[Rspamd-Users] Spam with valid SPF, DKIM, DMARC
G.W. Haywood
rspamd at jubileegroup.co.uk
Sat Feb 14 12:20:52 UTC 2026
Hi there,
On Sat, 14 Feb 2026, Alexander Vowinkel wrote:
> I am having trouble with spam that comes in with valid SPF, DKIM and DMARC.
Welcome ... to the real world.
> I use the default setup of rspamd that comes with docker-mailserver,
> which includes some DNSBLs.
Which DNSBLs? Here are those we use at present, with the approximate
percentage of hits for known spam *here* for the first two weeks of
February 2026:
  <1  db.wpbl.info
  <1  ubl.unsubscore.com
   5  psbl.surriel.com
   5  bl.scientificspam.net
   7  rbl.interserver.net
   8  dnsbl-1.uceprotect.net
   8  bl.fmb.la
   8  dbl.dq.spamhaus.net
   8  truncate.gbudb.net
   8  bl.0spam.org
   9  all.spamrats.com
  12  bl.spamcop.net
  13  bl.mailspike.net
  15  zen.dq.spamhaus.net
  23  bad.virusfree.cz
  40  dnsbl.spfbl.net
In this list I have NOT filtered the known spam for its SPF/DKIM
features, so something like dnsbl.spfbl.net won't help you with your
particular problem even though it scores well in my table. Obviously
your spam profile will be different from ours, so this can only be a
*very* rough guide to the results which someone else with a different
spam profile might expect/hope to see.
We give each DNSBL an integer score based on our experience with it.
The score is in the range 1 to 3. For each incoming mail connection
the scores are added together. If the total is more than 2.5 then the
message is tempfailed and will eventually be reviewed manually. This
works for us but (a) this is low volume and (b) it still doesn't stop
spam from the likes of AS8075 or AS15169, who routinely send properly
signed messages with valid SPF from scammers who use their services.
They get their own special treatment. :)
> Additionally I am using the new spamhaus DQS. The spam still ends up
> with negative scores, because the blocklists are not listing it.
I'm not sure how new the DQS service is. It won't perform miracles -
none of them will, as you will see from the table.
> Does anyone have similar problems?
To a first approximation, everyone has similar problems.
> Possibly already solved it?
It is not a problem that can be solved. With sufficient effort its
effects can be reduced, but it's a lot of effort, and it's ongoing.
Look at the sizes of the files in our Yara rules, and the timestamps:
8<--------------------------------------------------------------------------
-rw-r--r-- 1 ged ged 15897 Sep 2 10:42 IP_list.yar
-rw-r--r-- 1 ged ged 26 Jan 7 2025 CONNECT_Rules.yar
-rw-r--r-- 1 ged ged 162 May 6 2025 01_CONNECT/connect_tempfail
-rw-r--r-- 1 ged ged 92 Aug 4 2025 01_CONNECT/connect_reject
-rw-r--r-- 1 ged ged 4154 Sep 23 11:41 02_HELO/EHLO_Rules
-rw-r--r-- 1 ged ged 146 Aug 9 2025 02_HELO/helo_tempfail
-rw-r--r-- 1 ged ged 114 Aug 13 2025 02_HELO/helo_reject
-rw-r--r-- 1 ged ged 263 Apr 16 2025 ENVFROM_Rules.yar
-rw-r--r-- 1 ged ged 333 Oct 1 16:11 03_ENVFROM/envfrom_AUTOREPORT
-rw-r--r-- 1 ged ged 132 Jul 12 2024 03_ENVFROM/envfrom_noreport
-rw-r--r-- 1 ged ged 222 Jun 9 2025 03_ENVFROM/envfrom_reject
-rw-r--r-- 1 ged ged 122 Jan 12 2025 03_ENVFROM/envfrom_tempfail
-rw-r--r-- 1 ged ged 51 Apr 16 2025 ENVRCPT_Rules.yar
-rw-r--r-- 1 ged ged 2593 Oct 4 12:34 04_ENVRCPT/envrcpt_spamtrap
-rw-r--r-- 1 ged ged 2421 Oct 25 15:08 04_ENVRCPT/envrcpt_whitelist
-rw-r--r-- 1 ged ged 6339 Mar 12 2023 Bad_Header_Rules.yar
-rw-r--r-- 1 ged ged 40830 Feb 11 23:57 Header_Rules.yar
-rw-r--r-- 1 ged ged 421 Mar 4 2025 06_HEADER/header_whitelist
-rw-r--r-- 1 ged ged 1918 Feb 11 12:19 07_EOH/header_reject
-rw-r--r-- 1 ged ged 690 Apr 13 2025 07_EOH/header_spamlist
-rw-r--r-- 1 ged ged 399 Oct 13 12:17 07_EOH/header_tempfail
-rw-r--r-- 1 ged ged 283 Feb 9 13:30 09_EOM/eom_AUTOREPORT
-rw-r--r-- 1 ged ged 2175 Feb 10 16:24 09_EOM/eom_tempfail
-rw-r--r-- 1 ged ged 2636 Oct 8 10:23 09_EOM/eom_reject
-rw-r--r-- 1 ged ged 59732 Feb 11 23:55 Garbage_Rules.yar
-rw-r--r-- 1 ged ged 10283 Oct 4 12:30 REJECT_Rules.yar
8<--------------------------------------------------------------------------
That should give you a feel for the amount of effort involved for a
*very* small service provision which stops near enough 100% of spam
but which needs near enough constant attention.
--
73,
Ged.
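
[Added example, not part of the original post and not the poster's code: a sketch of the per-connection DNSBL scoring described above (weights of 1 to 3 summed, total above 2.5 means tempfail), generalised to IPv6 query names. The per-list weights, the function names and the resolver data are assumptions constructed for illustration; only the 1 to 3 range and the 2.5 threshold come from the post.]

```python
import ipaddress

# Assumed per-list weights (1..3); the post gives the range, not the values.
WEIGHTS = {
    "bl.spamcop.net": 2,
    "psbl.surriel.com": 1,
    "bl.mailspike.net": 1,
    "all.spamrats.com": 1,
}
THRESHOLD = 2.5  # from the post: a total above this is tempfailed
LISTED = ipaddress.ip_network("127.0.0.0/8")
ERRORS = ipaddress.ip_network("127.255.255.0/24")

def query_name(ip, zone):
    """DNSBL query name: reversed octets (IPv4) or nibbles (IPv6), then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def is_listed(answers):
    """A hit is an A record in 127.0.0.0/8, excluding 127.255.255.0/24,
    which some lists (e.g. Spamhaus) return for refused or over-limit queries."""
    return any(a in LISTED and a not in ERRORS
               for a in map(ipaddress.ip_address, answers))

def score_connection(ip, resolve, weights=WEIGHTS):
    """resolve(name) returns a list of A-record strings ([] for NXDOMAIN/timeout)."""
    hits = {z: w for z, w in weights.items() if is_listed(resolve(query_name(ip, z)))}
    total = sum(hits.values())
    return ("tempfail" if total > THRESHOLD else "accept"), total, sorted(hits)

# Constructed resolver data so the sketch runs offline (192.0.2.0/24 is a documentation range).
FAKE_DNS = {
    "7.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "7.2.0.192.psbl.surriel.com": ["127.0.0.2"],
    "7.2.0.192.all.spamrats.com": ["127.255.255.254"],  # constructed error-range answer
    "9.2.0.192.bl.spamcop.net": ["127.0.0.2"],
}

def fake_resolve(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    print(score_connection("192.0.2.7", fake_resolve))
    print(score_connection("192.0.2.9", fake_resolve))
```

[With integer weights, "more than 2.5" means a total of at least 3, so a single weight-2 list never tempfails a connection on its own. Error-range answers have to be excluded before summing, otherwise a rate-limited resolver turns every connection into a hit.]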