[opendmarc-users] Override Quarantine?

Simon Wilson simon at simonandkate.net
Thu Jul 15 17:37:00 PDT 2021 

----- Message from postfix at ptld.com ---------
    Date: Thu, 15 Jul 2021 19:09:58 -0400
    From: postfix at ptld.com
Subject: [opendmarc-users] Override Quarantine?
      To: opendmarc-users at trusteddomain.org


> Is there anyway to override policies and have opendmarc treat a  
> p=quarantine as p=reject?
> Or is my mail hold queue beholden to the whims of someone else?
>
> Thanks.
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users


----- End message from postfix at ptld.com -----

Hi

Taking such a black and white view of processing inbound emails is,  
IMHO, flawed. Your system, your choice and all that, but you **will**  
end up with false positives proceeding down that path. I have lost  
count of the number of valid email systems "out there" sending valid  
emails to my users which fail SPF, DKIM, DMARC. Over many years I have  
somewhat relaxed initial inbound rejects in favour of later more  
subjective and holistic assessments.

If you are trying to run a system which delivers as much real non-spam  
to real users and reject as much actual spam, then your stated  
requirement will not achieve that.

As such my suggestion would be absolutely USE the results of those  
tests, but as contribution to a broader email assessment - such as can  
be done by SpamAssassin. I have local SA rules which apply a  
not-insignificant negative score:

  header LR_DMARC_FAIL_QUARANTINE Authentication-Results =~  
/mail\.simonandkate\.net; dmarc=fail \(p=quarantine/
  describe LR_DMARC_FAIL_QUARANTINE DMARC check failed (p=quarantine)
  score LR_DMARC_FAIL_QUARANTINE 2.0

... which based on the email history for *my* system is just enough to  
trip genuine spam over the threshold where a DMARC quarantine fail is  
a contributing factor.

Note the DMARC RFC:

   If email is subject to the DMARC policy of "quarantine", the Mail
     Receiver SHOULD quarantine the message.

As OpenDMARC aims to follow the RFC (some may question its success in  
always doing so, but that's a bit off-topic!), the choices it gives  
you follows the RFC (shouldn't be a surprise really); so it will  
quarantine or pass p=quarantine emails, dependent on the setting of  
HoldQuarantinedMessages (you *have* read the man pages?).

> Or is my mail hold queue beholden to the whims of someone else?

Of course not. You can reject or throw away any email you want to -  
begs the question why you are running an email system if you don't  
want to receive valid* email though.

*valid = not necessarily technically properly setup, but sent without  
bad intentions to real users and not spam.

However... if you are determined to not receive emails with  
p=quarantine it is a trivial matter to have something like  
SpamAssassin (or I assume rspamd etc, I don't use that) assess the  
OpenDMARC AuthenticationResult header and kill-shot it (either as a  
milter to reject or as part of later processing for internal discard).

Simon.


-- 
Simon Wilson
M: 0400 12 11 16

More information about the opendmarc-users mailing list