Hi,

All the way back in 2016, RW posted these rules on pastebin for DMARC, before it was part of SA proper: https://pastebin.com/gr41CvCc
Is this effectively what's been implemented in functions in the latest SA? The scores from the above are a lot more aggressive than what's currently in SA 50_rules - if DMARC fails and it instructs to quarantine, isn't that what it should do, and not just add on a few points?

score DMARC_REJECT 0.001 1.797 0.001 1.797 # n=0 n=2
score DMARC_QUAR 0.001 1.198 0.001 1.198 # n=0 n=2
score DMARC_NONE 0.001 0.898 0.001 0.898 # n=0 n=2

This became an issue for me when I received an email from ny.frb.org. Because the email hit BAYES_00, the DMARC rule only added 0.1 points. It also appeared that the email passed SPF, so I'm really not sure how it even failed DMARC.

X-Envelope-From: <frb.advicemail...@ny.frb.org>>
...
X-Spam-Status: Yes, score=8.613 tag=-200 tag2=5 kill=5 tests=[BAYES_00=-1.9,
    DMARC_FAIL_REJECT=5.5, DMARC_REJECT=0.1, DMARC_REJ_NO_DKIM=1,
    FORGED_SPF_HELO=1, KAM_DMARC_REJECT=1, KAM_DMARC_STATUS=0.01,
    KAM_LAZY_DOMAIN_SECURITY=1, RELAYCOUNTRY_US=0.01, SPF_HELO_PASS=-0.001,
    TXREP=0.874, T_DMARC_POLICY_REJECT=0.01, T_DMARC_TESTS_FAIL=0.01]
    autolearn=disabled
X-Spam-Report:
    * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
    * 0.0 T_DMARC_POLICY_REJECT No description available.
    * 1.0 DMARC_REJ_NO_DKIM MARC policy is reject without any DKIM signatures
    * 0.0 KAM_DMARC_STATUS Test Rule for DKIM or SPF Failure with Strict
    *      Alignment
    * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
    *      [score: 0.0000]
    * 0.0 RELAYCOUNTRY_US Relayed through United States
    * 1.0 KAM_LAZY_DOMAIN_SECURITY Sending domain does not have any
    *      anti-forgery methods
    * 1.0 FORGED_SPF_HELO No description available.
    * 5.5 DMARC_FAIL_REJECT DMARC validation failed and policy is to reject
    * 0.0 T_DMARC_TESTS_FAIL No description available.
    * 1.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
    *      and the domain has a DMARC reject policy
    * 0.1 DMARC_REJECT DMARC reject policy
    * 0.9 TXREP TXREP: Score normalizing based on sender's reputation
...
X-Spam-RelaysUntrusted: [ ip=199.30.234.79 rdns=spfdal-b.zixsmbhosted.com

The 199.30.234.79 IP is in the SPF record:

$ dig txt ny.frb.org|grep v=spf1
ny.frb.org. 3593 IN TXT "v=spf1 ip4:199.169.200.4 ip4:199.169.204.4 ip4:199.169.240.69 ip4:199.169.208.69 ip4:199.169.174.2 ip4:170.209.35.2 ip4:199.30.234.56/29 ip4:74.203.184.208/30 ip4: 199.30.234.64/26 ip4:199.30.234.192/27 ip4:74.203.184.32/27 ip4: 68.142.184.144/28 ip4:68.142" ".185.0/25 ip4:209.190.248.144/28 ip4:199.169.200.5 ip4:152.70.150.118 ip4:129.213.11.79 exists:%{i}. spf.frb.iphmx.com include:_spf.qualtrics.com include:service.govdelivery.com include:amazonses.com ~all"

There seems to be a lot wrong here. I'd appreciate some pointers on what's going on. Of course I realize it's my choice to add the other DMARC rules and scores on top of the default, but the default scores don't make sense to me.
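A check of the relay IP against the ip4 terms of the quoted SPF record, as an added example that is not part of the original post. The function names are hypothetical, only ip4 terms are evaluated (the exists and include terms need DNS), and the `repair_wraps` option assumes the spaces after "ip4:" are line-wrap artifacts, which the post does not confirm.

```python
import ipaddress

# The two TXT strings exactly as they appear in the dig output quoted above.
TXT_STRINGS = [
    "v=spf1 ip4:199.169.200.4 ip4:199.169.204.4 ip4:199.169.240.69 "
    "ip4:199.169.208.69 ip4:199.169.174.2 ip4:170.209.35.2 "
    "ip4:199.30.234.56/29 ip4:74.203.184.208/30 ip4: 199.30.234.64/26 "
    "ip4:199.30.234.192/27 ip4:74.203.184.32/27 ip4: 68.142.184.144/28 "
    "ip4:68.142",
    ".185.0/25 ip4:209.190.248.144/28 ip4:199.169.200.5 ip4:152.70.150.118 "
    "ip4:129.213.11.79 exists:%{i}. spf.frb.iphmx.com "
    "include:_spf.qualtrics.com include:service.govdelivery.com "
    "include:amazonses.com ~all",
]


def ip4_terms(txt_strings, repair_wraps=False):
    """Return (networks, malformed_terms) for the ip4 mechanisms of a record."""
    # RFC 7208: multiple strings of one TXT record are joined with no separator.
    record = "".join(txt_strings)
    if repair_wraps:
        # Assumption: "ip4: <addr>" is a wrapped line, not the published data.
        record = record.replace("ip4: ", "ip4:")
    networks, malformed = [], []
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        mech = term.lstrip("+-~?")   # drop an optional qualifier
        if not mech.lower().startswith("ip4:"):
            continue
        try:
            networks.append(ipaddress.ip_network(mech[4:], strict=False))
        except ValueError:
            # A strict RFC 7208 evaluator answers permerror on a syntax error.
            malformed.append(term)
    return networks, malformed


def matching_network(ip, networks):
    """Return the first network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in networks if addr in net), None)


if __name__ == "__main__":
    for repair in (False, True):
        nets, bad = ip4_terms(TXT_STRINGS, repair_wraps=repair)
        hit = matching_network("199.30.234.79", nets)
        print(f"repair_wraps={repair}: match={hit} malformed={bad}")
```

Read literally, the record has two empty "ip4:" terms and no ip4 network covering 199.30.234.79; under the wrap assumption the address falls in 199.30.234.64/26.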