>Thanks for that, I will do that, another thing that comes to my mind:

>if my mail server sign every single e-mail with DKIM, that e-mail

>should be signed even if it's redistributed by mailing list daemon

>or not? I see my own e-mails here and e-mails of some other people

>in this list to be DKIM signed.

If this passed DKIM checks, DKIM_VALID, then it should not hit

DKIM_VALID_AU in that case.  Read up on whitelist_auth related

to SPF and DKIM rule hits.

>So isn't there a way to get either postfix or SA to reject or flag emails

>that are sent specifically "from my domain" but aren't signed with

>DKIM? I even think that it's possible to set a DMARC policy to require

>emails from a domain to be signed.

"From my domain" needs to be defined.  I hope you know the

difference from the envelope-from and the visible From: header.

Most spammers are going to spoof the visible From: header but

the envelope-from will be different and can be blocked by good

DBLs like Invaluement and regular IP-based RBLs.  The envelope-

from with your own domain can be blocked normally at the MTA

level.  Your mail flow for legit senders of your domain should be

authenticating to internal or trusted mail servers that are allowed

to relay at the MTA level by IP or network before the check of the

envelope-from domain is checked.  Make sure you know the

order of checks performed by your MTA.

I don't have any specific protection in place for the dozens of

domains that I filter for and we don't have a spoofing problem

with all of the MTA checks in place and a fairly well trained

Bayes database.

>This would block forged e-mails but would not block e-mails from

>mailing lists.

>Isn't it somehow possible to tell SA to score-up these mails if they

>fail this DMARC policy?

I have not needed to do any special scoring yet of DMARC failures

with the other MTA checks in place.  Get your MTA tuned up a bit

and see if this solves the problem for you.  This could take some

research, learning, and time to perfect.  If you use Postfix, there

have been some recent postings on this mailing list related to

senderscore.org and postscreen that will help you get a good

head start.

Reply via email to