Facebook
Twitter
QWeb Ric
Regular Pleskian
- Server operating system version
- AlmaLinux 9.8 (Olive Jaguar)
- Plesk version and microupdate number
- Plesk Obsidian 18.0.77 Update #4
Not sure if this is a bug or a feature misunderstanding, and I haven't tested enough yet, so I'm starting off here but may open a bug report later.
With "Enable DMARC to check incoming mail" enabled in the server-wide mail settings, it looks like spamd is skipped if the DMARC check returns a fail, which makes sense from a resource usage perspective as long as failed DMARC causes the mail to then be rejected/deleted, but as far as I can tell this isn't actually happening. So effectively an SPF softfail which causes DMARC fails for some domains, then proceeds to drop obvious spam into the mailbox because SpamAssassin doesn't bother firing.
It's entirely possible that this only happens with certain DMARC rules. I haven't had chance to do much testing there, but I have a hunch that Postfix is seeing something like an ~all flag in the SPF causing a DMARC fail, deciding that this isn't enough to reject the email, and since spamd didn't kick in to add relevant spam headers it's then otherwise just looking like a reasonably legit email.
For now I've just disabled the DMARC validation and, touchwood, incoming spam appears to have reduced.
With "Enable DMARC to check incoming mail" enabled in the server-wide mail settings, it looks like spamd is skipped if the DMARC check returns a fail, which makes sense from a resource usage perspective as long as failed DMARC causes the mail to then be rejected/deleted, but as far as I can tell this isn't actually happening. So effectively an SPF softfail which causes DMARC fails for some domains, then proceeds to drop obvious spam into the mailbox because SpamAssassin doesn't bother firing.
It's entirely possible that this only happens with certain DMARC rules. I haven't had chance to do much testing there, but I have a hunch that Postfix is seeing something like an ~all flag in the SPF causing a DMARC fail, deciding that this isn't enough to reject the email, and since spamd didn't kick in to add relevant spam headers it's then otherwise just looking like a reasonably legit email.
For now I've just disabled the DMARC validation and, touchwood, incoming spam appears to have reduced.
