[opendmarc-users] OpenDMARC as the final authentication service - suggestion
Bartosz Rudnicki
bartek at rudnicki.szczecin.pl
Sun Dec 11 04:46:48 PST 2016
After a brief time of using the OpenDMARC milter, I came to the conclusion
that additional post-processing is needed in order to expand some
authentication policies.
In most cases, the OpenDMARC milter is located after the DKIM and SPF
authentication mechanisms. For this reason the earlier authentication
services are forced to pass every single message on to further DMARC
analysis. This necessity reduces the original functionality of the
mentioned policy services to purely appending auth-results headers. In
such a scenario, we would expect that OpenDMARC would also apply policies
for SPF and/or DKIM failures if the DMARC record is missing. Unfortunately,
OpenDMARC currently does not provide any functionality to handle the
outlined messages. Due to these disadvantages, messages which failed
e.g. SPF validation (but were passed through OpenDMARC) must be
additionally filtered at the MTA stage or by some kind of content filtering.
An example is the SpamAssassin content filter, which will mark such
messages as spam. It is a common solution, but it does not allow rejecting
such messages at the SMTP stage.
As an example I will use the Postfix MTA, which due to its architecture
needs an additional milter application to reject such forged messages at
the SMTP stage. This creates the need to install yet another milter
application only for the logical interpretation of auth-results headers
and to raise a rejection action if needed. I would like to mention that it
is hard to implement this in Postfix's built-in header checks due to the
simplicity of that functionality.
In conclusion I would like to suggest a set of new options in the OpenDMARC
implementation, which would add a very comfortable functionality to
apply policies at the SMTP stage when the DMARC record is missing.
DefaultSpfFail - indicates the action when the DMARC record is missing and SPF
validation returns a hard fail
DefaultSpfSoftFail - indicates the action when the DMARC record is missing and
SPF validation returns a soft fail
DefaultBadSignature - indicates the action when the DMARC record is missing
and the DKIM signature fails to validate (equal to the OpenDKIM On-BadSignature
option)
Possible values would be: accept, discard, quarantine, reject or
tempfail
Additionally, very useful options regarding DMARC policies would be:
OnFailure - indicates the action if the message fails the DMARC evaluation and
the sender's DMARC policy is set to "reject" ("dmarc=fail" and "p=reject" in
the DMARC AR header)
OnQuarantine - indicates the action if the message fails the DMARC evaluation
and the sender's DMARC policy is set to "quarantine" ("dmarc=fail" and
"p=quarantine" in the DMARC AR header)
Possible values for these settings would be the same as those for the
aforementioned options. These two options would make the old
RejectFailures option deprecated.
I would like to ask for your opinion about my suggestions and, after
optional improvements, pass them into the hands of the developers. Additionally,
you can share your workarounds for filtering messages with no DMARC
evaluation available.
Bartosz R
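The following is an added example illustrating the decision logic the post proposes; it is not code from OpenDMARC, OpenDKIM or the poster. It parses Authentication-Results header values in the RFC 8601 shape, keeps only headers carrying a trusted authserv-id (RFC 8601 section 7.1: a sender can inject forged Authentication-Results headers, so untrusted ones must be ignored), and then maps the proposed options (DefaultSpfFail, DefaultSpfSoftFail, DefaultBadSignature, OnFailure, OnQuarantine) to an action. Assumptions made here: "dmarc=none" means no DMARC record was found (the meaning RFC 7489 registers for that result), a missing dmarc clause is treated the same way, and when several "Default*" options fire at once the most severe action wins under an ordering (accept < quarantine < tempfail < discard < reject) chosen for this example. The configuration values, header samples and authserv-ids are constructed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Severity order used to combine several triggered options (assumed for this example).
ACTIONS = ("accept", "quarantine", "tempfail", "discard", "reject")

# Constructed configuration using the option names proposed in the post.
CONFIG = {
    "DefaultSpfFail": "reject",
    "DefaultSpfSoftFail": "quarantine",
    "DefaultBadSignature": "quarantine",
    "OnFailure": "reject",
    "OnQuarantine": "quarantine",
}

# authserv-ids whose Authentication-Results we wrote ourselves (constructed).
TRUSTED = {"mx.example.net"}

# method=result optionally followed by a (comment). The lookbehind keeps
# property names such as "smtp.mailfrom=" or "header.from=" from matching.
_METHOD_RE = re.compile(r"(?<![\w.])([a-z][a-z0-9-]*)=([a-z0-9]+)\s*(?:\(([^)]*)\))?")


def parse_auth_results(header: str) -> Tuple[str, Dict[str, Tuple[str, str]]]:
    """Parse one Authentication-Results value: 'authserv-id; method=result ...'.

    Returns (authserv-id, {method: (result, comment)}); the first clause seen
    for a method wins."""
    authserv, _, rest = header.lower().partition(";")
    authserv_id = authserv.split()[0] if authserv.strip() else ""  # drop version
    methods: Dict[str, Tuple[str, str]] = {}
    for method, result, comment in _METHOD_RE.findall(rest):
        methods.setdefault(method, (result, comment or ""))
    return authserv_id, methods


def collect_results(headers: List[str], trusted: Set[str]) -> Dict[str, Tuple[str, str]]:
    """Merge results across headers, ignoring any whose authserv-id we do not
    trust. Headers are given outermost first, so the most recently added
    result for a method wins."""
    merged: Dict[str, Tuple[str, str]] = {}
    for value in headers:
        authserv_id, methods = parse_auth_results(value)
        if authserv_id not in trusted:
            continue  # possibly injected by the sender; do not act on it
        for method, result in methods.items():
            merged.setdefault(method, result)
    return merged


def dmarc_policy(comment: str) -> Optional[str]:
    """Extract the published policy (p=...) from the dmarc clause comment."""
    match = re.search(r"\bp=([a-z]+)", comment)
    return match.group(1) if match else None


def decide(config: Dict[str, str], results: Dict[str, Tuple[str, str]]) -> str:
    """Apply the proposed options to merged authentication results."""
    for option, action in config.items():
        if action not in ACTIONS:
            raise ValueError(f"{option}: unknown action {action!r}")

    dmarc_result, dmarc_comment = results.get("dmarc", ("none", ""))
    if dmarc_result == "fail":
        policy = dmarc_policy(dmarc_comment)
        if policy == "reject":
            return config["OnFailure"]
        if policy == "quarantine":
            return config["OnQuarantine"]
        return "accept"  # p=none: monitoring only
    if dmarc_result == "none":  # no DMARC record: fall back to SPF/DKIM outcomes
        spf = results.get("spf", ("none", ""))[0]
        dkim = results.get("dkim", ("none", ""))[0]
        triggered = []
        if spf == "fail":
            triggered.append(config["DefaultSpfFail"])
        elif spf == "softfail":
            triggered.append(config["DefaultSpfSoftFail"])
        if dkim == "fail":
            triggered.append(config["DefaultBadSignature"])
        if triggered:
            return max(triggered, key=ACTIONS.index)
    return "accept"  # pass, temperror, permerror: left to OpenDMARC's own handling


# Constructed sample: the sender's domain has no DMARC record, SPF hard-fails,
# the DKIM signature is bad, and a forged header with a foreign authserv-id
# claims spf=pass. Expected decision: "reject".
SAMPLE_HEADERS = [
    "mx.example.net; dmarc=none header.from=example.org",
    "mx.example.net; dkim=fail (signature verification failed) header.d=example.org",
    "mx.example.net; spf=fail smtp.mailfrom=example.org",
    "evil.example.com; spf=pass smtp.mailfrom=example.org",
]

if __name__ == "__main__":
    print(decide(CONFIG, collect_results(SAMPLE_HEADERS, TRUSTED)))
```

The trusted-authserv-id filter is the part worth keeping even if the rest changes: any milter or content filter that acts on Authentication-Results headers must first drop headers it did not write itself, otherwise a sender can mint a "spf=pass dkim=pass" header and walk past the policy.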