On 11/15/19 12:35 AM, Kevin A. McGrail wrote:
> The DMARC Reject rule is about whether a domain has failed DKIM and has
> a DMARC reject policy.  I will add descriptions to these rules ASAP.
> Thanks.
> 
> We have encapsulated the rules in a check for DKIM and SPF.
> 
> Best to report issues with KAM.cf as noted in the file :-)  Happy to
> look at samples.  I would imagine you might have something breaking DKIM
> in your environment with FPs as my first guess.  We've had this in
> production and so does another ISP with no other FPs reported.
> 

While I am for this rule helping all SA instances with KAM.cf added, 
it's pretty risky to put this rule in with a default score higher than 
1.0 as there are so many ways that SA can be launched/integrated.

Perhaps it needs to be named KAM_DMARC_REJECT to make it obvious that it 
came from the KAM.cf and have a default score of 0.001?

I have my own rule for DMARC_REJECT that is tied closely to the headers 
added by OpenDMARC which is going to be more reliable / less risky due 
to it being linked to the MTA as a milter.

If SA is being run post MTA (i.e. inside Thunderbird) then any filtering 
can change the content to remove potentially bad attachments, add an 
"EXTERNAL" warning to the Subject or body, etc. which will break DKIM 
signing.

-- 
David Jones
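The approach David describes, a DMARC reject rule keyed to the Authentication-Results header that the MTA-side OpenDMARC milter stamps on the message rather than to SpamAssassin's own DKIM verification, can be sketched as follows. This is an added example, not David's rule, KAM.cf, or OpenDMARC code. It assumes the RFC 8601 Authentication-Results form `authserv-id; dmarc=RESULT (p=POLICY ...) header.from=DOMAIN`; the `(p=reject dis=none)` comment is taken to be how OpenDMARC reports the sender's published policy, and the authserv-id `mx.example.net` and all sample header values are constructed for the demonstration. The check only honours a header whose authserv-id is our own MTA, so a header forged by a sender, or a message scanned somewhere that never passed through that MTA (the post-MTA case raised in the thread), produces no hit:

```python
import re
from typing import List, Optional, Tuple

# Constructed sample Authentication-Results values (assumed OpenDMARC-style comment).
SAMPLE_FAIL_REJECT = "mx.example.net; dmarc=fail (p=reject dis=none) header.from=bank.example"
SAMPLE_FAIL_NONE = "mx.example.net; dmarc=fail (p=none dis=none) header.from=newsletter.example"
SAMPLE_PASS = "mx.example.net; dmarc=pass (p=reject dis=none) header.from=bank.example"
# Same text, but stamped by a host that is not our MTA: must be ignored.
SAMPLE_FORGED = "mx.attacker.example; dmarc=fail (p=reject dis=none) header.from=bank.example"
# Header with the optional authserv-id version number allowed by RFC 8601.
SAMPLE_VERSIONED = "mx.example.net 1; dmarc=fail (p=reject dis=none) header.from=bank.example"

_DMARC_RE = re.compile(r"\bdmarc=(?P<result>[a-z]+)(?:\s*\((?P<comment>[^)]*)\))?", re.I)
_POLICY_RE = re.compile(r"\bp=(?P<policy>none|quarantine|reject)\b", re.I)


def parse_dmarc(header_value: str, trusted_authserv_id: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dmarc_result, published_policy) from one Authentication-Results value.

    Returns None when the header was not written by our own MTA (authserv-id
    mismatch) or carries no dmarc method, so untrusted or absent data never
    counts as a failure.
    """
    authserv_part, sep, rest = header_value.partition(";")
    tokens = authserv_part.split()
    if not sep or not tokens or tokens[0].lower() != trusted_authserv_id.lower():
        return None
    match = _DMARC_RE.search(rest)
    if not match:
        return None
    result = match.group("result").lower()
    policy = None
    comment = match.group("comment")
    if comment:
        pmatch = _POLICY_RE.search(comment)
        if pmatch:
            policy = pmatch.group("policy").lower()
    return result, policy


def dmarc_reject_hits(header_values: List[str], trusted_authserv_id: str) -> bool:
    """True only if our MTA recorded dmarc=fail for a domain publishing p=reject.

    A message may carry several Authentication-Results headers (one per hop);
    only those from the trusted authserv-id are consulted.
    """
    for value in header_values:
        if parse_dmarc(value, trusted_authserv_id) == ("fail", "reject"):
            return True
    return False


if __name__ == "__main__":
    for label, hdr in [("fail/reject", SAMPLE_FAIL_REJECT), ("fail/none", SAMPLE_FAIL_NONE),
                       ("pass", SAMPLE_PASS), ("forged", SAMPLE_FORGED)]:
        print(f"{label:12s} hit={dmarc_reject_hits([hdr], 'mx.example.net')}")
```

Keeping the decision tied to the MTA's own authserv-id is what makes the rule safe to deploy with a meaningful score: in a setup where SpamAssassin runs after content filters or inside a mail client, the header is simply absent and the rule stays silent instead of firing on DKIM breakage.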