Posted on by admins@dnswl.org

Whitelisting DKIM-signed domains

(Update 2017-10-09 16:00 – added rspamd)

At the M3AAWG meeting (see previous post) there was considerable interest in the proposal on domain-based whitelisting information. However there is no operational experience which would allow anyone to see how this would perform.

Now you can test 🙂

We set up an experimental domain-based whitelist. We reserve the right to change, stop, or completely rework the current system.

The data is available under the dwl.dnswl.org zone which can be queried like any domain- or hostname-blacklist:

# dig -t ANY dnswl.test.dwl.dnswl.org +short
127.0.10.0
"Domain whitelisted at https://dnswl.org/s/?s=dnswl.test"

The return values are the same as for the IP-based list (see here for details).

We currently infer the domain-based trust from the IP-based trust information using a weighted average. This will change once we move out of the experimental phase into a more production-like mode.

Testing with anti-spam solutions

Please note that the following examples are not complete solutions, but merely intended for testing. You should consider your local policies for applying whitelisting information. Also, you may want to ensure that for a particular message you are only counting one whitelist result if you get a hit from both the IP- and the domain-based list.

rspamd

dnswl_dwl {
    symbol = "DWL_DNSWL";
    rbl = "dwl.dnswl.org";
    ipv4 = false
    ipv6 = false;
    received = false;
    from = false;
    rdns = false;
    helo = false;
    dkim = true;
    dkim_domainonly = false;
    emails = false;
    unknown = false;
    is_whitelist = true;
    whitelist_exception = "DWL_DNSWL";
    whitelist_exception = "DWL_DNSWL_NONE";
    whitelist_exception = "DWL_DNSWL_LOW";
    whitelist_exception = "DWL_DNSWL_BLOCKED";
    returncodes {
        DWL_DNSWL_NONE = "127.0.%d+.0";
        DWL_DNSWL_LOW = "127.0.%d+.1";
        DWL_DNSWL_MED = "127.0.%d+.2";
        DWL_DNSWL_HI = "127.0.%d+.3";
        DWL_DNSWL_BLOCKED = "127.0.0.255";
    }
}

With many thanks to the friendly support from cgt, _smf_ and notkoos in #rspamd on Freenode!

SpamAssassin

ifplugin Mail::SpamAssassin::Plugin::AskDNS

askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
tflags DNSWL_DWL_HI nice net
describe DNSWL_DWL_HI dwl.dnswl.org high trust
score DNSWL_DWL_HI -5

askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
tflags DNSWL_DWL_MED nice net
describe DNSWL_DWL_MED dwl.dnswl.org medium trust
score DNSWL_DWL_MED -2

askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
tflags DNSWL_DWL_LOW nice net
describe DNSWL_DWL_LOW dwl.dnswl.org low trust
score DNSWL_DWL_LOW -1

askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
tflags DNSWL_DWL_NONE nice net
describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust information available
score DNSWL_DWL_NONE -0.1

endif # Mail::SpamAssassin::Plugin::AskDNS