Email delivered after failing DMARC

Hello crew,

I have a simple 1 domain email server hosted on NS 7.9 using SOGo as a front end. Recently, I’ve added an externally hosted website that has forms being sent out via email. Before I tested the final settings I wanted to confirm that my end server (the one hosting example.com) was honoring my current DMARC policy of:

v=DMARC1; p=reject; sp=reject; rua=mailto:aggrep@example.com; aspf=s; adkim=s; pct=100

The website is sending through wpengine.com & I have not added them to my SPF/DKIM records. With the strict enforcement of aspf=s & adkim=s my NS server is accepting inbound email from noreply@example.com to contact@example.com even though it is failing the DMARC policy.

I expected for the NS server to reject the incoming email because it came from an unauthorized source. Instead the email is passed along without any issue right into the inbox.

Sort by:

MagnitudeValueName DMARC_POLICY_REJECT

DMARC reject policy
(2) [example.com : SPF not aligned (strict), DKIM not aligned (strict),reject]
MX_INVALID (0.5) []
FORGED_SENDER (0.3) [noreply@example.com,noreply=example.com@mail1.wpengine.com]
R_SPF_ALLOW (-0.2) [+ip4:23.83.208.0/20]
MIME_HTML_ONLY (0.2)
R_DKIM_ALLOW (-0.2) [mail1.wpengine.com:s=mx]
RCVD_COUNT_FIVE (0) [6]
HAS_PHPMAILER_SIG (0)
RCVD_VIA_SMTP_AUTH (0)
RCVD_IN_DNSWL_NONE (0) [23.83.214.98:from]
RCPT_COUNT_THREE (0) [3]
MIME_TRACE (0) [0:~]
FREEMAIL_TO (0) [gmail.com,live.com,example.com]
RCVD_TLS_LAST (0)
TO_MATCH_ENVRCPT_SOME (0)
FROM_NEQ_ENVFROM (0) [noreply@example.com,noreply=example.com@mail1.wpengine.com]
DKIM_TRACE (0) [mail1.wpengine.com:+]
FROM_HAS_DN (0)
TO_DN_NONE (0)
MID_RHS_MATCH_FROM (0)
HAS_X_POS (0)
ASN (0) [asn:36483, ipnet:23.83.208.0/21, country:CA]

Hi @royceb, took me a long time to figure-out how spamd works (and still not over confident so could be wrong here)

rspamd keeps a score per “symbol” if it bad it’s add pionts if it’s good it subtracts points.

Looking at my default configuration over here DMARC reject policy is little bit bad and adds 2 points:

Which is well below the thresholds over here: Spam flag threshold: 6 , Deny message spam threshold 15.

Hope this helps…

Thank you for the reply, I appreciate it. With all of the different RFC regarding email I’m in the same bucket as many. From a technical view your answer makes sense on how rspamd is behaving - DMARC fails so add 2 points to the overall spam score.

My question is does this make sense? Shouldn’t a failure of DMARC with a specified reject declaration be treated as automatic spam that get’s scored 15 (or whatever threshold) or above, if not what is the point of DMARC beyond the reporting functionality?

Added question, am I making bad assumptions of how the default rspamd implementation should be and this is a setting that needs to be calibrated for best results?

1 Like