[opendmarc-users] Override Quarantine?
Simon Wilson
simon at simonandkate.net
Thu Jul 15 19:27:41 PDT 2021
----- Message from postfix at ptld.com ---------
Date: Thu, 15 Jul 2021 21:04:17 -0400
From: postfix at ptld.com
Subject: Re: [opendmarc-users] Override Quarantine?
To: opendmarc-users at trusteddomain.org
>> On 07-15-2021 8:37 pm, Simon Wilson wrote:
>> Taking such a black and white view of processing inbound emails is,
>> IMHO, flawed. Your system, your choice and all that, but you **will**
>> end up with false positives proceeding down that path.
>
> What false positive? At this point DMARC has already failed, instead
> of being rejected it's being put into the black hole quarantine. Then
> what? The user still isn't getting the email. It sits there never to
> see the light of day until an administrator reviews it to either
> delete or deliver. Privacy? You think users want me reading their
> email playing arbitrator? At least with a reject a valid sender gets
> feedback that the recipient never got the email.
>
You've missed my point... I choose to *accept*, NOT quarantine,
p=quarantine DMARC fails and tag them accordingly for later
Spamassassin scoring as part of delivery TO the end user, NOT for
administrator reading/review. I have my system tuned so spam
assessments mean valid email generally gets delivered, whether or not
it has failed DMARC; DMARC in my system is part of an overall
assessment - it is not a single definitive answer. If a DMARC fail is
one component in an overall result of an email getting spam-flagged it
is still delivered to the user - and placed in a spam folder based on
a score they can choose/change.
>
>> Note the DMARC RFC:
>> If email is subject to the DMARC policy of "quarantine", the Mail
>> Receiver SHOULD quarantine the message.
>
> Yes, spam folder isn't quarantine and SHOULD isn't MUST. If one
> wants to get "technical" opendmarc COULD offer a setting like
> reject_quarantine=yes without breaking RFC.
Correct - spam folder is a result of 'accept, do not quarantine'.
Should =/= must - also correct. Which is why I choose to NOT
quarantine - I accept. Default mail server behaviour is to accept, not
reject. Choosing not to follow a
SHOULD "quarantine" means "if you choose not to, fall back to the
default" - not escalate to a more restrictive behaviour. Not applying
a SHOULD means removing that action (thus falling to default), not
replacing it with another (REJECT)... I have no desire to argue
semantics of logic processing though, good luck with that part.
As to OpenDMARC offering a setting of reject quarantine - you are of
course able to propose that to the open source project or write a
patch. That would be assessed by the OpenDMARC community on its merit.
>
> It's ironic to me how everyone is such a stickler for the RFCs yet
> use RBLs. Aren't people outright rejecting a message that the RFC
> said you MUST accept or SHOULD have quarantined? There are spammers
> who follow every RFC rule and their emails pass every test but still
> get rejected against the RFC, where is the outrage! :)
>
Where does "the RFC" (which one BTW?) say a message MUST be accepted,
I must have missed that bit.
At the end of the day I want valid email to get delivered to users
(surely this is your objective also?). I achieve that to a VERY high %
based on years of work, awesome advice from the same people who have
been advising you, and a subjective email stack process which
considers a range of inputs, including SPF, DKIM, DMARC, ARC, RBLs, etc.
>
>> However... if you are determined to not receive emails with
>> p=quarantine it is a trivial matter to have something like
>> SpamAssassin (or I assume rspamd etc, I don't use that) assess the
>> OpenDMARC AuthenticationResult header and kill-shot it (either as a
>> milter to reject or as part of later processing for internal discard).
>
> Yes, however that is still accepting then discarding and not rejecting.
Nope. Re-read what I wrote. If you are determined to *reject* (not
discard) based on DMARC quarantine you can achieve this with spam
processing in a milter. In case it was not obvious from the above, I
don't think you should do this - but it can be done.
> Thank you for giving some other options.
You are most welcome. Like many others, I enjoy discussing this
subject. A comment though - you may want to possibly temper the way
you engage with the community. Your comments sometimes come over with
a frustration which runs the risk of putting people off responding,
which I don't think is what you are trying to achieve.
--
Simon Wilson
M: 0400 12 11 16
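The two handling strategies debated in this message, as an added illustration that is not code from the thread or from OpenDMARC: parse the dmarc= clause OpenDMARC writes into Authentication-Results, then either treat a fail as one input to a spam score (accept and tag) or, under an assumed reject_quarantine setting, reject at the milter. The sample headers, host names and score values are constructed assumptions.

```python
import re

# Constructed sample headers in the form OpenDMARC writes its result
# (dmarc=, p=, dis=, header.from= are OpenDMARC's field names; the
# host names and domains here are made up).
SAMPLES = {
    "fail_quarantine": "Authentication-Results: mx.example.net; "
                       "dmarc=fail (p=quarantine dis=none) header.from=example.org",
    "pass_reject": "Authentication-Results: mx.example.net; "
                   "dmarc=pass (p=reject dis=none) header.from=example.com",
    "no_dmarc": "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com",
}

# dmarc=<result> (p=<policy> dis=<disposition>) header.from=<domain>
DMARC_RE = re.compile(
    r"\bdmarc=(?P<result>\w+)\s*\(p=(?P<policy>\w+)(?:\s+dis=(?P<dis>\w+))?\)"
    r"(?:\s+header\.from=(?P<domain>[\w.-]+))?")

def parse_dmarc(header):
    """Return the DMARC clause of an Authentication-Results header, or None."""
    m = DMARC_RE.search(header)
    if not m:
        return None
    return {k: m.group(k) for k in ("result", "policy", "dis", "domain")}

def dmarc_score(info):
    """'Accept and tag': a DMARC fail adds to a spam score according to the
    sender's published policy; the verdict is left to the overall score and
    the user's threshold, never to DMARC alone. Score values are assumptions,
    not SpamAssassin defaults."""
    if info is None or info["result"] != "fail":
        return 0.0
    return {"none": 0.5, "quarantine": 3.0, "reject": 5.0}.get(info["policy"], 1.0)

def milter_verdict(info, reject_quarantine=False):
    """The strict alternative: reject at SMTP time when DMARC fails under
    p=quarantine. The default, as for any mail server, stays 'accept'."""
    if reject_quarantine and info and info["result"] == "fail" \
            and info["policy"] == "quarantine":
        return "reject"
    return "accept"

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        info = parse_dmarc(hdr)
        print(name, info, dmarc_score(info), milter_verdict(info, reject_quarantine=True))
```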