On 11/27/18 7:46 AM, RW wrote: > On Mon, 26 Nov 2018 20:13:12 -0500 > Robert Fitzpatrick wrote: > >> I have the following custom rules working pretty well in testing, but >> ran into this message with two "Authentication-Results" headers: >> >>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none >>> dis=none) header.from=email.monoprice.com >>> Authentication-Results: mx3.webtent.org; >>> dkim=fail reason="signature verification failed" (2048-bit >>> key; unprotected) header.d=email.monoprice.com >>> header.i=@email.monoprice.com header.b=JvTxQQIc >> >> This triggers DMARC_FAIL in my custom rules below, but all I want to >> pick up on is 'header.from' failures. What do I need to change the >> regular expression to also pick up on header.from in the header? >> Would I just add '.*header.form' after =fail? >> >>> # DMARC rules >>> header __DMARC_FAIL Authentication-Results =~ /webtent.org; >>> (dmarc|dkim)=fail / > > > dkim=fail doesn't imply the email failed DMARC. Just look for > dmarc=fail. Using header.from is just a roundabout way of eliminating > the unneccessary dkim=fail matches. > >
Correct. For DMARC to pass _either_ SPF_PASS and aligns with the envelope-from domain _OR_ DKIM_VALID_AU which is a pass and alignment with the From: header domain. If both pass and align then that is even better. Keep it simple. (Adjust the "smtp.ena.net" for your own OpenDMARC AuthservID value.) header DMARC_PASS Authentication-Results =~ /smtp\.ena\.net; dmarc=pass/ describe DMARC_PASS DMARC check passed score DMARC_PASS -0.01 header DMARC_FAIL Authentication-Results =~ /smtp\.ena\.net; dmarc=fail/ describe DMARC_FAIL DMARC check failed score DMARC_FAIL 0.01 header DMARC_NONE Authentication-Results =~ /smtp\.ena\.net; dmarc=none/ describe DMARC_NONE DMARC check neutral score DMARC_NONE 0.01 header __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.ena\.net; dmarc=fail \(p=reject/ meta DMARC_FAIL_REJECT __DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST describe DMARC_FAIL_REJECT DMARC check failed and the sending domains says to reject this message score DMARC_FAIL_REJECT 8.2 Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude certain senders or mailing lists from DMARC checks. -- David Jones