J Doe <gene...@nativemethods.com> writes:

> I am currently using SpamAssassin 4.0.0 and I had a question on how I
> can ensure that any e-mail from @gmail.com has a valid SPF and DKIM
> signature.

You should phrase what you want more carefully. What I think you said is:

  I want that if mail comes in with a From: of *@gmail.com and if
  either SPF or DKIM fails, then I want to reject that mail.

Be careful what you wish for. That will cause mailing list mail to be rejected. Probably you should accept if DKIM passes, regardless of SPF. And maybe SPF without DKIM, but I doubt there is much mail like that.

> I am aware that the following can be easily fooled, because it is not
> checking SPF and DKIM:
>
>   welcomelist_from *@gmail.com

Not only that, it says that any such mail is accepted, which is not what you said.

> ... so to ensure valid SPF and DKIM, I believe I would need:
>
>   welcomelist_from_spf *@gmail.com
>   welcomelist_from_dkim *@gmail.com
>
> ... or *two* entries.

That means that anything that passes spf is accepted and anything that passes dkim. But that's not what you said; you said "ensure" which means that you *reject* things that do not have both. And then you still do spam filtering on things that you didn't reject outright.

There is a lot of DKIM-signed SPF-compliant spam from gmail. They let people sign up for accounts, and some of them spam. So "accept all mail from gmail" is not a sensible policy.

Rejecting mail that claims to be from gmail but isn't is more sensible, but you need to understand that many mailing lists (incorrectly) munge mail and cause it to fail DKIM, and of course SPF doesn't match.

What I do is assign a few spam points for gmail and add welcomelist_from_dkim for people I know, or welcomelist_from_rcvd for people on lists from the list sender.
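The policy described in the reply above, sketched as a SpamAssassin `local.cf` fragment. This is an added example, not configuration posted in the thread: the `LOCAL_*` rule names, the scores, the addresses and the relay domain are all hypothetical, and the `LOCAL_GMAIL_NO_AUTHOR_DKIM` rule is an assumption about how to score gmail-claimed mail that lacks a valid author-domain signature.

```conf
# Added example. LOCAL_* rule names, scores, addresses and the relay
# domain are hypothetical; adjust to your own site.

# The entry from the question, left commented out: it accepts on the
# From: header alone, with no authentication check at all.
# welcomelist_from *@gmail.com

# Sub-rule: the author address (From:) is at gmail.com.
header   __LOCAL_FROM_GMAIL  From:addr =~ /\@gmail\.com$/i

# A few points for any gmail-authored mail, since signed and
# SPF-compliant spam from gmail accounts is common.
meta     LOCAL_FROM_GMAIL  __LOCAL_FROM_GMAIL
describe LOCAL_FROM_GMAIL  From: address is at gmail.com
score    LOCAL_FROM_GMAIL  1.0

# Assumption: extra points when the mail claims gmail but carries no
# valid author-domain DKIM signature (stock DKIM_VALID_AU rule).
# List-munged mail hits this too, so it scores rather than rejects.
meta     LOCAL_GMAIL_NO_AUTHOR_DKIM  __LOCAL_FROM_GMAIL && !DKIM_VALID_AU
describe LOCAL_GMAIL_NO_AUTHOR_DKIM  Claims gmail.com, no valid author DKIM
score    LOCAL_GMAIL_NO_AUTHOR_DKIM  2.0

# Known correspondent: welcomelisted only when DKIM verifies.
welcomelist_from_dkim  alice.example@gmail.com

# Known list member whose mail arrives via a list that breaks DKIM:
# welcomelisted only when handed over by the list's relay (rDNS match).
welcomelist_from_rcvd  bob.example@gmail.com  lists.example.org
```

Run `spamassassin --lint` after editing to catch syntax errors before the rules go live.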