Order of DKIM signing and spam scanning
Simon Wilson
simon at simonandkate.net
Mon Apr 19 12:03:55 CEST 2021
I run amavisd to do spamassassin scanning on outbound email.
- Port 587 submission --> ORIGINATING/MYNETS dedicated amavisd port
  (10026) --> Postfix 10025 for delivery --> Internet (OR local Cyrus
  if it's local mail... read on...)
I also use amavisd to DKIM sign outbound email.
When I send email to a local domain (i.e. handled entirely on the
local network), amavisd is spam-scanning and *then* DKIM signing...
which means that the spam scan triggers KAM_DMARC rules if DMARC is
set to reject or quarantine:
- SPF fails: it's only ever internal, so SPF will never pass an
externally published SPF rule
- DKIM fails: the email is not yet DKIM-signed, so DKIM fails
- In SA this KAM rule fails:
    meta     KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) && __KAM_DMARC_POLICY_REJECT
    describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
    score    KAM_DMARC_REJECT 3.0
I understand DKIM signing needs to be as late as possible - is there
an amavisd way to get around this challenge?
Simon.
--
Simon Wilson
M: 0400 12 11 16