On Sun, Feb 08, 2026 at 11:18:37AM +0100, A.Schulze via users wrote:
> I like to create SA rules to cover some or all following properties of a
> message:

Note that generally core SA only works on text (headers or body) present in your mail. For anything else (i.e. using parts of that text to contact DNS and then verify stuff, like e.g. SPF, DKIM, ...), you have to either:

- find a SA plugin already having required functionality (may be included in core distribution but needs to be enabled after you install its dependencies, or you might need to find it externally)
- have your MTA or some of its companion programs add the required information as mail headers, which you can then use with regular header matches in SA
- write your own plugin (in perl)

> - RFC5322.From TLD: .de

this is a simple regex match (you'll have to learn at least the basics of regular expressions to be able to write SA rules), as there exists a "From:" header in the mail.

    header RFC5322_FROM_DE From:addr =~ /\.de$/
    score RFC5322_FROM_DE -2.0

> - RFC5321.MailFrom: mail.$domain

That depends on where your MTA saves it. Might be e.g. `Return-Path:` or `X-Envelope-From` header etc. Then you'd use the same principle as above. But you'll have to look into MTA docs to know what it records and where.

> - NS-Record: @cloudflare
> - MX-Record: @cloudflare

NS and MX records of *what*?

> - DMARC-Policy: p=reject, rua -> @cloudflare
> - SPF-Record: include: @cloudflare
> - existence of mail.$domain
> - SPF-Record for mail.$domain -> include @amazonses

"perldoc Mail::SpamAssassin::Plugin::SPF" for what that plugin allows. What it doesn't have, you'll have to find elsewhere, or write plugin code yourself.

For querying DNS records in general (e.g. for DMARC), see Mail::SpamAssassin::Plugin::AskDNS; see e.g. https://www.mail-archive.com/[email protected]/msg95643.html for examples

> - SMTP-Client-IP: $some @amazonses

I don't understand this $ and @, but IP address of connecting peer (if that is what you mean by "SMTP-Client-IP") is usually recorded in some header.
SA already parses some, so take a look in your /var/lib/spamassassin for examples, or feel free to write your own regular expressions to match them.

> - DKIM-Signatures: 1k RSA by amazonses.com & 2k RSA by $domain
> - DMARC-Result: pass

you need to read the docs on how to enable plugins, then enable the DKIM plugin and read its docs. For DMARC, you can find the rules and their scores with e.g.

    % grep -ri DMARC /var/lib/spamassassin/ /usr/share/spamassassin/ /etc/spamassassin/

Also generally, pipe your message through "spamassassin -D -t" to debug and see what is being checked and whether it works.

> Any advice?

Yes, but you're asking for like an engineer-week of someone's time to set it all up for you based on your custom specifications.

Also, lots of what you ask for looks like https://en.wikipedia.org/wiki/XY_problem e.g. there are things in SA by default like "whitelist_auth" that probably handle majority of your SPF&DKIM needs without resorting to manual rule writing and matching addresses (which you seem to be trying)

But you really need to read the documentation first to know what is possible with existing SA code and rules, and then ask questions about things which aren't covered and are giving you real-life problems; by giving detailed instructions and samples why existing functionality isn't working for you (i.e. you're still getting spam, or your ham is being mistagged as spam)

And only armed with that information does it make sense to suggest what you think might help your case, and ask people for help whether your attempted way to fix the issue is viable, and how it can be implemented if it is. But that is advanced usage, and it is instead quite likely that you don't really need majority of what you asked how to do.

TL;DR: you would likely either need to invest some time into reading the existing documentation and examples, contract someone to do that work for you, or significantly reduce your requirements to only simple things already present and easily documented in SA (and then apply one of two solutions above).

-- 
Opinions above are GNU-copylefted.
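
Added example, not part of the message above and not from the SpamAssassin project: a local.cf fragment that combines the header match shown in the reply, an envelope-sender match, and an AskDNS lookup of the DMARC policy into one meta rule. All rule names (`EX_*`) and the score are constructed; it assumes the MTA records the envelope sender in `Return-Path:` and that the DKIM and AskDNS plugins are enabled.

```conf
# local.cf fragment -- added example; EX_* names and the score are constructed.
# Rules starting with "__" are sub-rules: they carry no score of their own
# and exist only to be combined in a meta rule.

# From: header address ends in .de (same match as in the message above;
# /i added so "Example.DE" also matches).
header   __EX_FROM_TLD_DE    From:addr =~ /\.de$/i

# Envelope sender (RFC5321.MailFrom) on a "mail." subdomain.
# Assumption: the MTA writes it to Return-Path:. If yours uses
# X-Envelope-From or another header, change the header name here.
header   __EX_ENVFROM_MAIL   Return-Path:addr =~ /\@mail\.[a-z0-9.-]+$/i

ifplugin Mail::SpamAssassin::Plugin::AskDNS
  # TXT lookup of the DMARC record of the author domain.
  # _AUTHORDOMAIN_ is a tag filled in by the DKIM plugin, so that plugin
  # has to be loaded too; without it this query is never sent.
  askdns   __EX_DMARC_REJECT   _dmarc._AUTHORDOMAIN_ TXT /^v=DMARC1;.*\bp=reject\b/i

  # Fires only when all three properties hold for the same message.
  meta     EX_SENDER_PROFILE   (__EX_FROM_TLD_DE && __EX_ENVFROM_MAIL && __EX_DMARC_REJECT)
  describe EX_SENDER_PROFILE   .de author, mail.* envelope sender, DMARC p=reject
  score    EX_SENDER_PROFILE   -1.0
endif
```

Check the file with "spamassassin --lint" before feeding a sample message through "spamassassin -D -t" as described above. A published p=reject policy says nothing about whether this particular message passed DMARC, so a negative score on these properties alone can be matched by anyone who controls such a domain.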
