diff --git a/helpers/is-arbitrary.js b/helpers/is-arbitrary.js
index 455d1afdae..a017aa1e53 100644
--- a/helpers/is-arbitrary.js
+++ b/helpers/is-arbitrary.js
@@ -230,14 +230,18 @@ function isArbitrary(session, headers, bodyStr) {
 hasSameRcptToAsFrom &&
 session.spfFromHeader.status.result !== 'pass' &&
 !(
- session.spfFromHeader.status.result !== 'fail' &&
+ !['softfail', 'fail'].includes(session.spfFromHeader.status.result) &&
 subject &&
+ (!headers.hasHeader('x-mailer') ||
+ headers.getFirst('x-mailer').toLowerCase().includes('drupal')) &&
 REGEX_SYSADMIN_SUBJECT.test(subject)
 )
 ) {
 // TODO: until we're certain this is properly working we're going to monitor it with code bug to admins
 const err = new TypeError(
- `Spoofing detected and was soft blocked from ${session.originalFromAddressRootDomain}`
+ `Spoofing detected and was soft blocked from ${
+ session.resolvedRootClientHostname || session.remoteAddress
+ }`
 );
 err.isCodeBug = true;
 err.session = session;
diff --git a/helpers/is-authenticated-message.js b/helpers/is-authenticated-message.js
index f91dd77ffb..c056fa7d7c 100644
--- a/helpers/is-authenticated-message.js
+++ b/helpers/is-authenticated-message.js
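Review bot: In helpers/is-arbitrary.js the exemption inside `!( … )` is decided by the Subject and X-Mailer headers, both of which the sender sets, and `includes('drupal')` is a substring match, so these terms only suppress false positives and carry no authentication value. The one sender-independent term is the SPF result, and `!['softfail', 'fail'].includes(...)` still admits every other non-pass result, presumably including the error results. If the intent is to exempt only domains that publish no SPF opinion, a positive list such as `['none', 'neutral'].includes(session.spfFromHeader.status.result)` would be tighter. Either way, a comment above the exemption such as `// Subject and X-Mailer are sender-controlled; this only reduces false positives for system-generated mail` would record that for the next reader. The enclosing `if` starts above the hunk and isArbitrary continues below it.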
@@ -128,11 +128,16 @@ async function isAuthenticatedMessage(raw, session, resolver) {
 // and DMARC fail with p=reject policy
 //
 if (
- // session.spf.status.result !== 'pass' &&
 session.dmarc &&
- session.dmarc.policy === 'reject' &&
 session.dmarc.status &&
- session.dmarc.status.result === 'fail'
+ session.dmarc.status.result === 'fail' &&
+ (!session.isAllowlisted ||
+ session.dmarc.policy === 'reject' ||
+ (session.hostNameAppearsAs &&
+ session.hostNameAppearsAs !== session.originalFromAddressRootDomain &&
+ session.hostNameAppearsAs !== session.originalFromAddressDomain &&
+ session.hostNameAppearsAs !== session.resolvedClientHostname &&
+ session.hostNameAppearsAs !== session.resolvedRootClientHostname))
 ) {
 throw new SMTPError(
 "The email sent has failed DMARC validation and is rejected due to the domain's DMARC policy",
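Review bot: The comment above the `if` and the SMTPError text still describe a p=reject rejection, but the new condition rejects every DMARC `fail` from a sender that is not allowlisted, whatever policy the domain publishes. The comment should state the actual rule, for example `// reject DMARC fail unless allowlisted; allowlisted senders are still rejected on p=reject or when hostNameAppearsAs matches neither the From domain nor the resolved client hostname`. The rejection text "due to the domain's DMARC policy" would point a postmaster at the wrong cause for a domain with a non-reject policy, so wording that does not name the policy would be more accurate. It is also worth confirming that rejecting regardless of policy is intended for forwarded and mailing-list mail, which commonly fails DMARC alignment. The `throw new SMTPError(` call continues past the end of the hunk.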