[Rspamd-Users] Spam with valid SPF, DKIM, DMARC
Tobias Westerhever
tobias.westerhever at skyline.link38.eu
Sat Feb 14 21:39:00 UTC 2026
Hello Alexander,

> Hi,
>
> I am having trouble with spam that comes in with valid SPF, DKIM and DMARC. Most I would classify as phishing.
>
> I use the default setup of rspamd that comes with docker-mailserver, which includes some DNSBLs. Additionally I am using the new spamhaus DQS. The spam still ends up with negative scores, because the blocklists are not listing it.

from my experience, using Rspamd's greylisting feature in a more aggressive fashion
often helps to fill the gap between spam emissions and blocklists including related
IPs or domains.

By default (https://docs.rspamd.com/modules/greylisting#module-configuration), Rspamd
greylists for 5 minutes, on a /19-basis in case of IPv4, if a message's score is 4.0
or higher. If your audience is patient enough, setting this to a 10 or even 15 minute
time window, on a /32 basis, starting at a lower score (personal sweet spot seems 2.5)
might help. A lot can happen in 10 minutes from a DNSBL reputation perspective. :-)

Speaking of DNSBL usage, it might also help to enable checking resolved FQDN IPs against
Spamhaus ZEN (see https://docs.rspamd.com/modules/rbl#ip-lists). It is configured by
default, but disabled, because spammers might gain intelligence from such DNS resolutions.

> # Not enabled by default due to privacy concerns! (see also groups.d/surbl_group.conf)
> SPAMHAUS_ZEN_URIBL {
>   enabled = false;
>   rbl = "zen.spamhaus.org";
>   checks = ["emails"];
>   resolve_ip = true;
>   returncodes = {
>     URIBL_SBL = "127.0.0.2";
>     URIBL_SBL_CSS = "127.0.0.3";
>     URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
>     URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
>     URIBL_DROP = "127.0.0.9";
>   }
> }

The DNSBL provider landscape seems a bit torn over this: SURBL recommends not
conducting DNS lookups on FQDNs inside a message, Spamhaus does. Besides the above spammer
intel aspect, performance considerations apply as well, of course. In the setups I
administer, however, these additional DNS lookups weren't a performance show-stopper
so far.

All the best,
Tobias
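
The settings suggested in the reply above, written out as Rspamd override files. This is an added example, not part of the original post and not configuration shipped by Rspamd or docker-mailserver; the `local.d/` file paths are an assumption (Rspamd's standard override directory, which a docker-mailserver setup may map to a different location), and the values are the ones the post names.

```ucl
# --- local.d/greylist.conf (path is an assumption, see lead-in) ---
# Defaults according to the post: 5 minutes, /19 basis for IPv4.
timeout = 10min;   # the post suggests a 10 or even 15 minute window
ipv4_mask = 32;    # greylist per single IPv4 address instead of per /19

# --- local.d/actions.conf (path is an assumption) ---
# Score at which the greylist action starts; the post gives 4.0 as the
# default and 2.5 as the author's personal sweet spot.
greylist = 2.5;

# --- local.d/rbl.conf (path is an assumption) ---
# Enables the rule quoted in the post, which is configured but disabled
# by default. It checks resolved FQDN IPs against Spamhaus ZEN, so every
# scanned message can trigger additional DNS lookups (the post's privacy
# and performance remarks apply).
rbls {
  SPAMHAUS_ZEN_URIBL {
    enabled = true;
  }
}
```

After reloading Rspamd, `rspamadm configdump greylist` shows the merged greylisting options, which confirms whether the override file was picked up.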