> Should all paypal email have a return-path/envelope sender address as > paypal.com (http://paypal.com/)? Yes, unless the message was sent through a forwarder. Then the envelope sender will be generated by the forwarding MTA. Also, remember that PayPal has other domains besides paypal.com (paypal.co.uk, paypal.com.mx, etc...) > DKIM is based on the From address, so if it passes DKIM_VALID_AU, doesn't > that mean the From address (serv...@paypal.com (mailto:serv...@paypal.com)) > is authenticated? Yes > Can I use spamassassin -D on an email I've already received to confirm DKIM > signature? Yes, as long as the sender hasn't changed their selectors/keys in the meantime. -Kent
On Thu, Nov 7, 2024 at 07:56 AM, Alex <mysqlstud...@gmail.com> wrote: > welcomelist_auth *@ paypal.com [2] > blocklist_from *@ paypal.com [2] the dkim is imho 100% invalid, there missing important headers dkim signed, eg message-id, doh, reuse forgin CAUTION: External email from: mysqlstudent@gmail.com Use caution before clicking on links or opening attachments. Protection by MXGuardian (https://mxguardian.net) > welcomelist_auth *@paypal.com (http://paypal.com) [2] > blocklist_from *@paypal.com (http://paypal.com) [2] the dkim is imho 100% invalid, there missing important headers dkim signed, eg message-id, doh, reuse forgin is very simple then Should all paypal email have a return-path/envelope sender address as paypal.com (http://paypal.com)? DKIM is based on the From address, so if it passes DKIM_VALID_AU, doesn't that mean the From address (serv...@paypal.com (mailto:serv...@paypal.com)) is authenticated? Can I use spamassassin -D on an email I've already received to confirm DKIM signature? for spamassassin we could add selector blacklistning to solve thease cases if i get the whole email unedited i can make a yara rule to catch it I will forward it to you separately. I'd be interested in hearing more about blocking based on DKIM selector. Do you have more information on this? I'm aware of yara rules, but can you share more about how you would do this as it applies to SA and how to create the signatures? Is this really any better than reporting to DCC/pyzor/razor and/or clamav or other signature services?
