<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>After a brief time of using the OpenDMARC milter, I came to the
conclusion that additional post-processing is needed in order
to expand some authentication policies.<br>
</p>
<p>In most cases, the OpenDMARC milter is placed after the DKIM and SPF
authentication mechanisms. For this reason the earlier authentication
services are forced to pass every single message on for DMARC
analysis. This reduces the original functionality of those
policy services to merely appending Authentication-Results
headers. In such a scenario we would expect OpenDMARC to
apply policies also for SPF and/or DKIM failures when the DMARC record
is missing. Unfortunately, OpenDMARC currently does not provide any
functionality to handle such messages. Because of this,
messages which failed e.g. SPF validation (but were
passed through OpenDMARC) must be additionally filtered at the MTA
stage or by some kind of content filtering. One example is the
SpamAssassin content filter, which marks such messages as
spam. It is a common solution, but it does not allow rejecting such
messages at the SMTP stage.</p>
<p>As an example I will use the Postfix MTA, which due to its
architecture needs an additional milter application to reject such
forged messages at the SMTP stage. This creates the need to install yet
another milter application solely for the logical interpretation of
Authentication-Results headers and raising a rejection action when needed. I would
like to mention that it is hard to implement this in
Postfix's built-in header checks because of the simplicity of that
functionality. <br>
</p>
<p>In conclusion I would like to suggest a set of new options for the
OpenDMARC implementation, which would add very convenient
functionality for applying policies at the SMTP stage when the DMARC
record is missing.<br>
</p>
<p><i>DefaultSpfFail </i>- indicates the action when the DMARC record is
omitted and SPF validation returns a hard fail<br>
</p>
<p><i>DefaultSpfSoftFail </i>- indicates the action when the DMARC record
is omitted and SPF validation returns a soft fail</p>
<p><i>DefaultBadSignature </i>- indicates the action when the DMARC record
is omitted and the DKIM signature fails to validate (equivalent to the OpenDKIM
<i>On-BadSignature </i>option)<br>
</p>
<p>Possible values would be: <i>accept</i>, <i>discard</i>, <i>quarantine</i>,
<i>reject</i> or <i>tempfail</i></p>
<p>Additionally, very useful options with respect to DMARC policies
would be:</p>
<p><i>OnFailure </i>- indicates the action if the message fails DMARC
evaluation and the sender's DMARC policy is set to "reject"
("dmarc=fail" and "p=reject" in the DMARC AR header)</p>
<p><i>OnQuarantine </i>- indicates the action if the message fails DMARC
evaluation and the sender's DMARC policy is set to "quarantine"
("dmarc=fail" and "p=quarantine" in the DMARC AR header)</p>
<p>Possible values for these settings would be the same as those for
the aforementioned options. These two options would make the old <i>RejectFailures
</i>option deprecated.</p>
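<p>To make the proposed logic concrete, here is an added example (it is not OpenDMARC code and not part of the original post) of how a milter or policy hook could map an Authentication-Results header onto the suggested options. The option values in <i>POLICY</i>, the option-to-action mapping and the header samples are constructed assumptions; the published DMARC policy is read from the "p=" comment, as described above.</p>

```python
import re

# Proposed OpenDMARC options with example values (constructed assumption).
# Allowed values per the proposal: accept, discard, quarantine, reject, tempfail.
POLICY = {
    "DefaultSpfFail": "reject",
    "DefaultSpfSoftFail": "quarantine",
    "DefaultBadSignature": "quarantine",
    "OnFailure": "reject",
    "OnQuarantine": "quarantine",
}

# Matches "method=result", optionally followed by a "(comment)", inside an
# Authentication-Results header, e.g. "dmarc=fail (p=reject dis=none)".
AR_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)(?:\s*\(([^)]*)\))?")


def parse_auth_results(header):
    """Return {method: (result, comment)}; the first result per method wins."""
    results = {}
    for method, result, comment in AR_RE.findall(header):
        results.setdefault(method, (result.lower(), comment))
    return results


def decide(ar, policy=POLICY):
    """Return (action, option) for parsed auth results, or ("accept", None)
    when none of the proposed options applies."""
    dmarc = ar.get("dmarc")
    if dmarc is not None and dmarc[0] == "fail":
        # The sender published a record and evaluation failed: honour p=.
        m = re.search(r"\bp=(\w+)", dmarc[1])
        published = m.group(1).lower() if m else "none"
        if published == "reject":
            return policy["OnFailure"], "OnFailure"
        if published == "quarantine":
            return policy["OnQuarantine"], "OnQuarantine"
        return "accept", None  # p=none: monitoring only, deliver
    if dmarc is None or dmarc[0] == "none":
        # No DMARC record: fall back to the SPF/DKIM defaults proposed above.
        spf = ar.get("spf", ("", ""))[0]
        dkim = ar.get("dkim", ("", ""))[0]
        if spf == "fail":
            return policy["DefaultSpfFail"], "DefaultSpfFail"
        if spf == "softfail":
            return policy["DefaultSpfSoftFail"], "DefaultSpfSoftFail"
        if dkim == "fail":
            return policy["DefaultBadSignature"], "DefaultBadSignature"
    return "accept", None
```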
<p>I would like to ask for your opinion about my suggestions and,
after any improvements, pass them into the hands of the developers.
Additionally, you can share your workarounds for filtering
messages with no DMARC evaluation available.</p>
<p>Bartosz R<br>
</p>
</body>
</html>