One of the reasons junk mail filters often castigate emails to junk is when they are trying to impersonate a domain, resulting in an spf=fail (e.g. Authentication-Results: ; spf=fail) in the authentication results in the header. Similar is true for DKIM, if the domain has it set up.
While overall I’ve noticed SpamSieve is pretty good, I have found the items it usually misses are those trying to impersonate a domain that has DMARC set to quarantine over reject. As a result it’ll instantly go to junk but the recovery script fishes it out and sometimes will fail to detect the spam, resulting in one that needs to be trained as spam.
It’d be good to automatically be able to set a rule to force these back to junk as they are a key part in securing email.
I would, of course, like SpamSieve to be catching these spams automatically. If that’s not happening, please flag the messages in SpamSieve’s Log window and send in a diagnostic report.
That said, I can look into adding support for more headers to the blocklist. Are there others besides Authentication-Results that you’re interested in using?
I’ve sent you the diagnostic report and flagged the most recent. These don’t come up a lot but I just noticed it wasn’t seeming to get considered.
The ideal state would almost be considering it as part of the spam assessment. Authentication-Results is the big one that is always present, to my knowledge, as these are the results that will often auto confine something to spam as they are big red flags, but each different provider usually has their own spam score or assessment too. Not sure I’d blacklist off those, as iCloud for instance flags a lot of items incorrectly, but it’d probably make for interesting additional weighting data.
Thanks. I think I can make some adjustments in the next version, which will help with these.
SpamSieve does factor many of these into its assessment, but, yeah, I think in most cases it doesn’t make sense to allowlist or blocklist based on them.
If you look at the Log, then click an item, then go to the Raw Source tab, you can see the email’s headers at the start, which you won’t normally see looking at an email. Within this there are often a number of additional bits of information.
A number of years ago to reduce email spam and phishing they introduced some new elements:
SPF - Flags which servers can send an email on its behalf
DKIM - Allows senders to sign their emails on send creating additional validation
DMARC - Tells the receiving server the default behaviour. It is often none (do nothing) or quarantine (send straight to junk) but some companies will have it as reject which means it’ll never even be delivered.
BIMI - This is newer and allows companies to display their trademarked logo in your email client, e.g. the attached image is an airline frequent flyer subject and sender in Mail. It’s a subtle but important change on the left to show the logo.
A lot of cloud companies already pass your email through a spam system too and will have scored it to decide if it should go to spam but there are numerous different things that get added in.
One slight challenge with just always blocking some of these can be mail proxies (intermediates). Commonly found in enterprises, they may result in everything failing some of these checks but are usually managed in other ways.
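As an added illustration of the header check discussed in this thread (not part of any post above and not SpamSieve's code), the following Python sketch reads the SPF, DKIM and DMARC verdicts out of a message's Authentication-Results headers. The server name `mx.example.net`, the function names and the sample message are assumptions made up for the example; because a sender can insert this header too, only copies stamped by a trusted receiving server are read.

```python
import email
import re
from email import policy

# Assumption: the authserv-id your own receiving server stamps (placeholder).
TRUSTED = frozenset({"mx.example.net"})

_COMMENT = re.compile(r"\([^()]*\)")  # non-nested (comment) text
_RESINFO = re.compile(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(raw_message, trusted=TRUSTED):
    """Collect {method: [results]} from trusted Authentication-Results headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        value = _COMMENT.sub(" ", str(header))
        authserv_id, _, rest = value.partition(";")
        parts = authserv_id.split()
        # Anyone can put this header in a message they send, so ignore copies
        # that were not stamped by a server we trust.
        if not parts or parts[0].lower() not in trusted:
            continue
        for clause in rest.split(";"):
            m = _RESINFO.match(clause)
            if m:
                found.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return found

def failed_checks(raw_message, trusted=TRUSTED):
    """Methods with a hard 'fail' and no 'pass' (softfail/none are not counted)."""
    results = auth_results(raw_message, trusted)
    return sorted(m for m, r in results.items() if "fail" in r and "pass" not in r)

# Constructed sample: one header from the trusted server (folded over several
# lines) and one forged header claiming that everything passed.
SAMPLE = (
    "Authentication-Results: mx.example.net;\n"
    " spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=bank.example;\n"
    " dkim=none; dmarc=fail (p=quarantine) header.from=bank.example\n"
    "Authentication-Results: forged.invalid; spf=pass; dkim=pass; dmarc=pass\n"
    "From: Bank <alerts@bank.example>\n"
    "Subject: Verify your account\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(auth_results(SAMPLE))
    print(failed_checks(SAMPLE))
```
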