fix: fixed DMARC check for low quality reputation senders

forwardemail · Dec 8, 2024 · 78c1c36 · 78c1c36
1 parent a10fd32
commit 78c1c36
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 5 deletions.
diff --git a/helpers/is-arbitrary.js b/helpers/is-arbitrary.js
@@ -230,14 +230,18 @@ function isArbitrary(session, headers, bodyStr) {
       hasSameRcptToAsFrom &&
       session.spfFromHeader.status.result !== 'pass' &&
       !(
-        session.spfFromHeader.status.result !== 'fail' &&
+        !['softfail', 'fail'].includes(session.spfFromHeader.status.result) &&
         subject &&
+        (!headers.hasHeader('x-mailer') ||
+          headers.getFirst('x-mailer').toLowerCase().includes('drupal')) &&
         REGEX_SYSADMIN_SUBJECT.test(subject)
       )
     ) {
       // TODO: until we're certain this is properly working we're going to monitor it with code bug to admins
       const err = new TypeError(
-        `Spoofing detected and was soft blocked from ${session.originalFromAddressRootDomain}`
+        `Spoofing detected and was soft blocked from ${
+          session.resolvedRootClientHostname || session.remoteAddress
+        }`
       );
       err.isCodeBug = true;
       err.session = session;

diff --git a/helpers/is-authenticated-message.js b/helpers/is-authenticated-message.js
@@ -128,11 +128,16 @@ async function isAuthenticatedMessage(raw, session, resolver) {
   // and DMARC fail with p=reject policy
   //
   if (
-    // session.spf.status.result !== 'pass' &&
     session.dmarc &&
-    session.dmarc.policy === 'reject' &&
     session.dmarc.status &&
-    session.dmarc.status.result === 'fail'
+    session.dmarc.status.result === 'fail' &&
+    (!session.isAllowlisted ||
+      session.dmarc.policy === 'reject' ||
+      (session.hostNameAppearsAs &&
+        session.hostNameAppearsAs !== session.originalFromAddressRootDomain &&
+        session.hostNameAppearsAs !== session.originalFromAddressDomain &&
+        session.hostNameAppearsAs !== session.resolvedClientHostname &&
+        session.hostNameAppearsAs !== session.resolvedRootClientHostname))
   ) {
     throw new SMTPError(
       "The email sent has failed DMARC validation and is rejected due to the domain's DMARC policy",