> The DMARC standard says that EITHER (only takes one) SPF must pass and
> align with the envelope-from domain OR DKIM must pass and align with the
> From: header domain.

The relevant DNS R allows requiring that both SPF and DKIM pass, which is what
we do in our own setup. When checking for SPAM we apply the same policy to
others, regardless of their DNS.

We are very strict, above and beyond the standards. Our general policy is: 
better safe than sorry.

Sent from ProtonMail Mobile

On Wed, Oct 25, 2017 at 5:30 PM, David Jones <djo...@ena.com> wrote:

> On 10/25/2017 09:39 AM, Rupert Gallagher wrote:
> >
> >> -------- Original Message --------
> >> Subject: Re: Bank fraud phish
> >> Local Time: 25 October 2017 4:18 PM
> >> UTC Time: 25 October 2017 14:18
> >> From: rwmailli...@googlemail.com
> >> To: users@spamassassin.apache.org
> >>
> >> On Wed, 25 Oct 2017 09:16:50 -0400
> >> Rupert Gallagher wrote:
> >>
> >> The e-mail is still flagged as SPAM here.
> >>
> >> *
> >> DMARC fails, because it passes DKIM, but fails SPF.
> >>
> >> This is wrong in every detail.
> >>
> >> It can't fail or pass DMARC because the domain welchtitles.com doesn't
> >> have a DMARC record.
> >>
> >> If it did have a record it would pass DMARC because it doesn't have an
> >> aligned DKIM pass, but does have an aligned SPF pass.
> >
> > We run DMARC compliance tests even if the sending domain does not adopt
> > the standard.
>
> That is not practical across the board and not wise. Spammers can set up
> SPF and DKIM alignment plus a DMARC record to make it perfect. You may
> decide to whitelist_auth trusted good senders or subtract points but you
> can't add points when the opposite is true unless you have manually
> verified the sender is a spammer and created a blacklist_from entry for
> that domain.
>
> The DMARC standard says that EITHER (only takes one) SPF must pass and
> align with the envelope-from domain OR DKIM must pass and align with the
> From: header domain. DMARC doesn't require both to pass and align but
> it's best when it does.
>
> https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/
>
> The only valid way to do DMARC checks with SpamAssassin today is to run
> something like OpenDMARC on your milter and check headers with custom
> local SA rules. That is what I do. As a sender, it takes a lot of work
> to get DMARC passing so you can't assume that every sender is ready for
> DMARC checks and they just forgot to set up their _dmarc TXT record. This
> may work locally in a small environment but it won't scale out with
> larger environments without a lot of false positives.
>
> > Concerning SPF, the domain is *now* listing outlook.com as permitted
> > sender. The original header includes evidence of the change:
> >
> > Received-SPF: None (protection.outlook.com: welchtitles.com does not
> > designate permitted sender hosts)
>
> -- 
> David Jones

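The evaluation rule the thread argues over, written out as an added example (this is not code from the SpamAssassin list, from OpenDMARC, or from either poster): a message passes DMARC when EITHER SPF passes and the envelope-from domain aligns with the From: header domain, OR a DKIM signature passes and its d= domain aligns with From:; with no _dmarc record the result is "none", not pass or fail. The `require_both` switch models the stricter local policy described in the reply and is labelled as not part of RFC 7489. The public-suffix table, the `AuthResults` shape, and the two sample messages are constructed assumptions chosen to mirror the welchtitles.com discussion, not data from the original headers.

```python
"""DMARC evaluation as the thread describes it: a message passes DMARC when
EITHER SPF passes and the envelope-from domain aligns with the From: header
domain, OR a DKIM signature passes and its d= domain aligns with From:.
Added example, not code from the SpamAssassin list, OpenDMARC or any poster;
the public-suffix table and the sample messages below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (assumption: sufficient for
# the sample domains here; a real checker loads the full PSL).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: mail.example.com -> example.com, a.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) accepts the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str | None) -> dict | None:
    """Parse the _dmarc TXT value ('v=DMARC1; p=reject; adkim=s') into a dict.
    Returns None when there is no usable record, which is what makes the DMARC
    result 'none' rather than pass/fail. adkim/aspf default to relaxed."""
    if not txt:
        return None
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


@dataclass
class AuthResults:
    from_domain: str              # RFC5322.From header domain
    spf_result: str               # "pass", "fail", "none", ...
    spf_domain: str               # RFC5321.MailFrom (envelope-from) domain SPF checked
    dkim: list[tuple[str, str]]   # (d= domain, result) for each signature


def evaluate_dmarc(auth: AuthResults, record: dict | None, require_both: bool = False) -> dict:
    """Standard DMARC: pass if SPF OR DKIM is both passing and aligned.
    require_both=True models the local 'both must pass' policy from the thread;
    it is NOT part of RFC 7489 and fails legitimate mail that only one mechanism
    covers (forwarded mail typically loses SPF but keeps DKIM)."""
    if record is None:
        return {"result": "none", "spf_aligned": False, "dkim_aligned": False, "policy": None}
    spf_ok = auth.spf_result == "pass" and aligned(auth.spf_domain, auth.from_domain, record["aspf"])
    dkim_ok = any(res == "pass" and aligned(d, auth.from_domain, record["adkim"]) for d, res in auth.dkim)
    ok = (spf_ok and dkim_ok) if require_both else (spf_ok or dkim_ok)
    return {"result": "pass" if ok else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy": record["p"]}


# Constructed inputs modelled on the thread: From: welchtitles.com, SPF pass on
# the envelope-from, and the only DKIM pass signed by the relay (unaligned).
WELCHTITLES_MSG = AuthResults("welchtitles.com", "pass", "welchtitles.com", [("outlook.com", "pass")])
# Constructed: the case the first poster described (DKIM passes, SPF fails).
DKIM_ONLY_MSG = AuthResults("example.com", "fail", "example.com", [("mail.example.com", "pass")])
HYPOTHETICAL_RECORD = "v=DMARC1; p=quarantine"  # welchtitles.com published none at the time


if __name__ == "__main__":
    print(evaluate_dmarc(WELCHTITLES_MSG, parse_dmarc_record(None)))                 # result: none
    print(evaluate_dmarc(WELCHTITLES_MSG, parse_dmarc_record(HYPOTHETICAL_RECORD)))  # pass via SPF
    print(evaluate_dmarc(DKIM_ONLY_MSG, parse_dmarc_record(HYPOTHETICAL_RECORD)))    # pass via DKIM
    print(evaluate_dmarc(DKIM_ONLY_MSG, parse_dmarc_record(HYPOTHETICAL_RECORD), require_both=True))  # fail
```

Run it with no arguments to see the four cases: the welchtitles.com message is "none" without a record, passes on aligned SPF once a record exists, the DKIM-pass/SPF-fail message still passes under the standard OR rule, and only the non-standard `require_both` policy turns that into a fail. Real deployments take the SPF and DKIM inputs from the milter's Authentication-Results header rather than constructing them.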