On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
-------- Original Message --------
Subject: Re: Bank fraud phish
Local Time: 25 October 2017 4:18 PM
UTC Time: 25 October 2017 14:18
From: rwmailli...@googlemail.com
To: users@spamassassin.apache.org
On Wed, 25 Oct 2017 09:16:50 -0400
Rupert Gallagher wrote:
The e-mail is still flagged as SPAM here.
DMARC fails, because it passes DKIM, but fails SPF.
This is wrong in every detail.
It can't fail or pass DMARC because the domain welchtitles.com doesn't
have a DMARC record.
If it did have a record it would pass DMARC because it doesn't have an
aligned DKIM pass, but does have an aligned SPF pass.
We run DMARC compliance tests even if the sending domain does not adopt
the standard.
That is not practical across the board and not wise. Spammers can set up
SPF and DKIM alignment plus a DMARC record to make it perfect. You may
decide to whitelist_auth trusted good senders or subtract points but you
can't add points when the opposite is true unless you have manually
verified the sender is a spammer and created a blacklist_from entry for
that domain.
The DMARC standard says that EITHER (only takes one) SPF must pass and
align with the envelope-from domain OR DKIM must pass and align with the
From: header domain. DMARC doesn't require both to pass and align
but it's best when it does.
https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
The only valid way to do DMARC checks with SpamAssassin today is to run
something like OpenDMARC on your milter and check headers with custom
local SA rules. That is what I do.
As a sender, it takes a lot of work to get DMARC passing so you can't
assume that every sender is ready for DMARC checks and they just
forgot to set up their _dmarc TXT record. This may work locally in a
small environment but it won't scale out with larger environments
without a lot of false positives.
Concerning SPF, the domain is *now* listing outlook.com as permitted
sender. The original header includes evidence of the change:
> Received-SPF: None (protection.outlook.com: welchtitles.com does not
> designate permitted sender hosts)
--
David Jones
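
Added example (not part of the original messages, and not SpamAssassin or OpenDMARC code): the evaluation argued over in this thread, written as a small Python function following RFC 7489, where an SPF or DKIM pass counts only if its domain aligns with the From: header domain, and a domain with no DMARC record yields "none" rather than pass or fail. The two-label organizational-domain shortcut, the `tenant.example` signing domain and the sample records are assumptions made for illustration.

```python
# Added example: DMARC result from SPF/DKIM outcomes, per RFC 7489 alignment.

def org_domain(domain):
    # Assumption for brevity: organizational domain = last two labels.
    # A production evaluator derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, record, spf, dkim_sigs):
    """from_domain: domain in the From: header.
    record: dict of tags from the _dmarc TXT record, or None if none exists.
    spf: (result, envelope-from domain). dkim_sigs: [(result, d= domain), ...]."""
    if record is None:
        return "none"  # no policy published: neither a pass nor a fail
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, record.get("aspf") == "s")
    dkim_ok = any(
        res == "pass" and aligned(d, from_domain, record.get("adkim") == "s")
        for res, d in dkim_sigs)
    return "pass" if spf_ok or dkim_ok else "fail"

# Constructed inputs modelled on the thread: aligned SPF pass, unaligned DKIM pass.
FROM = "welchtitles.com"
SPF = ("pass", "welchtitles.com")
DKIM = [("pass", "tenant.example")]   # constructed d= domain
RECORD = {"p": "none"}                # hypothetical record, not a published one

def demo():
    return {
        # No _dmarc TXT record: nothing to pass or fail.
        "no_record": dmarc_result(FROM, None, SPF, DKIM),
        # Record present: one aligned pass (SPF) is enough.
        "with_record": dmarc_result(FROM, RECORD, SPF, DKIM),
        # SPF "none" as in the quoted Received-SPF header, DKIM unaligned.
        "spf_none": dmarc_result(FROM, RECORD, ("none", FROM), DKIM),
        # Strict SPF alignment rejects a subdomain; relaxed accepts it.
        "strict_sub": dmarc_result(FROM, {"p": "reject", "aspf": "s"},
                                   ("pass", "mail.welchtitles.com"), DKIM),
        "relaxed_sub": dmarc_result(FROM, {"p": "reject"},
                                    ("pass", "mail.welchtitles.com"), DKIM),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```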