Currently we reject emails that fail DKIM check: https://github.com/deltachat/chatmail/blob/3665d957a7243695a3db4d45918118e7eed74add/cmdeploy/src/cmdeploy/rspamd/force_actions.conf#L9
We also reject emails failed by DMARC policy: https://github.com/deltachat/chatmail/blob/3665d957a7243695a3db4d45918118e7eed74add/cmdeploy/src/cmdeploy/rspamd/force_actions.conf#L41
However, apparently `dkim` module does not check that DKIM signature domain is aligned with RFC5322.From domain. This is [the only good] part of DMARC standard and is therefore checked by DMARC module.

However, DMARC module checks very little even if `p=reject` policy is published for the `From` header domain. It will pass if either SPF or DKIM passes, while we want to enforce valid DKIM signatures. It will also pass if there is no strict reject policy or if there is simply no DMARC record.

We need a way to check that there is a DKIM signature corresponding to the `From:` header of the IMF aka RFC5322.From regardless of DMARC. Then we don't even need to resolve SPF or DMARC records. If there is no way to do this with `rspamd`, seems the solution would be to implement our own checker, see #179
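The alignment check asked for above, as an added Python sketch that is not chatmail's or rspamd's code: it accepts a message only when a verified DKIM signature has `d=` equal to the RFC5322.From domain, with no SPF or DMARC lookup. The function names, the `verified` input (one boolean per signature, assumed to come from a real DKIM verifier) and the choice of strict equality rather than relaxed alignment are assumptions.

```python
from email import message_from_bytes, policy

# Constructed sample: a DKIM signature from a domain unrelated to From.
SAMPLE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=sel;\r\n"
    b" h=from:to:subject; bh=AAAA; b=BBBB\r\n"
    b"From: Alice <alice@chat.example>\r\n"
    b"To: bob@nine.example\r\n"
    b"Subject: hi\r\n\r\nbody\r\n"
)


def from_domain(msg):
    """Domain of the single RFC5322.From mailbox, or None if ambiguous."""
    headers = msg.get_all("From", [])
    if len(headers) != 1:
        return None  # missing or repeated From header
    addrs = headers[0].addresses
    if len(addrs) != 1 or not addrs[0].domain:
        return None  # several mailboxes, or no parsable domain
    return addrs[0].domain.lower().rstrip(".")


def signature_domains(msg):
    """d= tag of every DKIM-Signature header, in header order."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in "".join(str(value).split()).split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name] = val
        domains.append(tags.get("d", "").lower().rstrip("."))
    return domains


def aligned_dkim_pass(raw, verified):
    """True only if a verified signature has d= equal to the From domain.

    `verified` is one boolean per DKIM-Signature header, in order (assumed to
    come from a real DKIM verifier; no cryptography is done here).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    domain = from_domain(msg)
    sigs = signature_domains(msg)
    if domain is None or len(sigs) != len(verified):
        return False
    return any(ok and d == domain for d, ok in zip(sigs, verified))
```

With the constructed sample, a signature that verifies for `other.example` does not satisfy the check, because the From domain is `chat.example`.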