[opendmarc-users] Override Quarantine?

Simon Wilson simon at simonandkate.net
Thu Jul 15 19:27:41 PDT 2021 

----- Message from postfix at ptld.com ---------
    Date: Thu, 15 Jul 2021 21:04:17 -0400
    From: postfix at ptld.com
Subject: Re: [opendmarc-users] Override Quarantine?
      To: opendmarc-users at trusteddomain.org


>> On 07-15-2021 8:37 pm, Simon Wilson wrote:
>> Taking such a black and white view of processing inbound emails is,
>> IMHO, flawed. Your system, your choice and all that, but you **will**
>> end up with false positives proceeding down that path.
>
> What false positive? At this point DMARC has already failed, instead  
> of being rejected its being put into the black hole quarantine. Then  
> what? The user still isn't getting the email. It sits there never to  
> see the light of day until an administrator reviews it to either  
> delete or deliver. Privacy? You think users want me reading their  
> email playing arbitrator? At least with a reject a valid sender gets  
> feedback that the recipient never got the email.
>

You've missed my point... I choose to *accept*, NOT quarantine,  
p=quarantine DMARC fails and tag them accordingly for later  
Spamassassin scoring as part of delivery TO the end user, NOT for  
administrator reading/review. I have my system tuned so spam  
assessments mean valid email generally gets delivered, whether or not  
it has failed DMARC; DMARC in my system is part of an overall  
assessment - it is not a single definitive answer. If a DMARC fail is  
one component in an overall result of an email getting spam-flagged it  
is still delivered to the user - and placed in a spam folder based on  
a score they can choose/change.

>
>> Note the DMARC RFC:
>>  If email is subject to the DMARC policy of "quarantine", the Mail
>>    Receiver SHOULD quarantine the message.
>
> Yes, spam folder isn't quarantine and SHOULD isn't MUST. If one  
> wants to get "technical" opendmarc COULD offer a setting like  
> reject_quarantine=yes without breaking RFC.

Correct - spam folder is a result of 'accept, do not quarantine'
Should =/= must - also correct. Which is why I choose to NOT  
quarantine - I accept. Default mail server behaviour is to accept, not  
reject. Choosing not to follow a

SHOULD "quarantine" means "if you choose not to, fall back to the  
default" - not escalate to a more restrictive behaviour. Not applying  
a SHOULD means removing that action (thus falling to default), not  
replacing it with another (REJECT)... I have no desire to argue  
semantics of logic processing though, good luck with that part.

As to OpenDMARC offering a setting of reject quarantine - you are of  
course able to propose that to the open source project or write a  
patch. That would be assessed by the OpenDMARC community on its merit.

>
> Its ironic to me how everyone is such a stickler for the RFC's yet  
> use RBL's. Aren't people outright rejecting a message that the RFC  
> said you MUST accept or SHOULD have quarantined? There are spammers  
> who follow every RFC rule and their emails pass every test but still  
> get rejected against the RFC, where is the outrage! :)
>

Where does "the RFC" (which one BTW?) say a message MUST be accepted,  
I must have missed that bit.

At the end of the day I want valid email to get delivered to users  
(surely this is your objective also?). I achieve that to a VERY high %  
based on years of work, awesome advice from the same people who have  
been advising you, and a subjective email stack process which  
considers a range of inputs, including SPF, DKIM, DMARC, ARC, RBLs, etc.

>
>> However... if you are determined to not receive emails with
>> p=quarantine it is a trivial matter to have something like
>> SpamAssassin (or I assume rspamd etc, I don't use that) assess the
>> OpenDMARC AuthenticationResult header and kill-shot it (either as a
>> milter to reject or as part of later processing for internal discard).
>
> Yes, however that is still accepting then discarding and not rejecting.

Nope. Re-read what I wrote. If you are determined to *reject* (not  
discard) based on DMARC quarantine you can achieve this with spam  
processing in a milter. In case it was not obvious from the above, I  
don't think you should do this - but it can be done.

> Thank you for giving some other options.

You are most welcome. Like many others, I enjoy discussing this  
subject. A comment though - you may want to possibly temper the way  
you engage with the community. Your comments sometimes come over with  
a frustration which runs the risk of putting people off responding,  
which I don't think is what you are trying to achieve.



-- 
Simon Wilson
M: 0400 12 11 16

More information about the opendmarc-users mailing list