Alex, #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing.
#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted too. But we have it in production and we are working on edge cases from my end. #3 At my work at PCCC, we changed some concepts to install the KAM rules so they are parsed after the stock rules for some of the default DMARC scores to change too. We used a new option for sa-update that Henrik added to do this. I'll ask for some info about it and test that pastebin to see if it fails on our system too. I was also discussing more DMARC/DKIM regression tests are needed. It's too fragile. Regards, KAM -- Kevin A. McGrail Member, Apache Software Foundation Chair Emeritus Apache SpamAssassin Project https://www.linkedin.com/in/kmcgrail - 703.798.0171 On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstud...@gmail.com> wrote: > Hi, I think this is another - this one also includes KAM_DMARC_REJECT > > https://pastebin.com/9g9VrgVK > > * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily > * valid > * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from > author's > * domain > * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature > * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message > * and the domain has a DMARC reject policy > * 1.8 DMARC_REJECT DMARC reject policy > > Can this info even be added to the welcomelist or will that also now fail? > > > > On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstud...@gmail.com> wrote: > >> Hi, is it possible the DMARC_REJECT problem still exists? >> >> https://pastebin.com/DCu9cq4t >> >> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature >> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily >> * valid >> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from >> author's >> * domain >> * 1.8 DMARC_REJECT DMARC reject policy >> >> Authentication-Results: xavier.example.com (amavisd-new); >> dkim=pass (1024-bit key) header.d=hotwire.com >> header.b="NEdhsCdV"; >> dkim=pass (1024-bit key) header.d=amazonses.com >> header.b="UglVB1nr" >> >> $ spamassassin --version >> SpamAssassin version 4.0.0-r1900583 >> running on Perl version 5.34.1 >> >> >> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstud...@gmail.com> wrote: >> >>> Hi, >>> >>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgr...@apache.org> >>> wrote: >>> >>>> I believe this is a bug and fixed in trunk. >>>> >>>> On 5/10/2022 1:55 PM, Bill Cole wrote: >>>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and >>>> also DMARC_REJECT and/or KAM_DMARC_REJECT >>>> >>> >>> >>> This was from svn version 1900493. I've now checked out 1900794, but >>> that somehow appears different from the version SA reports? >>> >>> $ spamassassin --version >>> SpamAssassin version 4.0.0-r1900583 >>> running on Perl version 5.34.1 >>> >>> My firstdata email does appear to now pass DKIM properly, >>> without DMARC_REJECT or KAM_DMARC_REJECT. >>> >>> Any idea under what circumstances the DKIM check fails so I can watch >>> for it? Or can we consider it solved? >>> >>> >>>
