[Rspamd-Users] SPF, DKIM and DMARC policy

Andy Kuhlen tamo at mandogo.de
Sun Jun 1 21:50:43 UTC 2025 

Hi Ged.,

thanks for your reply. 

Am 01.06.2025 um 10:25 schrieb G.W. Haywood:
> Hi there,
>
> On Sat, 31 May 2025, Andy Kuhlen via Users wrote:
>
>> ...would like to reject mails where the check shows the following
>> results:
>>
>> ARC-Authentication-Results: i=2;
>>     axe.mydomain.de;
>>     dkim=none ("invalid DKIM record") header.d=choibaidoithuong.com
>> header.s=zoho header.b=RI8h0T1U;
>>     dmarc=fail reason="No valid SPF" header.from=choibaidoithuong.com
>> (policy=none);
>>     arc=pass ("us.zohomail360.com:s=zohoarc:i=1");
>>     spf=none (axe.mydomain.de: domain of contact at choibaidoithuong.com
>> has no SPF policy when checking 136.143.188.167)
>> smtp.mailfrom=contact at choibaidoithuong.com
>
> Does this help?
>
> https://groups.google.com/g/rspamd/c/oyGbTQpp_pk 
>
I'm not sure I would call the link helpful. I've already come across
this link. Had adopted the solution on for my configuration, but can't
really tell if the rule set up did what it was supposed to do. I'll have
to research that again in Redis.

#cat local.d/force_actions.conf

rules {
SJL_SPF-FAIL-REJECT {
action = "reject";
expression = "R_SPF_FAIL";
message = "Rejected SPF-FAIL"; }
}
>> I have set up a reject policy for DMARC in the DNS settings for my
>> domain. Now I would also like to set a reject policy for Rspamd.
>> Does that make sense?
>
> It does to me. ;) 

That's good to know. ;-)

>
>> How should I handle mails where all checks fail? What is
>> reasonable/practicable?
>
> My personal take on it is probably not what a lot of people would call
> reasonable.  Around here, anything which fails SPF checks goes in the
> bin without further consideration. 

It makes sense to me too, although of course it seems to be
controversial as to what the ‘right’ approach is.


>> Unfortunately, the documentation of the SPF, DKIM and DMARC modules
>> of Rspamd is not very informative in this regard. Does anyone have
>> any advice / guidance?
>
> I treat the rspamd documentation as a last resort.  Generally I'll use
> a Google-based search to find out what other people have done and then
> probably look at the 'official' documentation afterwards - to see if I
> can make any sense of it using what I have learned elsewhere.
>
> One of the best resources I've found is
>
> https://groups.google.com/g/rspamd/c/oyGbTQpp_pk
>
> but it's rather dated and by no means complete. 
>

That's true, but if it's still valid and relevant, why not? Even if it's
been a while since it was discussed. The Rspamd documentation is really
poor and leaves a lot to be desired. In many places it is simply
incomplete.

I recognised your ‘73’ and was very pleased to see it. My father was a
ham radio operator. That brought back memories. Just by the way. :-)

73 from me too,

Andy

More information about the Users mailing list