Re: Custom DMARC_FAIL rule
On 11/27/18 7:46 AM, RW wrote:
> On Mon, 26 Nov 2018 20:13:12 -0500
> Robert Fitzpatrick wrote:
>
>> I have the following custom rules working pretty well in testing, but
>> ran into this message with two "Authentication-Results" headers:
>>
>>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
>>> dis=none) header.from=email.monoprice.com
>>> Authentication-Results: mx3.webtent.org;
>>> dkim=fail reason="signature verification failed" (2048-bit
>>> key; unprotected) header.d=email.monoprice.com
>>> header.i=@email.monoprice.com header.b=JvTxQQIc
>>
>> This triggers DMARC_FAIL in my custom rules below, but all I want to
>> pick up on is 'header.from' failures. What do I need to change the
>> regular expression to also pick up on header.from in the header?
>> Would I just add '.*header.form' after =fail?
>>
>>> # DMARC rules
>>> header __DMARC_FAIL Authentication-Results =~ /webtent.org;
>>> (dmarc|dkim)=fail /
>
>
> dkim=fail doesn't imply the email failed DMARC. Just look for
> dmarc=fail. Using header.from is just a roundabout way of eliminating
> the unnecessary dkim=fail matches.
>
>

Correct. For DMARC to pass _either_ SPF_PASS and aligns with the
envelope-from domain _OR_ DKIM_VALID_AU which is a pass and alignment
with the From: header domain. If both pass and align then that is even
better.

Keep it simple. (Adjust the "smtp.ena.net" for your own OpenDMARC
AuthservID value.)

header    DMARC_PASS  Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/
describe  DMARC_PASS  DMARC check passed
score     DMARC_PASS  -0.01

header    DMARC_FAIL  Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/
describe  DMARC_FAIL  DMARC check failed
score     DMARC_FAIL  0.01

header    DMARC_NONE  Authentication-Results =~ /smtp\.ena\.net; dmarc=none/
describe  DMARC_NONE  DMARC check neutral
score     DMARC_NONE  0.01

header    __DMARC_FAIL_REJECT  Authentication-Results =~ /smtp\.ena\.net; dmarc=fail \(p=reject/
meta      DMARC_FAIL_REJECT    __DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST
describe  DMARC_FAIL_REJECT    DMARC check failed and the sending domain says to reject this message
score     DMARC_FAIL_REJECT    8.2

Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude
certain senders or mailing lists from DMARC checks.

-- 
David Jones

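
Added example (not part of the original thread or anyone's posted rules): a Python sketch that runs the question's (dmarc|dkim)=fail pattern and a dmarc-only pattern over the two headers quoted above, then parses each header so that only results stamped by the local authserv-id count. FAIL_REJECT, OTHER_HOST, the function names and the simplified comment/quoted-string handling are assumptions constructed for illustration.

```python
import re

# The two headers quoted in the thread, unfolded to one line each.
HEADERS = [
    "mx3.webtent.org; dmarc=none (p=none dis=none) header.from=email.monoprice.com",
    'mx3.webtent.org; dkim=fail reason="signature verification failed" '
    "(2048-bit key; unprotected) header.d=email.monoprice.com "
    "header.i=@email.monoprice.com header.b=JvTxQQIc",
]
# Constructed samples (not from the thread): a policy failure, and a header
# carrying a different authserv-id than the local verifier.
FAIL_REJECT = "mx3.webtent.org; dmarc=fail (p=reject dis=none) header.from=example.com"
OTHER_HOST = "mx.example.net; dmarc=pass header.from=example.com"

ORIGINAL = re.compile(r"webtent.org; (dmarc|dkim)=fail ")   # rule as posted
DMARC_ONLY = re.compile(r"mx3\.webtent\.org; dmarc=fail")   # dmarc-only, dots escaped

QUOTED = re.compile(r'"[^"]*"')        # reason="..." values
COMMENT = re.compile(r"\([^()]*\)")    # (p=none dis=none), (2048-bit key; ...)
RESULT = re.compile(r"(?:^|[;\s])(dmarc|dkim|spf)=(\w+)")

def any_match(pattern, headers):
    """A header rule fires when the pattern matches any instance of the header."""
    return any(pattern.search(h) for h in headers)

def parse(header, authserv_id):
    """Return {method: result} for a header stamped by authserv_id, else {}."""
    ident, _, rest = header.partition(";")
    if ident.strip().lower() != authserv_id:
        return {}
    # Drop quoted strings and comments so text inside them cannot look like a result.
    rest = COMMENT.sub(" ", QUOTED.sub('""', rest))
    return dict(RESULT.findall(rest))

def dmarc_verdict(headers, authserv_id="mx3.webtent.org"):
    """First dmarc= result from the local verifier, or 'absent' if there is none."""
    for h in headers:
        result = parse(h, authserv_id).get("dmarc")
        if result:
            return result
    return "absent"

if __name__ == "__main__":
    print("posted rule fires:", any_match(ORIGINAL, HEADERS))
    print("dmarc-only fires: ", any_match(DMARC_ONLY, HEADERS))
    print("verdict:", dmarc_verdict(HEADERS))
```
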
Re: Custom DMARC_FAIL rule
On Mon, 26 Nov 2018 20:13:12 -0500
Robert Fitzpatrick wrote:

> I have the following custom rules working pretty well in testing, but
> ran into this message with two "Authentication-Results" headers:
>
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc
>
> This triggers DMARC_FAIL in my custom rules below, but all I want to
> pick up on is 'header.from' failures. What do I need to change the
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.form' after =fail?
>
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail /

dkim=fail doesn't imply the email failed DMARC. Just look for
dmarc=fail. Using header.from is just a roundabout way of eliminating
the unnecessary dkim=fail matches.

> > meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)

Valid DKIM doesn't imply an email is not forged, the signature could be
unrelated to the author. If you want a sanity check you can use
DKIM_VALID_AU.

> > header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass /

Again remove the dkim pass.

Custom DMARC_FAIL rule
I have the following custom rules working pretty well in testing, but
ran into this message with two "Authentication-Results" headers:

> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> dis=none) header.from=email.monoprice.com
> Authentication-Results: mx3.webtent.org;
> dkim=fail reason="signature verification failed" (2048-bit
> key; unprotected) header.d=email.monoprice.com
> header.i=@email.monoprice.com header.b=JvTxQQIc

This triggers DMARC_FAIL in my custom rules below, but all I want to
pick up on is 'header.from' failures. What do I need to change the
regular expression to also pick up on header.from in the header?
Would I just add '.*header.form' after =fail?

> # DMARC rules
> header __DMARC_FAIL Authentication-Results =~ /webtent.org; (dmarc|dkim)=fail /
> meta DMARC_FAIL (__DMARC_FAIL && !__DOS_HAS_LIST_ID && !__DOS_HAS_MAILING_LIST)
> describe DMARC_FAIL DMARC or DKIM authentication failed
> score DMARC_FAIL 3.7
>
> meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)
> describe WT_FORGED_SENDER To score high when DMARC fails w/o valid DKIM
> score WT_FORGED_SENDER 8.0
>
> header __DMARC_PASS Authentication-Results =~ /webtent.org; (dmarc|dkim)=pass /
> meta DMARC_PASS (__DMARC_PASS && !DMARC_FAIL)
> describe DMARC_PASS DMARC or DKIM authentication valid
> tflags DMARC_PASS nice
> score DMARC_PASS -1.1
>
> meta DMARC_NONE (!DMARC_PASS && !DMARC_FAIL)
> describe DMARC_NONE No DMARC or DKIM authentication
> score DMARC_NONE 0.001

Any suggestions for setting up DMARC custom rules appreciated.

-- 
Robert