[opendmarc-dev] possible bug in opendmarc

Andreas Schulze sca at andreasschulze.de
Fri Jan 24 02:59:07 PST 2014


Hello,

In July 2013 I came up with a message from <newsletter at service3.zalando-lounge.de>.
These messages fail the DMARC test, but Google, for example, lets them pass.
See http://www.dmarc.org/pipermail/dmarc-discuss/2013-July/002048.html

As the issue remains unsolved, I now have to deal with the same problem again.
I think it's an issue in opendmarc. I was able to simplify the message
and config to the bare minimum:

---- messagefile --
Return-Path: <random_id at e3.emarsys.net>
Authentication-Results: mail.example.org;
         dkim=pass header.d=service3.zalando-lounge.de header.i=newsletter at service3.zalando-lounge.de header.b=foobar
Authentication-Results: mail.example.org;
         spf=pass smtp.mailfrom=<random_id at e3.emarsys.net> smtp.helo=pmta43120.emarsys.net
From: <newsletter at service3.zalando-lounge.de>
Date: Fri, 24 Jan 2014 05:08:06 +0100

messagebody
----

---- opendmarc.conf --
AuthservID     mail.example.org
RejectFailures yes
----

$ opendmarc -c opendmarc.conf -t messagefile -vv
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: messagefile: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: messagefile: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 6: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 7: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='mail.example.org; dmarc=pass header.from=service3.zalando-lounge.de'
opendmarc: messagefile: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

-> dmarc=pass, message accepted -> FINE :-)

But I usually load the publicsuffixlist from http://publicsuffix.org/

$ wget -q http://publicsuffix.org/list/effective_tld_names.dat
$ echo 'PublicSuffixList /path/to/effective_tld_names.dat' >> opendmarc.conf

Now it looks different:

$ opendmarc -c opendmarc.conf -t messagefile -vv
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: messagefile: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: messagefile: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 6: mlfi_header() returned SMFIS_CONTINUE
opendmarc: messagefile: line 7: mlfi_header() returned SMFIS_CONTINUE
### SETREPLY: rcode='550' xcode='5.7.1' replytxt='rejected by DMARC policy for service3.zalando-lounge.de'
opendmarc: messagefile: mlfi_eom() returned SMFIS_REJECT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

-> DMARC fail, message is rejected.

As someone found in July, there is no DMARC record for
zalando-lounge.de but only for service3.zalando-lounge.de.
See https://dmarcian.com/dmarc-inspector/service3.zalando-lounge.de

I know a batch of other domains behaving in the same manner:
  - infoservice.sky.de
  - reply.dashoefer.de
  - reply.deutschlandcard.de
  - reply.hoerhelfer.de
  - emailnews.friendscout24.de

Most of them are operated by emarsys-eMarketing, but also by others.
Common to all of them: the SLD does not provide a DMARC record. Only the
subdomain does.
The DMARC test fails if PublicSuffixList is active.

I hope this detailed information helps to identify and hopefully fix
the problem.

Thanks
Andreas
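
For reference, the lookup order the DMARC specification describes (exact From domain first, organizational domain only as a fallback), applied to the values in the messagefile above. This is an added example, not part of the original post and not OpenDMARC's code; the suffix set and TXT table are constructed stand-ins for the real Public Suffix List and DNS (no wildcard or exception rules), the function names are hypothetical, and relaxed alignment is assumed because the sample record sets no adkim/aspf tag.

```python
# Constructed stand-ins: a tiny suffix set and a TXT "zone" mirroring the report.
PUBLIC_SUFFIXES = {"de", "net", "org"}
TXT = {"_dmarc.service3.zalando-lounge.de": "v=DMARC1; p=reject"}


def org_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # no suffix matched: assume a one-label TLD


def discover_policy(from_domain, txt=TXT):
    """Query the exact From domain first; fall back to the organizational
    domain only if nothing is published there. Returns (found_at, record)."""
    candidates = [from_domain.lower()]
    org = org_domain(from_domain)
    if org not in candidates:
        candidates.append(org)
    for name in candidates:
        record = txt.get("_dmarc." + name)
        if record and record.startswith("v=DMARC1"):
            return name, record
    return None, None


def relaxed_aligned(auth_domain, from_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, dkim_pass_domains, spf_pass_domain):
    """Return 'none' (no policy published), 'pass' or 'fail'."""
    found_at, _ = discover_policy(from_domain)
    if found_at is None:
        return "none"
    authed = list(dkim_pass_domains) + ([spf_pass_domain] if spf_pass_domain else [])
    return "pass" if any(relaxed_aligned(d, from_domain) for d in authed) else "fail"


if __name__ == "__main__":
    # Domains taken from the messagefile in the post.
    print(discover_policy("service3.zalando-lounge.de"))
    print(evaluate("service3.zalando-lounge.de",
                   ["service3.zalando-lounge.de"], "e3.emarsys.net"))
```

With the suffix list in play, the record is still found at service3.zalando-lounge.de before zalando-lounge.de is ever queried, and the aligned DKIM signature alone is enough for a pass.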
