
Warn about DKIM not existing or failing - on received emails

Comments

9 comments

  • cPanelMichael
    Hello, You could manually add SPF rules in the SpamAssassin configuration file to enable more aggressive scoring on SPF failures. The global SpamAssassin configuration file on cPanel servers is located at: /etc/mail/spamassassin/local.cf Here's an example of how SPF rules are implemented when "Enable the Apache SpamAssassin ruleset that cPanel uses on cpanel.net" is enabled under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor":
    #
    # SPF failures and information
    #
    ifplugin Mail::SpamAssassin::Plugin::SPF
    score SPF_NONE 0
    score SPF_HELO_NONE 0
    score SPF_PASS -0.001
    score SPF_HELO_PASS -0.001
    score SPF_FAIL 4.0
    score SPF_HELO_FAIL 4.0
    score SPF_HELO_NEUTRAL 0
    score SPF_HELO_SOFTFAIL 1.5
    score SPF_NEUTRAL 0
    score SPF_SOFTFAIL 1.5
    endif
    Thus, you'd want to increase the score value on "score SPF_SOFTFAIL 1.5" to something higher than 1.5. Alternatively, the following post offers a workaround if you'd like to enable SPF checking directly in Exim so that it rejects messages that fail SPF verification: SPF Verification Thank you.
    0
  • nunop
    Thank you very much Michael - that's definitely helpful! However, I would be very interested in doing something similar for DKIM empty or failing. Does SpamAssassin support it? Or do I need to change exim.conf, maybe checking for the value of $dkim_verify_status? Are there any already-tested ways of doing this? (note that I still want to receive the email - just want to add some prefix on the subject) If I change exim.conf, will cPanel overwrite it at some point? Very kind regards!
    0
  • cPanelMichael
    However, I would be very interested in doing something similar for DKIM empty or failing.

    For DKIM, the following options are available under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor":
    Allow DKIM verification for incoming messages
    Reject DKIM failures
    Thank you.
    0
  • nunop
    Thank you. What exactly does "Allow DKIM verification for incoming messages" do when the verification fails? Note that I don't want to reject them (so the second option will remain disabled), but I want to add a prefix to the subject instead. Very kind regards.
    0
  • cPanelMichael
    Hello, The Allow DKIM verification for incoming messages option enables scanning for DKIM records with Exim, so the information will appear in the message header but Exim won't actually reject email. Additionally, there are no features to automatically rewrite the subject for DKIM failures, so you may also want to review the following SpamAssassin document about how you could scan for DKIM and mark messages as SPAM: Mail::SpamAssassin::Plugin::DKIM - perform DKIM verification tests Thank you.
    0
  • nunop
    I see. Thank you. My "Allow DKIM verification for incoming messages" option is disabled in WHM. However, SpamAssassin must still be verifying DKIM anyway, as I get the following rules when messages do succeed in DKIM:
    DKIM_VALID_AU
    DKIM_SIGNED
    DKIM_VALID
    (which is good) But the Fake test message I sent only has the following:
    SPF_SOFTFAIL
    SPF_HELO_PASS
    It doesn't have anything about DKIM not existing or failing. Just like you suggested I could increase the score of SPF_SOFTFAIL to auto-mark as SPAM, shouldn't SpamAssassin also be adding points (or at least have a rule for that) when there is no DKIM at all? Thank you.
    0
  • cPanelMichael
    Hello, SpamAssassin uses its own method of checking for DKIM, as I understand. The KAM ruleset is enabled by default and uses some DKIM rules:
    /etc/mail/spamassassin/KAM.cf
    You'd need to create additional custom rules if you wanted to add additional scoring or checking. Or, since that's unsupported, you may also want to consider creating a feature request to have DKIM verification handled through SpamAssassin natively: Submit A Feature Request
    But the Fake test message I sent only has the following:

    Are you sending the message from the cPanel server or a remote mail server? Note you won't see any actual DKIM information in the message header unless Allow DKIM verification for incoming messages is enabled. Thank you.
    0
  • nunop
    Are you sending the message from the cPanel server or a remote mail server?

    I use this website to send the email. I wanted to make sure I do it through an external server/service. - Removed - It sends no DKIM (as I was expecting anyway). Thank you. I'll have a look at your tips. I'll create a feature request as well.
    0
  • nunop
    Perfect! I created my own .cf file that will raise the score of SPF_FAIL (and SoftFail), and check whether DKIM is invalid or does not exist. I tested another email from the website above and got the exact result I wanted!! :) Also sent a proper email from a Gmail account and that wasn't marked as SPAM. Thank you very much for your help, Michael.
    0
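The custom .cf described in the thread (raise the SPF scores from Michael's example, add points when DKIM is invalid or absent, and prefix the Subject of messages that cross the threshold) is shown below as an added example; it is not nunop's actual file and not a cPanel-supplied ruleset. The filename, the score values and the rule names beginning with LOCAL_ are assumptions chosen for this illustration; SPF_*, DKIM_SIGNED, DKIM_VALID and DKIM_INVALID are SpamAssassin's own rule names, and rewrite_header, required_score, meta, describe and score are standard SpamAssassin configuration directives.

```conf
# /etc/mail/spamassassin/local_dkim_spf.cf  (assumed filename; SpamAssassin
# reads every *.cf in /etc/mail/spamassassin after local.cf)
#
# Added example, not cPanel's or the poster's file. LOCAL_* rule names and all
# score values are assumptions for this illustration.

ifplugin Mail::SpamAssassin::Plugin::SPF
# Raise the cost of SPF failures above the stock 4.0 / 1.5 scores quoted above.
score SPF_FAIL       5.0
score SPF_HELO_FAIL  5.0
score SPF_SOFTFAIL   3.0
endif

ifplugin Mail::SpamAssassin::Plugin::DKIM
# DKIM_INVALID is SpamAssassin's stock meta rule for "signed, but the signature
# did not verify". It is scored very low by default, so give it real weight.
score DKIM_INVALID   3.0

# Stock SpamAssassin has no rule for "no DKIM signature at all"; add one.
# DKIM_SIGNED is the stock rule that fires when a DKIM-Signature header exists.
meta     LOCAL_DKIM_MISSING  !DKIM_SIGNED
describe LOCAL_DKIM_MISSING  Message carries no DKIM-Signature header
score    LOCAL_DKIM_MISSING  1.5

# Unsigned *and* SPF soft-failing is a stronger signal than either alone, which
# matches the test message in the thread (SPF_SOFTFAIL, no DKIM rules at all).
meta     LOCAL_NO_DKIM_SPF_SOFTFAIL  LOCAL_DKIM_MISSING && SPF_SOFTFAIL
describe LOCAL_NO_DKIM_SPF_SOFTFAIL  No DKIM signature and SPF softfail
score    LOCAL_NO_DKIM_SPF_SOFTFAIL  2.0
endif

# Subject prefix for messages that reach required_score. SpamAssassin only
# rewrites the Subject of messages it classifies as spam; there is no directive
# to prefix the Subject on a single rule hit without also marking it spam.
required_score 5.0
rewrite_header Subject [SUSPECT: DKIM/SPF]
```

Before relying on it, run `spamassassin --lint` as the user SpamAssassin runs as; it reports unknown rule names referenced in a meta rule and syntax errors, which otherwise cause the whole file to be ignored silently. Then feed a saved copy of the unsigned test message through `spamassassin -t < message.eml` and confirm LOCAL_DKIM_MISSING and the SPF rules appear in the test report. Keep in mind that LOCAL_DKIM_MISSING penalizes every sender that simply does not sign mail, including many legitimate small senders, so its score should stay well below required_score on its own and only tip the balance together with other signals.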
