>Thanks for that, I will do that, another thing that comes to my mind:
>if my mail server sign every single e-mail with DKIM, that e-mail
>should be signed even if it's redistributed by mailing list daemon
>or not? I see my own e-mails here and e-mails of some other people
>in this list to be DKIM signed.
If this passed DKIM checks, DKIM_VALID, then it should not hit
DKIM_VALID_AU in that case. Read up on whitelist_auth related
to SPF and DKIM rule hits.
>So isn't there a way to get either postfix or SA to reject or flag emails
>that are sent specifically "from my domain" but aren't signed with
>DKIM? I even think that it's possible to set a DMARC policy to require
>emails from a domain to be signed.
"From my domain" needs to be defined. I hope you know the
difference from the envelope-from and the visible From: header.
Most spammers are going to spoof the visible From: header but
the envelope-from will be different and can be blocked by good
DBLs like Invaluement and regular IP-based RBLs. The envelope-
from with your own domain can be blocked normally at the MTA
level. Your mail flow for legit senders of your domain should be
authenticating to internal or trusted mail servers that are allowed
to relay at the MTA level by IP or network before the check of the
envelope-from domain is checked. Make sure you know the
order of checks performed by your MTA.
I don't have any specific protection in place for the dozens of
domains that I filter for and we don't have a spoofing problem
with all of the MTA checks in place and a fairly well trained
>This would block forged e-mails but would not block e-mails from
>Isn't it somehow possible to tell SA to score-up these mails if they
>fail this DMARC policy?
I have not needed to do any special scoring yet of DMARC failures
with the other MTA checks in place. Get your MTA tuned up a bit
and see if this solves the problem for you. This could take some
research, learning, and time to perfect. If you use Postfix, there
have been some recent postings on this mailing list related to
senderscore.org and postscreen that will help you get a good