MailScanner and Zimbra

David Jones djones at
Mon Nov 4 01:30:40 UTC 2019

Those Zimbra rules are better than nothing but they aren’t correct on lines 88, 93, and 98.  The DMARC specification says that DKIM should pass and align with the From: domain OR SPF should pass and align with the envelope-from domain.  Those rules at those lines say it’s an AND but it should be OR like


It’s not that critical since they are only subtracting a few points for the DMARC_PASS_* rules.  Then again, passing DMARC doesn’t have a direct relationship to spam and ham.  It only asserts the email was authentic (DKIM) or authorized (SPF).  You can take any of those DKIM_VALID_AU and SPF_PASS and create whitelist_auth entries which actually have value towards allowing/blocking.

The best way to get DMARC support into SA is to install opendmarc and integrate it into your MTA (plenty of HOWTOs out there) and then add rules similar to these (adjust regex for your opendmarc.conf AuthservID setting):

AuthservID =
RejectFailures true
Socket inet:8893 at localhost
SoftwareHeader true
SPFIgnoreResults true
SPFSelfValidate true

header                  DMARC_PASS    Authentication-Results =~ /smtp\.example\.com; dmarc=pass/
describe               DMARC_PASS    DMARC check passed
score                     DMARC_PASS    -0.01

header                  DMARC_FAIL      Authentication-Results =~ /smtp\.example\.com; dmarc=fail/
describe               DMARC_FAIL      DMARC check failed
score                     DMARC_FAIL      0.01

header                  DMARC_NONE  Authentication-Results =~ /smtp\.example\.com; dmarc=none/
describe               DMARC_NONE  DMARC check neutral
score                     DMARC_NONE  0.01

header                  __DMARC_FAIL_REJECT Authentication-Results =~ /smtp\.example\.com; dmarc=fail \(p=reject/
meta                      DMARC_FAIL_REJECT      __DMARC_FAIL_REJECT
describe               DMARC_FAIL_REJECT      DMARC check failed and the sending domains says to reject this message
score                     DMARC_FAIL_REJECT      9.0

Then create meta rules based off of the rules above or use MailScanner’s “SpamAssassin Rule Actions” form more precision.

DMARC_PASS != ham and DMARC_FAIL != spam.  These should be used to make safe whitelist_auth entries.

From: Thomas Stephen Lee <lee.iitb at>
Date: Sunday, November 3, 2019 at 9:10 AM
To: MailScanner Discussion <mailscanner at>
Cc: Shawn Iverson <iversons at>, David Jones <djones at>
Subject: Re: MailScanner and Zimbra

Hi All,

The DMARC rules are in

Sorry, Zimbra does not have a MailScanner rule.
We added it extra.

vim /opt/zimbra/data/spamassassin/localrules/<>

header    LOCAL_MAILSCANNER_SPAM   X-Organization-MailScanner-SpamScore =~ /sssss/
describe  LOCAL_MAILSCANNER_SPAM   MailScanner marked SPAM
score     LOCAL_MAILSCANNER_SPAM   4.123


Thomas Stephen Lee

On Sat, Nov 2, 2019 at 11:01 PM Shawn Iverson via MailScanner <mailscanner at<mailto:mailscanner at>> wrote:

Would love to see those rules as well. I like that Zimbra has a MailScanner rule!

On Sat, Nov 2, 2019 at 1:25 PM David Jones via MailScanner <mailscanner at<mailto:mailscanner at>> wrote:
DMARC and BAYES blocked that email.

It would be interesting to get/see the details of the “DMARC_” rules on the Zimbra server.  Zimbra must have added DMARC support to Spamassassin.  I wonder if they used opendmarc with custom SA rules to read the opendmarc headers.

Same for LOCAL_MAILSCANNER_SPAM.  I would like to see that rule.  In a Zimbra environment, you may want to use MailScanner to score only and not block to utilize the built-in Zimbra spam/ham handling.

From: MailScanner < at< at>> on behalf of Thomas Stephen Lee <lee.iitb at<mailto:lee.iitb at>>
Reply-To: MailScanner Discussion <mailscanner at<mailto:mailscanner at>>
Date: Saturday, November 2, 2019 at 4:12 AM
To: MailScanner Discussion <mailscanner at<mailto:mailscanner at>>
Subject: Re: MailScanner and Zimbra

Hi All,

Thank you very much for all the suggestions.
We will try out one by one.

Given below is a partial output of a message Zimbra caught as spam.


Content analysis details:   (16.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.2 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
 1.0 HK_RANDOM_REPLYTO      Reply-To username looks random
 1.0 HK_RANDOM_FROM         From username looks random
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
                            domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 6.0 DMARC_FAIL_QUAR        DMARC validation failed and policy is quarantine
 0.0 FREEMAIL_FORGED_FROMDOMAIN 2nd level domains in From and EnvelopeFrom
                             freemail headers are different
 0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS



Thomas Stephen Lee

On Fri, Nov 1, 2019 at 10:47 PM Mark Sapiro <mark at<mailto:mark at>> wrote:
On 11/1/19 6:05 AM, Shawn Iverson via MailScanner wrote:
> +1
> We need to put this on the MailScanner website as "Things you can do to
> enhance your MailScanner" :)


The old web site used to have some tips. See
Some of this is out of date, but we should have similar info on the
current web site.

Mark Sapiro <mark at<mailto:mark at>>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

MailScanner mailing list
mailscanner at<mailto:mailscanner at>

MailScanner mailing list
mailscanner at<mailto:mailscanner at>

Shawn Iverson, CETL
Rush County Schools
iversons at<mailto:iversons at>

Error! Filename not specified.Error! Filename not specified.Error! Filename not specified.

MailScanner mailing list
mailscanner at<mailto:mailscanner at>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the MailScanner mailing list