On Apr 30, 2014, at 5:05 AM, Christian Laußat <us...@spamassassin.shambhu.info> wrote:
> On 30.04.2014 12:34, Michael Storz wrote:
>> On 2014-04-30 11:00, Axb wrote:
>>> On 04/30/2014 10:30 AM, Michael Storz wrote:
>>> and in the meantime may want to look at
>>> http://sourceforge.net/projects/opendmarc/
>> OpenDMARC is ok for the original goal of DMARC, protecting
>> transactional email, but not for email from normal ISPs like AOL and
>> Yahoo. SA is at the moment the better and in my eyes the only
>> feasible solution.
>
> OpenDMARC also works well as a classifier in front of SA. The default config
> doesn't reject mails, it only adds an Authentication-Results header which you
> can use in SA:
>
> header DMARC_PASS Authentication-Results =~ /YourAuthserverID; dmarc=pass /
> describe DMARC_PASS DMARC validation seems valid
> tflags DMARC_PASS nice
> score DMARC_PASS -1.1
>
> header DMARC_FAIL Authentication-Results =~ /YourAuthserverID; dmarc=fail /
> describe DMARC_FAIL DMARC validation failed
> score DMARC_FAIL 3.7
>

I kind of like this idea, because many domains publish a monitoring policy. So OpenDMARC may fail the message but still accept it…

Anyhow, there are some missing rules in SpamAssassin to move to better domain responsibility:

- From: header is present and there is only one header
- extract all domains in envelope-from, from, rcpt-to, sender and make sure they do exist and have either MX, A or AAAA record.
- extract all the above domains and domains from helo and dkim d= and ensure they are not in Spamhaus DBL, SURBL or URIBL
- ...
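Added example, not part of the original message or of SpamAssassin/OpenDMARC: a Python sketch of the two header checks discussed above, reading the dmarc= result only from the Authentication-Results header stamped by your own authserv-id (the YourAuthserverID of the quoted rules) and testing that exactly one From: header is present. The authserv-id mx.example.net, the function names and the sample message are assumptions constructed for illustration; comments in parentheses inside the header are not handled.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.example.net"  # assumption: stands in for YourAuthserverID

# Constructed sample: the second Authentication-Results header was supplied by
# the sender and must not be trusted, because it carries a foreign authserv-id.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=none; dmarc=fail header.from=yahoo.com
Authentication-Results: evil.example.org; dmarc=pass header.from=yahoo.com
From: Alice <alice@yahoo.com>
To: list@example.net
Subject: constructed test message

body
"""

def dmarc_result(msg, authserv_id=AUTHSERV_ID):
    """Return the dmarc= result from headers added by our own filter only."""
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        ident = parts[0].split()
        if not ident or ident[0].lower() != authserv_id.lower():
            continue  # stamped by someone else: untrusted, possibly forged
        for part in parts[1:]:
            m = re.match(r"dmarc\s*=\s*([a-z]+)", part, re.I)
            if m:
                return m.group(1).lower()
    return None

def from_domain(msg):
    """Domain of the From: address, or None unless exactly one From: header exists."""
    froms = msg.get_all("From", [])
    if len(froms) != 1:
        return None
    return parseaddr(froms[0])[1].rpartition("@")[2].lower() or None

def classify(raw):
    msg = message_from_string(raw)
    return {"dmarc": dmarc_result(msg), "from_domain": from_domain(msg)}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The returned from_domain is the value that the DNS and blocklist lookups from the list above would then be run against; those lookups are left out so the example runs offline.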