DKIM and unsigned mail - ORF Forums


1

Hello.

I enabled the enforced signature with the following settings:
- Email address *@*
- Selector *
- Domain *
- Type Simple text/masked

But ORF still passes unsigned emails that passed SPF test, according to DMARC policy. How to fix it? I need ORF to reject all emails that do not contain DKIM at all.

by Asklepius 4 weeks ago
2

@Asklepius: Hello Asklepius,

I am not sure that would be a good idea.

The DMARC RFC standard specifies that the sender domain verified by the SPF Test or the signatory domain in the DKIM signature, verified by the DKIM Test, must match the author domain in the 'From' header field (i.e. the one displayed by email clients in the 'From:' field) for the email to pass DMARC verification.

The whole point of the DMARC Test is to verify the authenticity of the author's email address, ensuring it is not spoofed (i.e., forged/impersonated). Additionally, it aims to minimize false positives during sender authentication by including a backup plan:

A) If email forwarding causes SPF failure, the email still has a chance to pass with a (verified) DKIM signatory domain match.
B) If the mail transfer agents mess up the DKIM signature during processing, either by removing it or breaking it, the email can still pass with a (verified) SPF sender domain match.

By design, ORF runs the DMARC Test first (which includes SPF and DKIM checks), and if the email passes the DMARC verification test, then the email authentication is considered successful - but subsequent tests can still blacklist the email for other reasons. The SPF and DKIM blacklist actions are only triggered if the author domain does not have a DMARC record (or it is excluded from the DMARC Test), and the email fails either the SPF or DKIM tests.

That being said, if you want to configure ORF to reject all emails that do not contain a DKIM signature, follow these steps:

1. Open the ORF Administration Tool.
2. Navigate to the 'Filtering > Tests' page.
3. Click the 'Configure' button to open the 'Whitelist Test Exceptions' window.
4. Mark the DKIM Test checkbox enabled.
5. Click 'Ok' and save the configuration (Ctrl+S) to apply the new settings.

Note, however, that the above rule will be enforced for whitelisted emails as well, except for those that have been whitelisted by the IP Whitelist or the Authentication Whitelist tests (see 'test order and priority': https://vamsoft.com/support/docs/orf-help/6.8.3/tests).

I hope the above proves helpful to you, but let me know if you need further assistance.

by Daniel Novak (Vamsoft) 4 weeks ago
(in reply to this post)
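The alignment logic described in the reply above, as an added example that is not part of the original post and not ORF's code: a DMARC evaluation passes when either the SPF-authenticated domain or a verified DKIM signing domain aligns with the From-header domain, which is why an unsigned message with an aligned SPF pass still passes. The `Message` and `DkimSig` types are assumptions, and relaxed alignment is simplified to a suffix match (no public-suffix list).

```python
"""DMARC alignment check (added example; assumed data model, not ORF's implementation)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DkimSig:
    domain: str      # d= tag of the DKIM-Signature header (signatory domain)
    verified: bool   # True if the signature validated (DKIM Test result)


@dataclass
class Message:
    from_domain: str                   # author domain taken from the RFC 5322 From: header
    spf_domain: str                    # domain the SPF Test verified (envelope MAIL FROM)
    spf_pass: bool                     # SPF Test result
    dkim: List[DkimSig] = field(default_factory=list)   # empty list = unsigned mail


def aligned(domain: str, from_domain: str, strict: bool) -> bool:
    """Identifier alignment: exact match (strict) or same organizational domain (relaxed).
    Relaxed mode is approximated here with a label-suffix match (constructed simplification)."""
    d, f = domain.lower(), from_domain.lower()
    if strict:
        return d == f
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def dmarc_result(msg: Message, aspf_strict: bool = False,
                 adkim_strict: bool = False) -> Tuple[str, Optional[str]]:
    """Return ('pass', <which identifier aligned>) or ('fail', None).

    Case A from the post: SPF broken by forwarding, but a verified DKIM signature
    whose d= domain aligns with the From domain still yields a pass.
    Case B from the post: DKIM removed or broken in transit, but an aligned
    SPF-authenticated domain still yields a pass (this also covers unsigned mail).
    """
    for sig in msg.dkim:
        if sig.verified and aligned(sig.domain, msg.from_domain, adkim_strict):
            return ("pass", "dkim")
    if msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, aspf_strict):
        return ("pass", "spf")
    return ("fail", None)
```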

3

@Daniel Novak (Vamsoft): Thank you.

by Asklepius 4 weeks ago
(in reply to this post)
