On Mon, 26 Nov 2018 20:13:12 -0500 Robert Fitzpatrick wrote:

> I have the following custom rules working pretty well in testing, but
> ran into this message with two "Authentication-Results" headers:
>
> > Authentication-Results: mx3.webtent.org; dmarc=none (p=none
> > dis=none) header.from=email.monoprice.com
> > Authentication-Results: mx3.webtent.org;
> > dkim=fail reason="signature verification failed" (2048-bit
> > key; unprotected) header.d=email.monoprice.com
> > header.i=@email.monoprice.com header.b=JvTxQQIc
>
> This triggers DMARC_FAIL in my custom rules below, but all I want to
> pick up on is 'header.from' failures. What do I need to change the
> regular expression to also pick up on header.from in the header?
> Would I just add '.*header.form' after =fail?
>
> > # DMARC rules
> > header __DMARC_FAIL Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=fail /

dkim=fail doesn't imply the email failed DMARC. Just look for
dmarc=fail. Using header.from is just a roundabout way of eliminating
the unnecessary dkim=fail matches.

> > meta WT_FORGED_SENDER (DMARC_FAIL && !DKIM_VALID)

Valid DKIM doesn't imply an email is not forged, the signature could be
unrelated to the author. If you want a sanity check you can use
DKIM_VALID_AU.

> > header __DMARC_PASS Authentication-Results =~ /webtent.org;
> > (dmarc|dkim)=pass /

Again remove the dkim pass.
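
Added example, not part of the original thread and not SpamAssassin code: a Python sketch that runs the (dmarc|dkim)=fail pattern and a dmarc-only pattern over the two headers quoted above, then derives the DMARC verdict from per-method results stamped by the local authserv-id. It assumes same-named headers are tested as one newline-joined string; the function names and CONSTRUCTED_FAIL sample are made up for illustration.

```python
import re

# The two Authentication-Results values from the message above, unfolded.
PAGE_HEADERS = [
    "mx3.webtent.org; dmarc=none (p=none dis=none) header.from=email.monoprice.com",
    'mx3.webtent.org; dkim=fail reason="signature verification failed" '
    "(2048-bit key; unprotected) header.d=email.monoprice.com "
    "header.i=@email.monoprice.com header.b=JvTxQQIc",
]
# Constructed sample (not from the thread): an actual DMARC failure.
CONSTRUCTED_FAIL = ["mx3.webtent.org; dmarc=fail (p=reject dis=none) header.from=example.com"]

ORIGINAL_RULE = re.compile(r"webtent.org; (dmarc|dkim)=fail ")  # pattern as posted
DMARC_ONLY_RULE = re.compile(r"webtent\.org; dmarc=fail ")      # dkim alternative dropped
QUOTED = re.compile(r'"[^"]*"')      # reason="..." may hide ';' or '='
COMMENT = re.compile(r"\([^()]*\)")  # comments such as "(2048-bit key; unprotected)"
METHOD = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)

def rule_hits(rule, headers):
    # Assumption: all values of the header are matched as one newline-joined string.
    return rule.search("\n".join(headers)) is not None

def method_results(headers, authserv_id):
    """Map method -> set of results, using only headers stamped by authserv_id."""
    results = {}
    for value in headers:
        clean = COMMENT.sub(" ", QUOTED.sub('""', value))
        serv, *resinfos = clean.split(";")
        if serv.lower().split()[:1] != [authserv_id]:
            continue  # not added by our own MTA, so not trusted
        for resinfo in resinfos:
            m = METHOD.match(resinfo)
            if m:
                results.setdefault(m.group(1).lower(), set()).add(m.group(2).lower())
    return results

def dmarc_failed(headers, authserv_id="mx3.webtent.org"):
    # Only the dmarc method decides; a dkim=fail alone is not a DMARC failure.
    return "fail" in method_results(headers, authserv_id).get("dmarc", set())
```

On the quoted headers the posted pattern fires because of the second header's dkim=fail, while the dmarc-only pattern and the parsed verdict both report no DMARC failure.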