From: RW <rwmailli...@googlemail.com>

>On Fri, 5 May 2017 22:49:43 +0000
>David Jones wrote:

>> From: RW <rwmailli...@googlemail.com>
>>
>> >On Fri, 5 May 2017 19:56:27 +0000
>> >David Jones wrote:
>>
>> >> >I don't see why anyone would want a form of whitelisting
>> >> >where a DKIM pass on a trusted domain would be ignored if there's
>> >> >no SPF pass.
>> >>
>> >> Correct.
>>
>> >I don't know why you write "correct" and then go on to write
>> >something contrary.
>>
>> It's not a contradiction. See below.

>If you think it isn't you have read it correctly.

>> >> This is why I only add envelope-from domains to my
>> >> whitelist_auth list that is currently 2,595 entries.
>>
>> >That's not a good idea. When you don't feel you can just put a
>> >"header from" domain into whitelist_auth, you should use one or
>> >both of whitelist_from_dkim and whitelist_from_spf instead.
>>
>> Both of those are effectively the same when you carefully add only
>> envelope-from domains with specific patterns.

>There are only two possibilities: either the header and envelope domains
>are the same, in which case it makes no difference, or they are not,
>in which case you are giving up on DKIM and relying only on SPF.

I understand the difference between whitelist_from_dkim and whitelist_from_spf. When I did some analysis on scoring and the envelope-from and header-from, some patterns jumped out. Since my Postfix postscreen does heavy checking on the envelope-from with DNS and RBL checks, what gets through to SA is going to be either whitelisted major providers like Google, Yahoo, Microsoft, etc. or senders with good reputation. I add certain envelope-from patterns that are not from domains with user mailboxes that can be compromised. This generally means I am only adding system-generated email domains that have a valid unsubscribe process. If these system-generated email domains happen to align with DKIM that is OK. From what I can tell, the whitelist_from_dkim only works on DKIM_VALID_AU hits, which means the DKIM signature domain aligns with the header-from.
Based on my analysis of my email, if email has passed through my Postfix postscreen scrutiny based on the envelope-from and hits DKIM_VALID_AU _with a good unsubscribe_, then that domain is fine to whitelist_auth. As a general rule of thumb, I am not adding any "primary" domains like "example.com". If I see system-generated emails from "*.example.com" that consistently score very low, then I check them for certain rule hits indicating very good reputation or check for a valid unsubscribe link, then I add a "whitelist_auth *.example.com" entry. Now if someone registers the examp1e.com domain and tries to send an identical email to phish, then it has to get past many reputation checks to get to SA where content checks will catch it. I can train the examp1e.com emails as spam and BAYES will score high to block it while the real example.com goes through fine.
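The header-from versus envelope-from distinction argued over in this thread, as an added example that is not part of the thread and not SpamAssassin's own code: a simplified Python model of how a whitelist_from_dkim, whitelist_from_spf and whitelist_auth entry such as `*.example.com` would match. It assumes glob matching on the domain part of the address and the DKIM_VALID_AU alignment rule described above (signing domain equals the From: domain or a parent of it); the messages are constructed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mail:
    header_from_domain: str       # domain of the From: header
    envelope_from_domain: str     # domain of MAIL FROM / Return-Path
    dkim_d: Optional[str]         # d= of a DKIM signature that verified, else None
    spf_pass: bool                # SPF result for the envelope-from


def dkim_aligned(header_from_domain: str, dkim_d: Optional[str]) -> bool:
    """Approximation of DKIM_VALID_AU: the signing domain is the From: domain
    or a parent of it (assumed alignment rule, not SpamAssassin's exact code)."""
    if not dkim_d:
        return False
    h, d = header_from_domain.lower(), dkim_d.lower()
    return h == d or h.endswith("." + d)


def matches(pattern: str, domain: str) -> bool:
    # Glob over the domain part only (assumption); '*.example.com' does not
    # match the bare 'example.com', nor the look-alike 'examp1e.com'.
    return fnmatch.fnmatchcase(domain.lower(), pattern.lower())


def whitelist_from_dkim(pattern: str, m: Mail) -> bool:
    # Keyed on the header-from domain and requires an aligned DKIM pass.
    return matches(pattern, m.header_from_domain) and dkim_aligned(m.header_from_domain, m.dkim_d)


def whitelist_from_spf(pattern: str, m: Mail) -> bool:
    # Keyed on the envelope-from domain and requires an SPF pass.
    return matches(pattern, m.envelope_from_domain) and m.spf_pass


def whitelist_auth(pattern: str, m: Mail) -> bool:
    # whitelist_auth is shorthand for the DKIM and SPF entries together;
    # either path is enough, so it only falls back on SPF alone when the
    # header-from domain does not match the pattern.
    return whitelist_from_dkim(pattern, m) or whitelist_from_spf(pattern, m)


# Constructed sample messages for a 'whitelist_auth *.example.com' entry.
SAME_DOMAINS = Mail("bounce.example.com", "bounce.example.com", "example.com", True)
SPLIT_DOMAINS_SPF_OK = Mail("example.com", "bounce.example.com", "example.com", True)
SPLIT_DOMAINS_FORWARDED = Mail("example.com", "bounce.example.com", "example.com", False)
LOOKALIKE = Mail("examp1e.com", "bounce.examp1e.com", "examp1e.com", True)
```

When header-from and envelope-from differ (the `SPLIT_DOMAINS_*` cases) the entry is carried by SPF alone, so a forwarded message that still has a valid DKIM signature loses the whitelist; that is the situation RW describes.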