Re: Custom DMARC_FAIL rule

Tue, 27 Nov 2018 14:11:22 -0800 

On 11/27/18 7:46 AM, RW wrote:
> On Mon, 26 Nov 2018 20:13:12 -0500
> Robert Fitzpatrick wrote:
> 
>> I have the following custom rules working pretty well in testing, but
>> ran into this message with two "Authentication-Results" headers:
>>
>>> Authentication-Results: mx3.webtent.org; dmarc=none (p=none
>>> dis=none) header.from=email.monoprice.com
>>> Authentication-Results: mx3.webtent.org;
>>>     dkim=fail reason="signature verification failed" (2048-bit
>>> key; unprotected) header.d=email.monoprice.com
>>> header.i=@email.monoprice.com header.b=JvTxQQIc
>>
>> This triggers DMARC_FAIL in my custom rules below, but all I want to
>> pick up on is 'header.from' failures. What do I need to change the
>> regular expression to also pick up on header.from in the header?
>> Would I just add '.*header.form' after =fail?
>>
>>> # DMARC rules
>>> header __DMARC_FAIL Authentication-Results =~ /webtent.org;
>>> (dmarc|dkim)=fail /
> 
> 
> dkim=fail doesn't imply the email failed DMARC. Just look for
> dmarc=fail. Using header.from is just a roundabout way of eliminating
> the unneccessary dkim=fail matches.
> 
> 

Correct.  For DMARC to pass _either_ SPF_PASS and aligns with the 
envelope-from domain _OR_ DKIM_VALID_AU which is a pass and alignment 
with the From: header domain.  If both pass and align then that is even 
better.

Keep it simple.  (Adjust the "smtp.ena.net" for your own OpenDMARC 
AuthservID value.)


header          DMARC_PASS      Authentication-Results =~ /smtp\.ena\.net; 
dmarc=pass/
describe        DMARC_PASS      DMARC check passed
score           DMARC_PASS      -0.01

header          DMARC_FAIL      Authentication-Results =~ /smtp\.ena\.net; 
dmarc=fail/
describe        DMARC_FAIL      DMARC check failed
score           DMARC_FAIL      0.01

header          DMARC_NONE      Authentication-Results =~ /smtp\.ena\.net; 
dmarc=none/
describe        DMARC_NONE      DMARC check neutral
score           DMARC_NONE      0.01

header          __DMARC_FAIL_REJECT     Authentication-Results =~ 
/smtp\.ena\.net; 
dmarc=fail \(p=reject/
meta            DMARC_FAIL_REJECT       __DMARC_FAIL_REJECT && !ENA_TRUSTED_LIST
describe        DMARC_FAIL_REJECT       DMARC check failed and the sending 
domains 
says to reject this message
score           DMARC_FAIL_REJECT       8.2


Adjust the ENA_TRUSTED_LIST above to whatever you want to do to exclude 
certain senders or mailing lists from DMARC checks.

-- 
David Jones

Reply via email to