24 May 2016, 01:46 AM   #12
glass
Member
 
Join Date: Dec 2013
Posts: 54
Ignoring DMARC failure

I've given up on DMARC. It's completely useless as too many domains have incorrect policies, even ones who should know better**. After three weeks the false positive rate for messages that have failed DMARC is close to 100%. Granted, this isn't really Fastmail's fault as they are only doing what they're told to by the domains' DMARC policies.

So I've modified my Sieve rules to ignore DMARC failures. The best way I could think of to do this was to put this in the first Sieve rules box (above the auto-generated spam rules):

Code:
# Opens an if/else around Fastmail's generated spam rules, so they only run
# when no ME_DMARC_* rule is listed in X-Spam-hits.
if not header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT", "ME_DMARC_QUARANTINE"] {
Fastmail's pre-filled spam rules are below that.

In the second box, after the spam rules, I put:

Code:
} else {
  # A DMARC rule fired. Only junk the message if it also earned enough spam
  # score on its own: 13 = 8 (ME_DMARC_QUARANTINE) + 5, 20 = 15 (ME_DMARC_REJECT) + 5.
  # The :value test needs the "relational" and "comparator-i;ascii-numeric"
  # extensions (RFC 5231); check they are in the require line at the top of the script.
  if header :contains ["X-Spam-hits"] ["ME_DMARC_QUARANTINE"] {
    if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "13" {
      fileinto "\\Junk";
      stop;
    }
  }
  if header :contains ["X-Spam-hits"] ["ME_DMARC_REJECT"] {
    if header :value "ge" :comparator "i;ascii-numeric" "X-Spam-score" "20" {
      fileinto "\\Junk";
      stop;
    }
  }
}
This wraps Fastmail's spam rules so they only get run if no DMARC rule was triggered. If a DMARC rule was triggered and the policy was quarantine, it checks the message for a spam score of 13, so the message needs a natural spam score of 5 in addition to the 8 added by the ME_DMARC_QUARANTINE rule. And if the rule is reject, same thing, except the threshold is 20, as the message needs a natural spam score of 5 in addition to the 15 added by ME_DMARC_REJECT.
**Case in point: Google was one of the co-conspirators who forced this upon the world, and yet the google.com domain has a p=reject policy, even though their employees use their @google.com address to post to mailing lists that break DKIM. John Levine of the IETF, and a contributor to RFC 7489, says "Reject policy is fine [...] for companies with firm staff policies that [...] employees don't join mailing lists and the like using company addresses".

If they can't get this right, who will?
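As an added example (not code from the post or from Fastmail), this Python script models what the two Sieve fragments above decide for a message, including the i;ascii-numeric comparator's rule (RFC 4790) that only leading digits count and that a value not starting with a digit compares as positive infinity, so a negative X-Spam-score would be junked by these rules. The sample headers and the "spam-rules" outcome for messages with no DMARC hit are constructed assumptions.

```python
"""Offline model of the Sieve rules in the post above (added example)."""
import math
from email import message_from_string

# Thresholds the Sieve rules compare X-Spam-score against: the points the
# ME_DMARC_* rule adds (8 or 15, per the post) plus 5 points of "natural" score.
JUNK_THRESHOLD = {"ME_DMARC_QUARANTINE": 13, "ME_DMARC_REJECT": 20}


def ascii_numeric(value: str) -> float:
    """What a :comparator "i;ascii-numeric" test sees (RFC 4790 section 9.1):
    only the leading digits count ("12.9" is 12), and a string that does not
    start with a digit, e.g. a negative score, compares as positive infinity."""
    text = value.strip()
    if not text or not text[0].isdigit():
        return math.inf
    number = 0
    for ch in text:
        if not ch.isdigit():
            break
        number = number * 10 + int(ch)
    return number


def classify(raw_message: str) -> str:
    """Where the post's rules send a raw message: "Junk", "INBOX" (a DMARC hit
    but not enough score), or "spam-rules" when no DMARC hit fired and
    Fastmail's own generated rules (not modelled here) handle it."""
    msg = message_from_string(raw_message)
    hits = msg.get("X-Spam-hits", "")
    score = ascii_numeric(msg.get("X-Spam-score", ""))
    dmarc_hit = False
    for rule, threshold in JUNK_THRESHOLD.items():  # quarantine first, as in the post
        if rule in hits:  # Sieve :contains is a substring match
            dmarc_hit = True
            if score >= threshold:
                return "Junk"
    return "INBOX" if dmarc_hit else "spam-rules"


# Constructed sample headers, not real Fastmail output.
SAMPLES = {
    "reject_low":  "X-Spam-hits: ME_DMARC_REJECT,HTML_MESSAGE\nX-Spam-score: 16.2\n\nbody\n",
    "reject_high": "X-Spam-hits: ME_DMARC_REJECT,URIBL_BLACK\nX-Spam-score: 20.4\n\nbody\n",
    "quar_edge":   "X-Spam-hits: ME_DMARC_QUARANTINE\nX-Spam-score: 12.9\n\nbody\n",
    "quar_junk":   "X-Spam-hits: ME_DMARC_QUARANTINE\nX-Spam-score: 13.0\n\nbody\n",
    "no_dmarc":    "X-Spam-hits: BAYES_50\nX-Spam-score: 6.1\n\nbody\n",
    "negative":    "X-Spam-hits: ME_DMARC_REJECT\nX-Spam-score: -2.0\n\nbody\n",
}
```

Running `classify` over `SAMPLES` shows the 16.2 reject-hit message staying in the inbox (natural score 1.2) while the 20.4 one is junked, and the negative-score case landing in Junk because of the comparator's infinity rule.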