Seeking Guidance on Quarantining Emails from Senders Without DMARC Records

scott00

Aug 9, 2022
Hello Proxmox Community,

We're currently working on enhancing our email security and would like to implement a rule or mechanism within our Proxmox Mail Gateway setup to quarantine emails from senders who do not have published DMARC records.

Unfortunately, we're unable to open a support ticket at this time, so we're reaching out here for community guidance.

Has anyone successfully implemented such a rule? If so:

  • What approach or configuration did you use?
  • Are there any recommended best practices or caveats to be aware of?
  • Would this be best handled via custom rules, or is there a built-in feature that supports this?

Any advice, examples, or documentation references would be greatly appreciated!

Thank you in advance for your help.

Best regards,

Scott
 
From my understanding of how PMG works, the most "compatible" and least-effort way is to set a high custom score for "DMARC_MISSING" ( = DMARC not published at all) and/or "DMARC_NONE" ( = DMARC is present but policy is set to NONE) in Spam Detector.

You can also write your own complex SA rule. But why replicate work if someone did it better before you?

But I would not recommend this, just because people have very rarely implemented DMARC correctly (ideally with DKIM signing). I have seen many times that people configured it incorrectly and, as a result of the incorrect configuration, removed the DMARC policy or set it to NONE (mainly government institutions... :( )
 
Thanks, Kisuke — I really appreciate the quick and clear advice!

To adjusting the custom scores for DMARC_MISSING and DMARC_NONE in the Spam Detector, as you suggested. It seems like a clean and manageable approach without needing to dive into custom SpamAssassin rules right away.

That said, I did notice several legitimate emails are being flagged with DMARC_MISSING, so there’s still some risk of missing valid messages. :(

Thanks again for the guidance!

Best regards,
Scott
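
An added example, not part of the thread and not Proxmox Mail Gateway's own code: before raising the scores, the TXT answers at `_dmarc.<domain>` for known legitimate senders can be classified to see how many fall into the "not published" and "policy NONE" cases described in the reply above. The function names and sample domains are constructed, the mapping to DMARC_MISSING and DMARC_NONE follows the reply's description rather than the rule definitions, and the organizational-domain fallback for subdomains is left out.

```python
# Added example: classify DMARC TXT answers into the cases named in the thread.
# All domains and records below are constructed sample data.

def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def classify(txt_records):
    """Return 'missing', 'none', 'enforcing' or 'invalid' for the TXT
    strings found at _dmarc.<domain>."""
    # Only records whose first tag is v=DMARC1 count as DMARC records.
    dmarc = [r for r in txt_records
             if r.strip().split(";")[0].replace(" ", "") == "v=DMARC1"]
    # RFC 7489 6.6.3: zero or several records means no policy is applied.
    if len(dmarc) != 1:
        return "missing"
    policy = parse_tags(dmarc[0]).get("p", "").lower()
    if policy == "none":
        return "none"
    if policy in ("quarantine", "reject"):
        return "enforcing"
    return "invalid"  # p tag absent or not a recognised policy value

def audit(senders):
    """Count outcomes over {domain: [TXT strings]} to estimate impact."""
    counts = {"missing": 0, "none": 0, "enforcing": 0, "invalid": 0}
    for records in senders.values():
        counts[classify(records)] += 1
    return counts

# Constructed sample: TXT answers as a resolver would return them.
SAMPLE = {
    "partner.example": ["v=DMARC1; p=reject; rua=mailto:d@partner.example"],
    "agency.example": ["v=DMARC1; p=none"],
    "smallshop.example": [],
    "legacy.example": ["v=spf1 -all"],  # a TXT record, but not a DMARC one
    "typo.example": ["v=DMARC1; p=quarentine"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(f"{domain:20} {classify(records)}")
    print(audit(SAMPLE))
```

Feeding it the sender domains seen in recent legitimate mail gives a count of how many would be hit by a higher score before the change is made.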