DMARC mitigation

This rule only matches in order to jump to the moderation chain to reject or discard the message. The rule looks at the list’s dmarc_mitigate_action and if it is other than no_mitigation, it checks the domain of the From: address for a DMARC policy. Depending on various settings, reject or discard the message, or just flag it for the dmarc handler to apply DMARC mitigations to the message.

>>> mlist = create_list('ant@example.com')
>>> rule = config.rules['dmarc-mitigation']
>>> print(rule.name)
dmarc-mitigation

First we set up a mock to return predictable responses to DNS lookups. This returns p=reject for the example.biz domain and not for any others.

>>> from mailman.rules.tests.test_dmarc import get_dns_resolver
>>> ignore = cleanups.enter_context(get_dns_resolver())

Use test data for the organizational domain suffixes.

>>> from mailman.rules.tests.test_dmarc import use_test_organizational_data
>>> cleanups.enter_context(use_test_organizational_data())

A message From: a domain without a DMARC policy does not set any flags.

>>> from mailman.interfaces.mailinglist import DMARCMitigateAction
>>> mlist.dmarc_mitigate_action = DMARCMitigateAction.munge_from
>>> msg = message_from_string("""\
... From: aperson@example.org
... To: ant@example.com
... Subject: A posted message
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
False
>>> msgdata
{}

Even if the From: domain publishes p=reject, no flags are set if the list’s action is no_mitigation.

>>> mlist.dmarc_mitigate_action = DMARCMitigateAction.no_mitigation
>>> msg = message_from_string("""\
... From: aperson@example.biz
... To: ant@example.com
... Subject: A posted message
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
False
>>> msgdata
{}

With a mitigation strategy chosen, the message is flagged.

>>> mlist.dmarc_mitigate_action = DMARCMitigateAction.munge_from
>>> msg = message_from_string("""\
... From: aperson@example.biz
... To: ant@example.com
... Subject: A posted message
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
False
>>> msgdata
{'dmarc': True}

Subdomains which don’t have a policy will check the organizational domain.

>>> msg = message_from_string("""\
... From: aperson@sub.domain.example.biz
... To: ant@example.com
... Subject: A posted message
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
False
>>> msgdata
{'dmarc': True}

The list’s action can also be set to immediately discard or reject the message.

>>> mlist.dmarc_mitigate_action = DMARCMitigateAction.discard
>>> msg = message_from_string("""\
... From: aperson@example.biz
... To: ant@example.com
... Subject: A posted message
... Message-ID: <xxx_message_id@example.biz>
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
True
>>> dump_msgdata(msgdata)
dmarc             : True
dmarc_action      : discard
moderation_reasons: ['DMARC moderation']
moderation_sender : aperson@example.biz

We can reject the message with a default reason.

>>> mlist.dmarc_mitigate_action = DMARCMitigateAction.reject
>>> msg = message_from_string("""\
... From: aperson@example.biz
... To: ant@example.com
... Subject: A posted message
... Message-ID: <xxx_message_id@example.biz>
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
True
>>> dump_msgdata(msgdata)
dmarc             : True
dmarc_action      : reject
moderation_reasons: ['You are not allowed to post to this mailing list...
moderation_sender : aperson@example.biz

And, we can reject with a custom message.

>>> mlist.dmarc_moderation_notice = 'A silly reason'
>>> msg = message_from_string("""\
... From: aperson@example.biz
... To: ant@example.com
... Subject: A posted message
... Message-ID: <xxx_message_id@example.biz>
...
... """)
>>> msgdata = {}
>>> rule.check(mlist, msg, msgdata)
True
>>> dump_msgdata(msgdata)
dmarc             : True
dmarc_action      : reject
moderation_reasons: ['A silly reason']
moderation_sender : aperson@example.biz