate SPF rules, still though it > would be helpful if I could also just say "if a specific regex is matched > on an email with an invalid DKIM, reject the message" > > RELATED: DMARC p=reject should always reject if failed > Docusign.net has a dmarc rule of p=reject. I want to honor that. The > last scam that came in from them failed SPF and failed DKIM validation, but > the message was from a whitelisted address.. DoDMARC says that the > blocking will be the "most less aggressive" (least aggressive) and the > published DMARC record. I score failed spf and score failed dkim, so > DoDMARC is only scoring even though p=reject. > > Enable DMARC Check (DoDMARC) > If enabled and ValidateSPF and DoDKIM are enabled and the sending domain > has published a DMARC-record/policy, assp will act on the mail according to > the senders DMARC-policy using the results of the SPF and DKIM check and > validating the SPF/DKIM address/domain Identifier Alignment rules (RFC7489 > section 3). It is safe to leave this feature ON, it will not produce false > positives! The blocking mode (block, monitor, score, testmode) is adapted > from the most less aggressive setting of ValidateSPF and DoDKIM - and the > published DMARC record ([p][sp]=[reject][quarantine]). Scoring is done > using dmarcValencePB. > > *If DMARC says p=reject, why shouldn't assp outright honor that*, > regardless of if we have spf / dkim failures set to only score? > > Thanks > Ken > > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test > > > > > DISCLAIMER: > ******************************************************* > This email and any files transmitted with it may be confidential, legally > privileged and protected in law and are intended solely for the use of the > individual to whom it is addressed. > This email was multiple times scanned for viruses. There should be no > known virus in this email! > ******************************************************* > > _______________________________________________ > Assp-test mailing list > Assp-test@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/assp-test >
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
