#138 pass failed messages from p=quarantine domains

A. Schulze

Problem: messages from domains announcing p=quarantaine that fail the DMARC check
stay in the MTA queue until administrative interventions.

Marcos Moraes suggested a patch to let such messages pass even if "rejectfailures: yes"
That enables the administrator to configure later A-R handling
see http://www.trusteddomain.org/pipermail/opendmarc-dev/2015-July/000239.html

There where a suggestion from Scott K regarding the name of the config option.
Somehow I'm also not very comfortable with the name, but I've no better suggestion..

Marco named it "HoldQuarantinedMessages" with default "false"
That do not require an administrator to all any additional configuration because the default
is exaclty what an admin may want: "not hold Messages the otherwise would be quarantined"



  • Marco Favero

    Marco Favero - 2016-01-07

    if RejectFailures=false an header which says what to do should be very useful.

    Now the header is
    Authentication-Results: host; dmarc=fail header.from=example.com

    An useful header could be:
    Authentication-Results: host; dmarc=fail header.from=example.com policy=quarantine
    Authentication-Results: host; dmarc=fail header.from=example.com policy=reject

    In this way a filter that read Authentication-Results could take different policy based actions.

  • A. Schulze

    A. Schulze - 2016-01-07


    that's a good suggestion. I'm unsure if https://tools.ietf.org/html/rfc7601 allow to include the "policy=" information.
    That has to be checked.

    An other point I like to see the policy informaion is the Failure Report I usually send to myself.

    Feedback-Type: auth-failure
    Version: 1
    User-Agent: OpenDMARC-Filter/1.3.1
    Auth-Failure: dmarc
    Authentication-Results: idvmailin03.datev.de; dmarc=fail header.from=barry-callebaut.com
    Original-Envelope-Id: 3pbZVd1QFNz699W


  • Marco Favero

    Marco Favero - 2016-04-11

    Look at gmail:

    Authentication-Results: mx.google.com;
           spf=pass [...]
           dkim=pass header.i=@accounts.google.com;
           dmarc=pass (p=REJECT dis=NONE) header.from=accounts.google.com

    I don't know what is "dis". Anyway they include policy in header.

  • Murray S. Kucherawy

    Variant of this patch applied.

  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks