From 10c671ebda104c4cc7b0a19e56314676b18b6d38 Mon Sep 17 00:00:00 2001
From: link2xt <link2xt@testrun.org>
Date: Sun, 14 Jan 2024 09:19:04 +0000
Subject: [PATCH] Reject on DKIM PERMFAIL and SPF PERMFAIL as well

---
 .../src/cmdeploy/rspamd/force_actions.conf    | 29 +++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
index a5be7511..9ca9549e 100644
--- a/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
+++ b/cmdeploy/src/cmdeploy/rspamd/force_actions.conf
@@ -2,10 +2,29 @@ rules {
     REJECT_DKIM_SPF {
         action = "reject";
         # Reject if
-        #   bad DKIM signature (R_DKIM_REJECT)
-        #   no DKIM signature (R_DKIM_NA)
-        #   SPF failure (R_SPF_FAIL)
-        #   DMARC policy failure (DMARC_POLICY_REJECT)
-        expression = "R_DKIM_REJECT | R_DKIM_NA | R_SPF_FAIL | DMARC_POLICY_REJECT";
+        #   - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
+        #   - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+        #   - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+        #
+        #   - SPF failure (R_SPF_FAIL)
+        #   - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+        #
+        #   - DMARC policy failure (DMARC_POLICY_REJECT)
+        #
+        # Do not reject if:
+        #   - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+        #     and we do not want to lose messages because of faulty network.
+        #
+        #   - R_SPF_SOFTFAIL
+        #   - R_SPF_NEUTRAL
+        #   - R_SPF_DNSFAIL
+        #   - R_SPF_NA
+        #
+        #   - DMARC_DNSFAIL
+        #   - DMARC_NA
+        #   - DMARC_POLICY_SOFTFAIL
+        #   - DMARC_POLICY_QUARANTINE
+        #   - DMARC_BAD_POLICY
+        expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
     }
 }