Mail System Changes – WARNING!

     About a year ago we implemented opendkim, opendmarc, and SPF checking in order to reduce mail forgeries.  This had the intended effect: it is not impossible to forge e-mail with these measures in place, but it is difficult enough that the vast majority of forgeries are stopped.

     However, DMARC, and to a lesser degree DKIM, seems to be too difficult a concept for some mail providers to implement properly.  They publish a DMARC policy in their DNS asking receivers to check their mail, but their outgoing mail does not actually pass the check (the DKIM signature or the alignment is wrong), so legitimate mail from them gets rejected.  This has particularly been an issue with one rather large cloud provider, but now we are seeing the same problem with NewEgg, a computer retailer I do quite a lot of business with, and with GoDaddy.

     The existing system provides no effective means of whitelisting per user, and I do not wish to whitelist these sites site-wide, because then mail forged from those sites would get through for everyone.  I prefer to give each individual the ability to whitelist for themselves.

     Presently, the OpenDMARC milter runs in reject mode.  I intend to change this so that it only adds a header line to the mail, and then add a rule to SpamAssassin that gives the header indicating a failed DMARC check a really high score, so that such mail will go to the spam folder unless you whitelist the site in your ~/.spamassassin/user_prefs file OR you do something different in your own .procmailrc rules, if you choose to override the system rules.

     This way, people savvy enough to recognize a forged e-mail can override the system-wide filtering for themselves if they wish, and those who can't will at least have the option of examining their spam folder for missing mail; odds are good that if you're expecting the e-mail, it is legitimate.

     However, I will need to do this in two phases, and there will be an interval during the process in which forged e-mail WILL go to your INBOX.  I therefore caution you NOT to follow any links that say you need to provide authentication information for this site or any other site you do business with, as they may be forged.  I will send a second notice when this is completed.

     During the first phase, I will change the configuration of the OpenDMARC milter NOT to reject failed mail but only to add a header line.  Then, once I find some examples of forged e-mail, or create some, so I know what the headers look like, I will add a rule to SpamAssassin.  Between changing the configuration and adding the rule, forgeries will get through, so be extra cautious with incoming mail until this has been completed.
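     The configuration fragments below are an added illustration of the two phases described above and of the per-user override, not the site's own configuration.  The host name mail.example.com, the rule name LOCAL_DMARC_FAIL, the score of 10.0 and the NewEgg relay domain are assumptions; the option names themselves (RejectFailures, AuthservID, header/describe/score, whitelist_from_rcvd) are the real OpenDMARC and SpamAssassin ones.

```conf
# --- /etc/opendmarc.conf (only the settings that change) ---
# Name this host writes into the Authentication-Results header it adds.
# mail.example.com is an assumed placeholder for the site's real host name.
AuthservID mail.example.com

# Phase 1: stop rejecting at SMTP time and only record the verdict in a header.
# The old behaviour (what the post calls "reject mode") is RejectFailures true.
RejectFailures false

# --- /etc/mail/spamassassin/local.cf (site-wide rule, added in phase 2) ---
# Match only the Authentication-Results header written by our own milter,
# i.e. the one whose value starts with our AuthservID, so that dmarc=fail
# verdicts copied in by upstream or forwarding hosts are not scored.
# SpamAssassin unfolds the header before matching, so ".*" crosses line
# breaks.  Rule name and score are assumptions; 10.0 is well over the
# default required_score of 5.0.
header   LOCAL_DMARC_FAIL  Authentication-Results =~ /^mail\.example\.com;.*\bdmarc=fail\b/i
describe LOCAL_DMARC_FAIL  DMARC check by our own milter failed (possible forgery)
score    LOCAL_DMARC_FAIL  10.0

# --- ~/.spamassassin/user_prefs (per-user override, optional) ---
# Option A: trust the sender only when the mail also arrived from a relay
# whose reverse DNS is in the named domain.  Plain whitelist_from looks only
# at the From: header, which is exactly the thing a forger controls, so this
# form is safer.  The relay domain is an assumption; read the Received:
# headers of a genuine message from the sender to find the right one.
whitelist_from_rcvd  *@newegg.com  newegg.com

# Option B: switch the site-wide rule off for this user only.
# score LOCAL_DMARC_FAIL 0
```

     Both user_prefs forms work without allow_user_rules, since whitelisting and score changes are user preferences rather than new rules.  A whitelist_from_rcvd match fires USER_IN_WHITELIST, whose large negative score outweighs the 10.0 above, so the mail lands in the inbox while the LOCAL_DMARC_FAIL tag still appears in X-Spam-Status for anyone who wants to see that the check failed.  SpamAssassin 4 renames these options to welcomelist_from_rcvd and friends but still accepts the older names.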
