Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Warn about DKIM not existing or failing - on received emails

Discussion in 'E-mail Discussion' started by nunoperalta, Dec 12, 2017.

Tags:
  1. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Hello,

    I've just tested sending a fake email to my inbox, and while I see that SpamAssassin detected that SPF didn't match, it didn't give enough score (min 5.0 in my setup) to show ***SPAM*** on the subject.

    Basically, unless I look at the headers of every email I receive, there is no way to know straight away that an email was spoofed. My Outlook will not warn about that either.


    Is there any easy way to add a prefix to the Subject, just like SpamAssassin does, when DKIM doesn't exist, or DKIM failed verification, or sender doesn't match SPF?

    Thank you.
     
    #1 nunoperalta, Dec 12, 2017
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    You could manually add SPF rules in the SpamAssassin configuration file to enable more aggressive scoring on SPF failures. The global SpamAssassin configuration file on cPanel servers is located at:

    /etc/mail/spamassassin/local.cf

    Here's an example of how SPF rules are implemented when "Enable the Apache SpamAssassin™ ruleset that cPanel uses on cpanel.net" is enabled under the "Apache SpamAssassin" tab in "WHM >> Exim Configuration Manager >> Basic Editor":

    Code:
    #
# SPF failures and information
#
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_NONE 0
score SPF_HELO_NONE 0
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 1.5
endif

    Thus, you'd want to increase the score value on "score SPF_SOFTFAIL 1.5" to something higher than 1.5. Alternatively, the following post offers a workaround if you'd like to enable SPF checking directly in Exim so that it rejects messages that fail SPF verification:

    SPF Verification

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Dec 12, 2017
  3. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Thank you very much Michael - that's definitely helpful!

    However, I would be very interested in doing something similar for DKIM empty or failing.

    Does SpamAssassin support it?
    Or do I need to change exim.conf, maybe checking for the value of $dkim_verify_status? Are there any already-tested ways of doing this?
    (note that I still want to receive the email - just want to add some prefix on the subject)

    If I change exim.conf, will cPanel overwrite it at some point?

    Very kind regards!
     
    #3 nunoperalta, Dec 13, 2017
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    For DKIM, the following options are available under the "ACL Options" tab in "WHM >> Exim Configuration Manager >> Basic Editor":

    Allow DKIM verification for incoming messages
    Reject DKIM failures

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Dec 13, 2017
  5. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Thank you.

    What exacly does "Allow DKIM verification for incoming messages" do when the verification fails?

    Note that I don't want to reject them (so the second option will remain disabled), but I want to add a prefix to the subject instead.

    Very kind regards.
     
    #5 nunoperalta, Dec 13, 2017
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    The Allow DKIM verification for incoming messages option enables scanning for DKIM records with Exim, so the information will appear in the message header but Exim won't actually reject email. Additionally, there are no features to automatically rewrite the subject for DKIM failures, so you may also want to review the following SpamAssassin document about how you could scan for DKIM and mark messages as SPAM:

    Mail::SpamAssassin::Plugin::DKIM - perform DKIM verification tests

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelMichael, Dec 13, 2017
  7. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    I see. Thank you.

    My "Allow DKIM verification for incoming messages" option is disabled in WHM.

    However, SpamAssassin must still be verifying DKIM anyway, as I get the following rules when messages do succeed in DKIM:

    DKIM_VALID_AU
    DKIM_SIGNED
    DKIM_VALID

    (which is good)


    But the Fake test message I sent only has the following:

    SPF_SOFTFAIL
    SPF_HELO_PASS

    It doesn't have anything about DKIM not existing or failing.


    Just like you suggested I could increase the score of SPF_SOFTFAIL to auto-mark as SPAM, shouldn't SpamAssassin also be adding points (or at least have a rule for that) when there is no DKIM at all?

    Thank you.
     
    #7 nunoperalta, Dec 13, 2017
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,802
    Likes Received:
    1,895
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    SpamAssassin uses it's own method of checking for DKIM, as I understand. The KAM ruleset is enabled by default and uses some DKIM rules:

    Code:
    /etc/mail/spamassassin/KAM.cf
    You'd need to create additional custom rules if you wanted to add additional scoring or checking. Or, since that's unsupported, you may also want to consider creating a feature request to have DKIM verification handled through SpamAssassin natively:

    Submit A Feature Request

    Are you sending the message from the cPanel server or a remote mail server? Note you won't see any actual DKIM information in the message header unless Allow DKIM verification for incoming messages is enabled.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #8 cPanelMichael, Dec 13, 2017
  9. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    I use this website to send the email. I wanted to make sure I do it through and external server/service.
    Emkei's Fake Mailer

    It sends no DKIM (as I was expecting anyway).


    Thank you. I'll have a look at your tips.
    I'll create a feature request as well.
     
    #9 nunoperalta, Dec 13, 2017
  10. nunoperalta

    nunoperalta Member

    Joined:
    Jan 27, 2012
    Messages:
    12
    Likes Received:
    1
    Trophy Points:
    53
    cPanel Access Level:
    Root Administrator
    Perfect! I created my own .cf file that will raise the score of SPF_FAIL (and SoftFail), and check whether DKIM is invalid or not exist. I tested another email from the website above and got the exact result I wanted!! :)

    Also sent a proper email from a Gmail account and that wasn't marked as SPAM.

    Thank you very much for your help, Michael.
     
    #10 nunoperalta, Dec 13, 2017
    cPanelMichael likes this.
(You must log in or sign up to post here.)
Loading...
Similar Threads - Warn DKIM existing
  1. loulou11

    WHM Displays Dangerous Warning

    loulou11, Oct 11, 2018 at 7:08 PM, in forum: Security
    Replies:
    2
    Views:
    65
    cPanelLauren
    Oct 12, 2018 at 10:11 AM
  2. veronicabend

    SOLVED A warning occurred while processing this directive

    veronicabend, Sep 26, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    111
    Infopro
    Sep 26, 2018
  3. Ianw5555

    Security Advisor warning about symlink ownership attacks

    Ianw5555, Sep 19, 2018, in forum: Security
    Replies:
    2
    Views:
    73
    cPanelLauren
    Sep 19, 2018
  4. kodyxgen

    Strange error warn [show_template]

    kodyxgen, Sep 17, 2018, in forum: General Discussion
    Replies:
    2
    Views:
    125
    kodyxgen
    Sep 17, 2018
  5. Peter Smith

    ClamAV duplicate database Warning

    Peter Smith, Sep 10, 2018, in forum: Security
    Replies:
    4
    Views:
    156
    cPanelMichael
    Sep 12, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice