[opendmarc-users] Override Quarantine?
Simon Wilson
simon at simonandkate.net
Thu Jul 15 17:37:00 PDT 2021
----- Message from postfix at ptld.com ---------
Date: Thu, 15 Jul 2021 19:09:58 -0400
From: postfix at ptld.com
Subject: [opendmarc-users] Override Quarantine?
To: opendmarc-users at trusteddomain.org
> Is there any way to override policies and have opendmarc treat a
> p=quarantine as p=reject?
> Or is my mail hold queue beholden to the whims of someone else?
>
> Thanks.
----- End message from postfix at ptld.com -----
Hi
Taking such a black and white view of processing inbound emails is,
IMHO, flawed. Your system, your choice and all that, but you **will**
end up with false positives proceeding down that path. I have lost
count of the number of valid email systems "out there" sending valid
emails to my users which fail SPF, DKIM, DMARC. Over many years I have
somewhat relaxed initial inbound rejects in favour of later more
subjective and holistic assessments.
If you are trying to run a system which delivers as much real non-spam
to real users and reject as much actual spam, then your stated
requirement will not achieve that.
As such my suggestion would be absolutely USE the results of those
tests, but as a contribution to a broader email assessment - such as can
be done by SpamAssassin. I have local SA rules which apply a
not-insignificant negative score:
    header LR_DMARC_FAIL_QUARANTINE Authentication-Results =~ /mail\.simonandkate\.net; dmarc=fail \(p=quarantine/
    describe LR_DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
    score LR_DMARC_FAIL_QUARANTINE 2.0
... which based on the email history for *my* system is just enough to
trip genuine spam over the threshold where a DMARC quarantine fail is
a contributing factor.
Note the DMARC RFC:
    If email is subject to the DMARC policy of "quarantine", the Mail
    Receiver SHOULD quarantine the message.
As OpenDMARC aims to follow the RFC (some may question its success in
always doing so, but that's a bit off-topic!), the choices it gives
you follow the RFC (shouldn't be a surprise really); so it will
quarantine or pass p=quarantine emails, dependent on the setting of
HoldQuarantinedMessages (you *have* read the man pages?).
> Or is my mail hold queue beholden to the whims of someone else?
Of course not. You can reject or throw away any email you want to -
begs the question why you are running an email system if you don't
want to receive valid* email though.
*valid = not necessarily technically properly set up, but sent without
bad intentions to real users and not spam.
However... if you are determined to not receive emails with
p=quarantine it is a trivial matter to have something like
SpamAssassin (or I assume rspamd etc, I don't use that) assess the
OpenDMARC Authentication-Results header and kill-shot it (either as a
milter to reject or as part of later processing for internal discard).
Simon.
--
Simon Wilson
M: 0400 12 11 16
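
Added example, not part of the original message or of OpenDMARC: a Python sketch of the check the SpamAssassin rule above performs, reading dmarc=fail (p=quarantine) only from Authentication-Results headers stamped by your own host and turning it into a score contribution rather than a reject. The hostname mx.example.test, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

TRUSTED_AUTHSERV_ID = "mx.example.test"  # assumption: placeholder for your own MX
QUARANTINE_FAIL_SCORE = 2.0              # same weight as the rule in the post

# Constructed sample: one header from our own filter, one supplied by the sender.
SAMPLE = (
    "Authentication-Results: mx.example.test;"
    " dmarc=fail (p=quarantine dis=none) header.from=sender.example\n"
    "Authentication-Results: forged.example;"
    " dmarc=pass (p=none dis=none) header.from=sender.example\n"
    "From: someone@sender.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

DMARC_RE = re.compile(r"\bdmarc=(\w+)(?:\s*\(([^)]*)\))?", re.IGNORECASE)
POLICY_RE = re.compile(r"\bp=(\w+)", re.IGNORECASE)

def dmarc_verdicts(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return [(result, policy)] from headers stamped by trusted_id only."""
    msg = message_from_string(raw_message, policy=default)
    verdicts = []
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        tokens = authserv.split()  # authserv-id may be followed by a version
        if not tokens or tokens[0].lower() != trusted_id.lower():
            continue  # stamped by another host, possibly forged: ignore it
        found = DMARC_RE.search(rest)
        if found:
            policy = POLICY_RE.search(found.group(2) or "")
            verdicts.append((found.group(1).lower(),
                             policy.group(1).lower() if policy else None))
    return verdicts

def dmarc_score(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Score to add to the overall spam total, not a reject decision."""
    if ("fail", "quarantine") in dmarc_verdicts(raw_message, trusted_id):
        return QUARANTINE_FAIL_SCORE
    return 0.0

if __name__ == "__main__":
    print(dmarc_verdicts(SAMPLE), dmarc_score(SAMPLE))
```

Matching on the authserv-id is what keeps a sender-supplied dmarc=pass header from influencing the score, which is also why the rule in the message anchors on the local hostname.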