Reject mail by SPF/DKIM

Hi, I want to ask how I can set the Rspamd filter so that emails that do not pass SPF or the DKIM signature, or both, are considered spam. Thanks.

In Rspamd UI, under the Symbols section you can increase the penalty score related to SPF and DKIM failures.

:no_good_woman: Disclaimer: I think changing the default weights is a really bad idea unless you really know what they do.

See also

Yes, but if I receive a spoofed email, I receive it in the inbox folder rather than the junk folder, and that is not good for security, as you know, if the Rspamd filter does not recognize this type of email and move it to the spam folder. If it is not recommended to change the default values, what is the best approach to protect against phishing or spoofing emails?

I think there is no correct answer to your question.

To revert the change later, take note of the original weights, or edit the /var/lib/rspamd/rspamd_dynamic map from the Rspamd UI Configuration page.

Hi, I sent an email that has a score of 6.37/20. In theory I would receive this in the spam folder, but I receive it in the inbox folder. This is the screenshot of Rspamd:

The “add header” means it is marked as spam. Check the Mail > Settings > Mailboxes page to see if it should be moved to the Junk folder or not.

Messages marked as spam (see Filter) can be automatically moved into the Junk folder by enabling the option Move spam to junk folder.

Additional information about the message delivery is written into the App’s log, visible in System Logs page.

Hi, the option you mentioned is already enabled. This is the system log of the mail app about that message:

2024-12-10T16:03:47+01:00 [1:mail1:rspamd] (normal) <5260f9>; task; rspamd_spf_maybe_return: stored SPF record for xxxxxxxxxx (0x1918244bb69df) in LRU cache for 3600 seconds, 39/2000 elements in the cache
2024-12-10T16:03:48+01:00 [1:mail1:rspamd] (normal) <5260f9>; task; rspamd_task_write_log: id: <20241210150338.CFDC21B65@aaaaaaaa.bb>, qid: <66E5916803A8>, ip: xxxxxxxxxxxx, from: <emailaddress@xxxxxxxxxx>, (default: F (no action): [5.24/20.00] [MISSING_MIME_VERSION(2.00){},DMARC_POLICY_QUARANTINE(1.50){xxxxxxxxxx : No valid SPF, No valid DKIM;quarantine;},R_SPF_FAIL(1.00){-all;},SUBJ_ALL_CAPS(0.75){10;},MIME_GOOD(-0.10){text/plain;},ONCE_RECEIVED(0.10){},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:64022, ipnet:xxxxxxxxxxxx, country:HK;},FREEMAIL_ENVFROM(0.00){xxxxxxxxxx;},FREEMAIL_FROM(0.00){xxxxxxxxxx;},FREEMAIL_REPLYTO(0.00){xxxxxxxxxx;},FROM_EQ_ENVFROM(0.00){},FROM_HAS_DN(0.00){},HAS_REPLYTO(0.00){emailaddress@xxxxxxxxxx;},HAS_X_PRIO_THREE(0.00){3;},MIME_TRACE(0.00){0:+;},MISSING_XM_UA(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ONE(0.00){1;},RCVD_TLS_LAST(0.00){},REPLYTO_ADDR_EQ_FROM(0.00){},R_DKIM_NA(0.00){},SINGLE_SHORT_PART(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 451, time: 807.669ms, dns req: 27, digest: <a6005be2c88a03182faee92640a2c8c4>, rcpts: <xxxxxxxxx@xxxxxxxxx.it>, mime_rcpts: <xxxxxxxxx@xxxxxxxxx.it>
2024-12-10T16:03:48+01:00 [1:mail1:postfix/qmgr] 66E5916803A8: from=<emailaddress@xxxxxxxxxx>, size=858, nrcpt=1 (queue active)
2024-12-10T16:03:48+01:00 [1:mail1:dovecot] lmtp(xxxxxxxxxx)<25471><38dyHFRYWGd/YwAA5BWowA>: save: box=INBOX, uid=1017, msgid=<20241210150338.CFDC21B65@aaaaaaaa.bb>, from="xxxxxxxxxxxx" <emailaddress@xxxxxxxxxx>, subject=TEST EMAIL, flags=()
2024-12-10T16:03:49+01:00 [1:mail1:dovecot] imap(xxxxxxxxxx)<23809><t8oIceoo1otdLnS3>: flag_change: box=INBOX, uid=1017, msgid=<20241210150338.CFDC21B65@aaaaaaaa.bb>, from="xxxxxxxxxxxx" <emailaddress@xxxxxxxxxx>, subject=TEST EMAIL, flags=(nonjunk)
2024-12-10T16:03:51+01:00 [1:mail1:dovecot] imap(xxxxxxxxxx)<23809><t8oIceoo1otdLnS3>: flag_change: box=INBOX, uid=1017, msgid=<20241210150338.CFDC21B65@aaaaaaaa.bb>, from="xxxxxxxxxxxx" <emailaddress@xxxxxxxxxx>, subject=TEST EMAIL, flags=(\Seen nonjunk)

This appears to be a different message that scored 5.24. Message from screenshot was 6.37.

Just talking from my lack of knowledge…

So, the normal process would be: rspamd checks the message, sets a score, if the score is over the spam threshold, adds spam headers to the message, dovecot IMAP sieve reads the message headers and if X-Spam is set to yes (and the mail account is subscribed to junk folder, as is by default) moves the message into junk. The mail client and dovecot can set some other flag(s) or IMAP keywords (seen, nonjunk, junk…).

No bypass rules set (I guess… as the message is being processed by rspamd).

Are DKIM/SPF checks treated differently? rspamd can increase spam score for fake ones or use some policy

Maybe useful to share the mail headers of the e-mail message (to be able to see which headers and flags were added: X-Spam, X-Spam-Flag, X-Spam-Status…)

Don’t know if searching by the message id in the log can give other clues on how it was processed, or the reported log excerpt is all there is to it.


Hi,
This is another fake email that was sent, and I received it in the inbox and not in the junk folder. This is the header (btw, the score is only 2.46/20, so it does not exceed the threshold of 5 for adding the “spam” header, but this is a fake email):

X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <xxxxxxxxxxxx.90@gmail.com>
Delivered-To: xxxxxxxxxxxx@ad.xxxxxxxxxxxxxxxxxx.it
Received: from mail.xxxxxxxxxxxxxxxxxx.it
	by ns01.xxxxxxxxxxxxxxxxxx.it with LMTP
	id iI5kIP/ZX2etxgEA5BWowA
	(envelope-from <xxxxxxxxxxxx.90@gmail.com>)
	for <xxxxxxxxxxxx@ad.xxxxxxxxxxxxxxxxxx.it>; Mon, 16 Dec 2024 07:42:55 +0000
Received: from xxxx.cz (xxxx.cz [xxxx.247])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by mail.xxxxxxxxxxxxxxxxxx.it (Postfix) with ESMTPS id 9555216801EF
	for <xxxxxxxxxxxx@xxxxxxxxxxxxxxxxxx.it>; Mon, 16 Dec 2024 07:42:51 +0000 (UTC)
Received: by xxxx.cz (Postfix, from userid 33)
	id 5B6911880; Mon, 16 Dec 2024 08:42:43 +0100 (CET)
To: xxxxxxxxxxxx@xxxxxxxxxxxxxxxxxx.it
Subject: PROVA
From: "xxxxxxxxxxxx" <xxxxxxxxxxxx.90@gmail.com>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: xxxxxxxxxxxx.90@gmail.com
Reply-To: xxxxxxxxxxxx.90@gmail.com
Content-Type: text/plain; charset=utf-8
Message-Id: <20241216074243.5B6911880@xxxx.cz>
Date: Mon, 16 Dec 2024 08:42:43 +0100 (CET)
X-Spamd-Result: default: False [2.47 / 20.00];
	MISSING_MIME_VERSION(2.00)[];
	SUBJ_ALL_CAPS(0.38)[5];
	DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none];
	MIME_GOOD(-0.10)[text/plain];
	ONCE_RECEIVED(0.10)[];
	MX_GOOD(-0.01)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	ARC_NA(0.00)[];
	FREEMAIL_REPLYTO(0.00)[gmail.com];
	TAGGED_FROM(0.00)[];
	FREEMAIL_FROM(0.00)[gmail.com];
	MIME_TRACE(0.00)[0:+];
	HAS_X_PRIO_THREE(0.00)[3];
	FROM_HAS_DN(0.00)[];
	MISSING_XM_UA(0.00)[];
	TO_DN_NONE(0.00)[];
	REPLYTO_ADDR_EQ_FROM(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	FREEMAIL_ENVFROM(0.00)[gmail.com];
	R_SPF_SOFTFAIL(0.00)[~all];
	SINGLE_SHORT_PART(0.00)[];
	R_DKIM_NA(0.00)[];
	RCVD_COUNT_ONE(0.00)[1];
	ASN(0.00)[asn:64022, ipnet:xxxx.0/24, country:HK];
	HAS_REPLYTO(0.00)[xxxxxxxxxxxx.90@gmail.com]
X-Rspamd-Action: no action
X-Rspamd-Server: ns01
X-Rspamd-Flag-Threshold: 6
X-Rspamd-Queue-Id: 9555216801EF

TEST EMAIL
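
Added example, not part of the original thread: a small Python parser for the X-Spamd-Result header posted above (it also accepts the `{}` form used in the rspamd log line earlier in the thread), showing how much of the score came from SPF/DKIM/DMARC/ARC symbols. The function names and the threshold argument are assumptions made for this illustration; the sample is abridged from that header.

```python
import re

# Abridged copy of the X-Spamd-Result value from the header above; zero-score
# symbols unrelated to sender authentication are left out.
SAMPLE = """default: False [2.47 / 20.00];
	MISSING_MIME_VERSION(2.00)[];
	SUBJ_ALL_CAPS(0.38)[5];
	DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none];
	MIME_GOOD(-0.10)[text/plain];
	ONCE_RECEIVED(0.10)[];
	MX_GOOD(-0.01)[];
	ARC_NA(0.00)[];
	R_SPF_SOFTFAIL(0.00)[~all];
	R_DKIM_NA(0.00)[]"""

NUM = r"-?\d+(?:\.\d+)?"
HEAD_RE = re.compile(r"\[\s*(%s)\s*/\s*(%s)\s*\]" % (NUM, NUM))
# SYMBOL(score)[options] in the header, SYMBOL(score){options} in the log.
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((%s)\)[\[{]([^\]}]*)[\]}]" % NUM)
AUTH_PREFIXES = ("R_SPF_", "R_DKIM_", "DMARC_", "ARC_")


def parse_spamd_result(value):
    """Return (total score, [(symbol, score, options), ...])."""
    head = HEAD_RE.search(value)
    if head is None:
        raise ValueError("no '[score / max]' field found")
    symbols = [(m.group(1), float(m.group(2)), m.group(3))
               for m in SYMBOL_RE.finditer(value, head.end())]
    return float(head.group(1)), symbols


def auth_report(value, threshold):
    """Split the score into sender-authentication symbols and the rest."""
    total, symbols = parse_spamd_result(value)
    auth = [s for s in symbols if s[0].startswith(AUTH_PREFIXES)]
    rest = [s for s in symbols if not s[0].startswith(AUTH_PREFIXES)]
    return {
        "total": total,
        "auth_symbols": auth,
        "auth_score": round(sum(s[1] for s in auth), 2),
        "other_score": round(sum(s[1] for s in rest), 2),
        # Extra score the message would have needed to reach `threshold`.
        "missing_to_threshold": round(max(threshold - total, 0.0), 2),
    }


if __name__ == "__main__":
    # 6.0 is the X-Rspamd-Flag-Threshold value shown in the same header.
    print(auth_report(SAMPLE, 6.0))
```

For the header above, the SPF softfail, missing DKIM signature and DMARC softfail together account for 0.10 of the 2.47 total.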