pass failed messages from p=quarantine domains

Open source DMARC implementation

Status: Inactive

Brought to you by: cm-msk, gushi

This project can now be found here.

#138 pass failed messages from p=quarantine domains

Milestone: 1.3.1

Status: closed

Owner: Murray S. Kucherawy

Labels: None

Updated: 2017-03-04

Created: 2015-10-04

Creator: A. Schulze

Private: No

Problem: messages from domains announcing p=quarantaine that fail the DMARC check
stay in the MTA queue until administrative interventions.

Marcos Moraes suggested a patch to let such messages pass even if "rejectfailures: yes"
That enables the administrator to configure later A-R handling
see http://www.trusteddomain.org/pipermail/opendmarc-dev/2015-July/000239.html

There where a suggestion from Scott K regarding the name of the config option.
Somehow I'm also not very comfortable with the name, but I've no better suggestion..

Marco named it "HoldQuarantinedMessages" with default "false"
That do not require an administrator to all any additional configuration because the default
is exaclty what an admin may want: "not hold Messages the otherwise would be quarantined"

Andreas

Discussion

Marco Favero - 2016-01-07

Hello,
if RejectFailures=false an header which says what to do should be very useful.

Now the header is
Authentication-Results: host; dmarc=fail header.from=example.com

An useful header could be:
Authentication-Results: host; dmarc=fail header.from=example.com policy=quarantine
Authentication-Results: host; dmarc=fail header.from=example.com policy=reject

In this way a filter that read Authentication-Results could take different policy based actions.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

A. Schulze - 2016-01-07

Hello,

that's a good suggestion. I'm unsure if https://tools.ietf.org/html/rfc7601 allow to include the "policy=" information.
That has to be checked.

An other point I like to see the policy informaion is the Failure Report I usually send to myself.

Feedback-Type: auth-failure
Version: 1
User-Agent: OpenDMARC-Filter/1.3.1
Auth-Failure: dmarc
Authentication-Results: idvmailin03.datev.de; dmarc=fail header.from=barry-callebaut.com
Original-Envelope-Id: 3pbZVd1QFNz699W
Original-Mail-From:

WISH:
X-DAMAC-POLICY=...

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Marco Favero - 2016-04-11

Look at gmail:

Authentication-Results: mx.google.com; spf=pass [...] dkim=pass header.i=@accounts.google.com; dmarc=pass (p=REJECT dis=NONE) header.from=accounts.google.com

I don't know what is "dis". Anyway they include policy in header.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Juri Haberland - 2016-05-24

"dis" is "disposition" (what Google did with the message).

A patch to modify the AR header can be found here: http://www.trusteddomain.org/pipermail/opendmarc-dev/2016-May/000256.html

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Murray S. Kucherawy - 2016-07-19

Variant of this patch applied.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Murray S. Kucherawy - 2016-12-18

assigned_to: Murray S. Kucherawy
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Murray S. Kucherawy - 2017-03-04

status: open --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Murray S. Kucherawy - 2017-03-04

Fixed in 1.3.2.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.