Reject on DKIM PERMFAIL and SPF PERMFAIL as well

2026-05-13 17:34:38 +00:00 · 2024-01-14 09:19:04 +00:00
parent f2be32ac6f
commit 10c671ebda
1 changed files with 24 additions and 5 deletions
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -2,10 +2,29 @@ rules {
    REJECT_DKIM_SPF {
        action = "reject";
        # Reject if
-        #   bad DKIM signature (R_DKIM_REJECT)
-        #   no DKIM signature (R_DKIM_NA)
-        #   SPF failure (R_SPF_FAIL)
-        #   DMARC policy failure (DMARC_POLICY_REJECT)
-        expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+        #   - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
+        #   - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+        #   - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+        #
+        #   - SPF failure (R_SPF_FAIL)
+        #   - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+        #
+        #   - DMARC policy failure (DMARC_POLICY_REJECT)
+        #
+        # Do not reject if:
+        #   - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+        #     and we do not want to lose messages because of faulty network.
+        #
+        #   - R_SPF_SOFTFAIL
+        #   - R_SPF_NEUTRAL
+        #   - R_SPF_DNSFAIL
+        #   - R_SPF_NA
+        #
+        #   - DMARC_DNSFAIL
+        #   - DMARC_NA
+        #   - DMARC_POLICY_SOFTFAIL
+        #   - DMARC_POLICY_QUARANTINE
+        #   - DMARC_BAD_POLICY
+        expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
    }
 }