SpamAssassin, a widely used open-source email filter, can sometimes assign positive (spam-increasing) scores to what appear to be legitimate DMARC configurations or harmless text elements. This can be perplexing for senders working toward good email deliverability. The reasons usually lie in how a given installation's rules are configured, especially local or custom rule sets, and in how SpamAssassin interprets email content, including text that is invisible to the reader or deliberately formatted.
Key findings
Default scoring: The default DMARC_REJECT rule in SpamAssassin assigns a minimal positive score of 0.001 for non-bayesian scoring, serving primarily as a flag that a DMARC reject policy was encountered, not necessarily indicating a problem.
Custom rules: Many web hosts and email services implement custom SpamAssassin rule sets that can override or modify default behaviors, potentially leading to higher scores for DMARC_REJECT when underlying authentication, such as DKIM, fails. This is often seen with KAM_ prefixed rules.
Invisible text detection: Rules like MIME_NO_TEXT or LONG_INVISIBLE_TEXT are triggered by specific HTML attributes, such as font sizes or colors that render text effectively invisible. This can occur even if no malicious intent exists, for example, in MJML emails.
Email forwarding impact: Forwarding emails through a gateway can distort authentication results and lead to inaccurate SpamAssassin scores, making it appear as though there are DMARC or other issues when there aren't actual deliverability problems for the end recipient.
Key considerations
Rule interpretation: Understanding SpamAssassin's scoring requires delving into its complex rule sets, which are not always well-documented. Many rules can be inspected by reviewing local configuration files (e.g., local.cf), as mentioned on ServerFault regarding DMARC configuration.
Debugging invisible text: For issues like MIME_NO_TEXT or LONG_INVISIBLE_TEXT, examine the email's HTML and CSS for elements that render text with zero size or in a color matching the background. Review the FONT_INVIS_MSGID rule for insight into the detection mechanism.
Accurate testing: To get precise SpamAssassin scores, emails should be tested directly without any intermediate forwarding that could alter headers or content, impacting DMARC or MIME checks.
DMARC policy understanding: While a p=reject DMARC policy is best practice for security, it can sometimes be misinterpreted by older or highly customized SpamAssassin installations if not aligned with other authentication. Explore why DMARC authentication can fail.
Email marketers often encounter unexpected SpamAssassin scores for DMARC policies or invisible text, leading to confusion about their email deliverability. Their experiences highlight the challenge of navigating nuanced spam filtering systems and the need for clear understanding of how various rules interact. The consensus among marketers is that such unexpected scores often stem from specific configurations, whether default or custom, and the ways in which email content is processed.
Key opinions
Confusing DMARC scores: Many marketers find it confusing when SpamAssassin assigns positive spam scores (indicating higher spam likelihood) for a strict DMARC reject policy, as this goes against the intended security benefits.
Invisible text issues: Marketers report receiving penalties for MIME_NO_TEXT or LONG_INVISIBLE_TEXT even when no visible hidden text is present in their HTML, particularly with certain email frameworks like MJML.
Impact of custom rules: Some marketers suspect that custom SpamAssassin rules implemented by their web hosts or email service providers are responsible for unusual scoring, as these can deviate from standard behaviors.
Testing tool inaccuracies: Marketers note that authentication scores reported by testing tools might be skewed or inaccurate if emails are forwarded through a gateway before being analyzed by SpamAssassin, leading to false positives.
Key considerations
Verify DMARC alignment: Even with a p=reject policy, ensuring proper SPF and DKIM alignment is crucial to prevent SpamAssassin from assigning unintended scores, as a failed underlying check with a reject policy can trigger rules like KAM_DMARC_REJECT. Learn more about DMARC alignment.
Inspect HTML structure: To avoid MIME_NO_TEXT or LONG_INVISIBLE_TEXT penalties, marketers should scrutinize their email templates for any styling (e.g., CSS with display: none, very small font sizes, or colors matching backgrounds) that could inadvertently hide text. A common source of this issue is described in this GitHub discussion about MJML.
Direct testing methods: For the most reliable SpamAssassin scores, marketers should use testing methods that send emails directly to the SpamAssassin instance without any intermediate relays or forwarding services. This ensures that headers and authentication results are not altered.
Understanding local configurations: If a web host uses SpamAssassin, it's beneficial to inquire about any custom rules or weightings they have applied, as these can significantly impact how your emails are scored, even if standard DMARC, SPF, and DKIM are correctly configured. Our guide on SpamAssassin rules provides more detail.
Marketer view
An email marketer from Email Geeks expressed confusion regarding the positive scoring for strict DMARC policies in SpamAssassin, suggesting it counteracts the purpose of a reject policy.
05 Jun 2024 - Email Geeks
Marketer view
A marketer from ServerFault outlined their process for adding a configuration ruleset to local.cf in SpamAssassin 3.4.2, specifically aiming to provide a spam score for failed DMARC tests.
20 Feb 2020 - ServerFault
What the experts say
Experts in email deliverability and anti-spam systems offer critical insights into SpamAssassin's behavior, emphasizing the technical intricacies behind its scoring mechanisms. They highlight that default rule settings, custom overrides, and the impact of email forwarding are key factors influencing why certain DMARC policies or text formats might receive unexpected positive scores. Their opinions underscore the necessity of a deep technical understanding to effectively diagnose and mitigate such issues.
Key opinions
Default DMARC scoring: Experts clarify that the standard DMARC_REJECT rule in SpamAssassin often has a very low positive score, simply to record the presence of a reject policy, not necessarily to flag spam.
Configuration overrides: Many SpamAssassin installations use custom rule sets (e.g., KAM_ prefixed rules) that can alter the weighting or behavior of standard DMARC checks, leading to scores that deviate from expectations.
Invisible text triggers: Rules for invisible text, such as MIME_NO_TEXT or LONG_INVISIBLE_TEXT, are often triggered by specific HTML elements, font sizes, or color choices that render text indiscernible to human eyes.
Debugging complexity: Diagnosing SpamAssassin scores can be challenging due to outdated documentation and the need to analyze complex configuration files, often requiring expertise in scripting languages like Perl.
Key considerations
Direct mail flow: For accurate SpamAssassin analysis, experts advise sending emails directly to the SpamAssassin instance without any intervening gateways or forwarding services that could modify email headers or content and affect authentication results.
Rule regex investigation: To pinpoint the exact reason for invisible text penalties, it's essential to examine the regular expressions (regex) within the SpamAssassin rules. These often target specific HTML attributes or patterns related to font styling or color, as discussed in the context of SpamAssassin's FONT_INVIS_MSGID rule.
Limited documentation: Be aware that the official SpamAssassin wiki is largely outdated, making direct consultation of configuration files the most reliable method for understanding rule logic.
Spam score context: Remember that SpamAssassin scores are just one component of overall deliverability. A hit from one particular rule (such as DMARC_REJECT at its low default value) may not indicate a serious issue if other deliverability metrics are strong and the email ultimately reaches the inbox. More context on how SpamAssassin scores affect deliverability is available.
Expert view
An expert from Email Geeks explained that the default SpamAssassin rule DMARC_REJECT (for non-bayesian scoring) typically assigns a very low positive score, merely indicating that a DMARC reject policy was observed, rather than signaling a significant spam issue.
05 Jun 2024 - Email Geeks
Expert view
An expert from Word to the Wise stated that accurately diagnosing deliverability issues requires a holistic view beyond single spam filter scores, as various factors can influence inbox placement.
18 May 2024 - wordtothewise.com
What the documentation says
The official and community documentation surrounding SpamAssassin and related email standards offers foundational knowledge for understanding its scoring mechanisms. While some resources may be outdated, they reveal the logic behind rules related to DMARC and content analysis. These documents underscore that SpamAssassin's behavior, even if seemingly counterintuitive, is based on a set of defined rules intended to identify characteristics commonly associated with spam or policy violations.
Key findings
DMARC rule definition: Documentation confirms that rules like DMARC_REJECT are part of SpamAssassin's standard rule set, designed to flag when a DMARC policy of reject is present and other conditions are met.
Invisible text logic: Rules such as MIME_NO_TEXT and LONG_INVISIBLE_TEXT are typically based on detecting HTML or MIME structures that render text invisible to the recipient, regardless of intent. This often involves checking for specific CSS properties or font handling.
Configurability: SpamAssassin's design allows for extensive customization through configuration files like local.cf, enabling administrators to adjust rule scores or add entirely new rules based on specific needs or observed spam patterns. For instance, configuring custom rules for DMARC failures is a documented possibility on ServerFault.
Rule evolution: SpamAssassin's rule sets evolve, and older rules or their associated scores might not perfectly align with modern email authentication best practices or rendering techniques, leading to potential false positives for legitimate mail.
Key considerations
Review rule definitions: To understand a specific score, consult the relevant SpamAssassin rule definitions. These often contain the regular expressions and logic that trigger the score, providing direct insight into what the filter is detecting.
HTML rendering standards: When designing emails, adhere to robust HTML and CSS best practices to minimize the risk of invisible text penalties. Avoid using obscure or highly unusual styling that could be flagged. Issues with hidden text can occur with various email frameworks, as illustrated in GitHub discussions about MJML.
DMARC policy nuances: While a p=reject DMARC policy is strong, understanding how it interacts with different filtering systems is key. Reviewing DMARC tags and their meanings can help clarify policy interpretation.
Stay updated: Although SpamAssassin's core documentation may be limited, staying informed about broader email deliverability best practices and common spam filter triggers can help mitigate issues. Consider factors beyond just DMARC, SPF, and DKIM when troubleshooting why emails go to spam.
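The inline-style patterns named under "Inspect HTML structure" and "Invisible text logic" can be checked before a template is sent. The following Python is an added example, not the article's or SpamAssassin's code: it walks an HTML body and totals the text enclosed by any element styled with display:none or visibility:hidden, a font-size of zero (or at most 1px/1pt), or a text colour equal to the element's own background. The regexes, the void-tag list and the sample markup (including a preheader-style hidden div of the kind templating frameworks emit) are constructed; the script stands in for the idea behind rules like LONG_INVISIBLE_TEXT, not their actual logic.

```python
# Added example: a simplified invisible-text check, not SpamAssassin's own rule.
import re
from html.parser import HTMLParser
# Inline-style triggers the article names: hidden elements, zero or tiny
# font sizes, and a text colour identical to the element's background.
_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_FONT = re.compile(r"font-size\s*:\s*(\d+(?:\.\d+)?)\s*([a-z%]*)", re.I)
_COLOR = re.compile(r"(?<![\w-])color\s*:\s*(#[0-9a-f]{3,6}|\w+)", re.I)
_BGCOLOR = re.compile(r"background(?:-color)?\s*:\s*(#[0-9a-f]{3,6}|\w+)", re.I)
VOID = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}

def style_is_invisible(style: str) -> bool:
    """True if this inline style would hide the element's text from a reader."""
    if _HIDDEN.search(style):
        return True
    m = _FONT.search(style)               # font-size:0 in any unit, or <= 1px/pt
    if m and float(m.group(1)) <= (1 if m.group(2).lower() in ("px", "pt") else 0):
        return True
    fg, bg = _COLOR.search(style), _BGCOLOR.search(style)
    return bool(fg and bg and fg.group(1).lower() == bg.group(1).lower())

class InvisibleTextCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.depth = [], 0    # depth = number of open hidden ancestors
        self.hidden, self.visible = [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:                   # <br>, <img> etc. never get an end tag
            return
        is_hidden = style_is_invisible(dict(attrs).get("style") or "")
        self.stack.append(is_hidden)
        self.depth += is_hidden
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.depth -= self.stack.pop()
    def handle_data(self, data):
        if data.strip():                  # text under any hidden ancestor is hidden
            (self.hidden if self.depth else self.visible).append(data.strip())

def invisible_text(html: str) -> dict:
    p = InvisibleTextCounter()
    p.feed(html)
    return {"fragments": p.hidden, "invisible_chars": sum(map(len, p.hidden)),
            "visible_chars": sum(map(len, p.visible))}
# Constructed sample: preheader-style hidden div, visible copy, two more hidden elements.
SAMPLE_HTML = ('<body style="background:#ffffff"><div style="display:none;'
    'font-size:1px;color:#ffffff;max-height:0">Preview text for the inbox list'
    "</div><p>Hello, here is this month's newsletter.</p>"
    '<span style="font-size:0px">keyword stuffing here</span><p style="color:'
    '#FFFFFF;background-color:#ffffff">same as background</p></body>')
```

On SAMPLE_HTML the check reports 70 hidden characters against 39 visible ones, so a template that looks clean in a mail client can still carry more invisible than visible text.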
Technical article
A ServerFault post shows that administrators can customize SpamAssassin's behavior by adding rulesets to files like local.cf to assign spam scores specifically for failed DMARC tests, demonstrating its extensibility.
20 Feb 2020 - ServerFault
Technical article
A GitHub issue thread suggests that problems like 'long invisible text' often stem from how email frameworks or specific CSS rules inadvertently render text unreadable, a pattern SpamAssassin's rules are designed to detect as a potential spam tactic.