[opendmarc-users] OpenDMARC as the final authentication service - suggestion

[Bartosz Rudnicki]

After a brief time of using OpenDMARC milter, I came to the conclusion 
that an additional post-processing is needed in order to expand some 
authentication polices.

In most cases, OpenDMARC milter is located after DKIM and SPF 
authentication mechanisms. For this reason earlier authentication 
services are forced to pass every single message to further DMARC 
analysis. This necessity reduces originally functionality of the 
mentioned policy services to purely appending auth-results headers. In 
such scenario, we would expect that OpenDMARC will apply policies also 
for SPF and/or DKIM fails if DMARC record is omitted. Unfortunately, 
currently OpenDMARC does not provide any functionality to handle 
outlined messages. Due to these disadvantages, messages which failed 
e.g. SPF validation (but were passed through OpenDMARC) must be 
additionally filtered at MTA stage or some kind of content filtering. As 
an example may be SpamAssassin content filter, which will marks such 
messages as spam - It is a common solution but it does not allow reject 
such messages at SMTP stage.

As an example I will use Postfix MTA, which due to its architecture 
needs an additional milter application to reject such forged message at 
SMTP stage. This creates the need to install yet another milter 
application only to logical interpretation of auth-results headers and 
raise rejection action if needed. I would like to mention, that it is 
hard to implement that in the Postfix's built-in header checks due to 
simplicity of these functionalities.

In conclusion I would like to suggest a set of new options in OpenDMARC 
implementation, which would add a very comfortable functionality to 
apply policies in case when DMARC record is missing at the SMTP stage.

/DefaultSpfFail /- indicates action when DMARC record is omitted and SPF 
validation returns hard fail

/DefaultSpfSoftFail /- indicates action when DMARC record is omitted and 
SPF validation returns soft fail

/DefaultBadSignature /- indicates action when DMARC record is omitted 
and DKIM signature fails to validate (equal to OpenDKIM /On-BadSignature 
/option)

possible values would be: /accept/, /discard/, /quarantine/, reject or 
/tempfail/

Additionally, very useful option according to DMARC policies would be:

/OnFailure /- indicates action if message fail the DMARC evaluation and 
sender's DMARC policy is set to "reject" ("dmarc=fail" and "p=reject" in 
the DMARC AR header)

/OnQuarantine /- indicates action if message fail the DMARC evaluation 
and sender's DMARC policy is set to "quarantine" ("dmarc=fail" and 
"p=quarantine" in the DMARC AR header)

Possible values for these settings would be the same as those for 
aforementioned options. These two options would make an old 
/RejectFailures /option deprecated.


I would like to ask for your opinion about my suggestions and after 
optional improvements, pass into the hands of developers. Additionally 
you can share yours workarounds about filtering messages with no DMARC 
evaluation available.

Bartosz R

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20161211/45363811/attachment.htm>