Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Feature Requests
  3. Authentication-Results should also contain DMARC and DKIM result

Authentication-Results should also contain DMARC and DKIM result

Scheduled Pinned Locked Moved Feature Requests
email
4 Posts 3 Posters 875 Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M Offline
    M Offline
    moco
    wrote on last edited by girish
    #1

    New subscriber here.

    I wanted to request an email header enhancement. For incoming email, currently the "Authentication-Results" header only displays if SPF passed or failed. Other email implementations also place the DKIM and DMARC results there. I'm requesting the Cloudron email also place the DKIM and DMARC results in the Authentication-Results header.

    Authentication-Results: mail2.outsi.de (dis=neutral; info=dmarc domain policy);
        dmarc=pass (dis=neutral p=reject; aspf=r; adkim=r; pSrc=dns) header.from=example.org;
        dkim=pass header.d=example.org header.s=r header.b=O/8zOi6w
    

    I believe this available by adding OpenDMARC to Postfix.

    When fully functional this header is a useful troubleshooting tool for incoming emails.

    ? girishG 2 Replies Last reply
    5
    • M moco

      New subscriber here.

      I wanted to request an email header enhancement. For incoming email, currently the "Authentication-Results" header only displays if SPF passed or failed. Other email implementations also place the DKIM and DMARC results there. I'm requesting the Cloudron email also place the DKIM and DMARC results in the Authentication-Results header.

      Authentication-Results: mail2.outsi.de (dis=neutral; info=dmarc domain policy);
          dmarc=pass (dis=neutral p=reject; aspf=r; adkim=r; pSrc=dns) header.from=example.org;
          dkim=pass header.d=example.org header.s=r header.b=O/8zOi6w
      

      I believe this available by adding OpenDMARC to Postfix.

      When fully functional this header is a useful troubleshooting tool for incoming emails.

      ? Offline
      ? Offline
      A Former User
      wrote on last edited by
      #2

      @moco that's a really good idea! By the way for next time, there's a feature request category on the forums for things like this.

      1 Reply Last reply
      2
      • M moco

        New subscriber here.

        I wanted to request an email header enhancement. For incoming email, currently the "Authentication-Results" header only displays if SPF passed or failed. Other email implementations also place the DKIM and DMARC results there. I'm requesting the Cloudron email also place the DKIM and DMARC results in the Authentication-Results header.

        Authentication-Results: mail2.outsi.de (dis=neutral; info=dmarc domain policy);
            dmarc=pass (dis=neutral p=reject; aspf=r; adkim=r; pSrc=dns) header.from=example.org;
            dkim=pass header.d=example.org header.s=r header.b=O/8zOi6w
        

        I believe this available by adding OpenDMARC to Postfix.

        When fully functional this header is a useful troubleshooting tool for incoming emails.

        girishG Offline
        girishG Offline
        girish
        Staff
        wrote on last edited by
        #3

        @moco We don't use postfix but instead use Haraka mail server. Haraka does have a plugin can dkim_verify that will attach this information. I have to investigate a bit more to give a better reply but off my head this is not enabled because SpamAssassin does the DKIM checks and I wanted to avoid double DKIM verification. You will see the DKIM check in the spam status results:

        X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
        	DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS
        	autolearn=no autolearn_force=no version=3.4.4
        

        Cloudron currently does not honor DMARC (for better or worse). It seems there are too many poorly misconfigured mail servers out there and it's too "risky" to enable it to reject mail outright if SPF or DKIM fails. Instead, we just categorize such mails as spam.

        M 1 Reply Last reply
        2
        • girishG girish

          @moco We don't use postfix but instead use Haraka mail server. Haraka does have a plugin can dkim_verify that will attach this information. I have to investigate a bit more to give a better reply but off my head this is not enabled because SpamAssassin does the DKIM checks and I wanted to avoid double DKIM verification. You will see the DKIM check in the spam status results:

          X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_INVALID,
          	DKIM_SIGNED,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS
          	autolearn=no autolearn_force=no version=3.4.4
          

          Cloudron currently does not honor DMARC (for better or worse). It seems there are too many poorly misconfigured mail servers out there and it's too "risky" to enable it to reject mail outright if SPF or DKIM fails. Instead, we just categorize such mails as spam.

          M Offline
          M Offline
          moco
          wrote on last edited by
          #4

          @girish Hi there. Thanks for checking into this for me.

          I had a suspicion that the spam engine was verifying, since I did see those fields in the Spam results headers. However I think it's also useful to have Haraka add the headers as well. It would add very little overhead and will add additional detail that the spam header doesn't contain about the DKIM verification (such as which signature failed or passed, since an email can contain multiple).

          In regards to DMARC. I don't believe this would be risky at all if implemented in the following manner:

          • No DMARC record found, take no action.
          • DMARC found, DKIM/SPF aligned, take no action
          • DMARC found, DKIM/SPF alignment fails, but p=none, take no action.
          • DMARC found, DKIM/SPF alignment fails, but p=quarantine, move to spam folder
          • DMARC found, DKIM/SPF alignment fails, p=reject, dev/null the mail. If you don't like the risk of this, push it to spam instead... or make it a cloudron option under Settings.

          Thanks for listening.

          1 Reply Last reply
          2
          Reply
          • Reply as topic
          Log in to reply
          • Oldest to Newest
          • Newest to Oldest
          • Most Votes


          • Login

          • Don't have an account? Register

          • Login or register to search.
          • First post
            Last post
          0
          • Categories
          • Recent
          • Tags
          • Popular
          • Bookmarks
          • Search