amavis-dkim: How to discard mail with no or invalid signature

Matthias Weigel matthias.weigel at
Wed Jan 13 18:47:18 CET 2016

Hello Gerhard,

you could try a custom spamassassin rule.

These rules go into ~amavis/.spamassassin/user_prefs

There are already some SPF/DKIM rules in spamassassin. See file or of spamassassin.

# Then you create a rule to identify your domain:
header      MY_FROM          From =~ /
describe    MY_FROM   Sender is from

# Now you create a rule to combine them:
describe MY_FROM_WITHOUT_SPF  Sender is from my domain, but has no SPF

# or:
describe MY_FROM_WITHOUT_DKIM  Sender is from my domain, but has no DKIM

The high score tells amavis to quarantine such mails.

Please check, if the above criteria are really useful for you. Have a
look in /usr/share/spamassassin/ . Maybe some other criteria is more

Test before using this in production. See "debug-sa" parameter to amavis.

Best Regards


Am 13.01.2016 um 17:19 schrieb Gerhard Rappenecker:
> Hello all,
> thanks a lot for all answers.
> It seems I have to use SPF or DMARC to get what I want. Unfortunately these components are not integrated in the SuSE Linux software distribution. I'd like to use only the onboard resources postfix, amavis-new with DCIM, spamassassin because of automatic updating.
> Is there actually no way in amavis (or spamassassin) to reject/quaratine mails from a specific sender with no or an invalid DKIM signatur?
> Is there any way to reject those mails in postfix after amavis DKIM verifying?
> I've allready tried to check the headers in postfix for DKIMs "Authentication-Results", but "header_checks" take place before the DKIM verification and "smtp_header_checks" do not allow to cutoff the mail delivery.
> Hope anyone can help me
> best regards
> Gerhard
>>>> Maurizio Marini <maumar at> schrieb am Mittwoch, 13. Januar 2016 um
> 12:27 in Nachricht <20160113122726.221e5099.maumar at>:
>> On Wed, 13 Jan 2016 12:01:52 +0100
>> "Gerhard Rappenecker" <G.Rappenecker at> wrote:
>>> My intention is, to reject mail from outside with a faked sender adress
>>> of our own domain. In the past we were attacked by such mails to our
>>> mailinglists.
>> Hello Gerhard
>> I use spf with -all instead of ~all to do exactly what you want.
>> I do not received anymore spam with my domain in from address
>> I mean:
>> -m

More information about the amavis-users mailing list