-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Sun, 2019-06-02 at 20:12 +0000, Benjamin BILLON via mailop wrote: > If those emails seem to be sent from botnets, I believe they're not > sent from QQ.com. They have a SPF -all policy, a p=none DMARC policy, > and I can't check if they have DKIM but it's quite possible.
We get a little legit email from qq.com, but it is all DKIM signed. We don't directly check dmarc policy records, but the milter(1) here has the ability to essentially enforce a dmarc-like requirement. The end result is that we reject any mail claiming to be from qq.com that is not signed by qq.com, essentially changing their p=none to p=reject. (1) https://www.five-ten-sg.com/dnsbl/ We can (manually) compensate for errors in dmarc records. For example, booking.com has a p=reject, but we see mail "From:.*@booking.com" dkim signed by sg.booking.com. Strict dmarc would reject that. We enforce a requirement that mail from booking.com be signed by either booking.com or sg.booking.com. There are other domains with similar errors. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (GNU/Linux) iEYEAREKAAYFAlz1oTkACgkQL6j7milTFsEdEgCbBIJGU31kAaHGJ+lQGuf0pXFN ZRYAn3YpgZgXCyRCu/09Hw/IUSMWFJNs =upff -----END PGP SIGNATURE----- _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop