[opendmarc-users] Implementation and Testing - Domains are Failing that shouldn't
Nic Bernstein
nic at onlight.com
Mon Aug 26 06:48:39 PDT 2013
On 08/26/2013 01:17 AM, Birta Levente wrote:
> On 24/08/2013 18:51, Mark D. Montgomery II wrote:
>> I'm trying to start my implementation of DMARC checking for incoming
>> mail and am not sure everything is quite right.
>>
>> When mail comes in it seems to pass through SPF and DKIM properly.
>> It appears to be passing through opendmarc properly as well, but I'm
>> having a couple issues.
>>
>> 1. The SoftwareHeader is missing (I noticed this seems to be a known
>> issue from looking at the last couple months of list archives).
>> 2. Domains that it seems SHOULD be actually passing DMARC are failing -
>> amazon, twitter, etc., so I'm not sure if something is wrong with my
>> implementation or what.
>>
>> Any help is appreciated.
>>
>> Thanks.
>>
>> Mark II
>>
>>
>>
>> Postfix Configuration:
>>
>> main.cf
>> #8891 = OpenDKIM
>> #8893 = OpenDMARC
>> smtpd_milters = inet:localhost:8891 inet:localhost:8893
>> non_smtpd_milters = inet:localhost:8891 inet:localhost:8893
>>
>> master.cf
>> policyd-spf unix - n n - 0 spawn
>>   user=nobody argv=/usr/bin/policyd-spf
>>
>>
>> Amazon Email Headers:
>>
>> Return-Path:
>> <20130823170937173cfcb1ddc9407fbe60a5a241c24219-C2A29PYAN0232S at bounces.amazon.com>
>>
>>
>> X-Original-To: techiem2 at techiem2.net
>> Delivered-To: techiem2 at techiem2.net
>> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
>> client-ip=54.240.15.191; helo=a15-191.smtp-out.amazonses.com;
>> envelope-from=20130823170937173cfcb1ddc9407fbe60a5a241c24219-c2a29pyan0232s at bounces.amazon.com;
>>
>> receiver=techiem2 at techiem2.net
>> Authentication-Results: li235-115; dmarc=fail header.from=amazon.com
>> Received: from a15-191.smtp-out.amazonses.com
>> (a15-191.smtp-out.amazonses.com [54.240.15.191])
>> by techiem2.net (Postfix) with ESMTP id 70C1374CD5
>> for <techiem2 at techiem2.net>; Fri, 23 Aug 2013 13:09:38 -0400 (EDT)
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>> s=taugkdi5ljtmsua4uibbmo5mda3r2q3v; d=amazon.com; t=1377277777;
>> h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
>> bh=Z+5fRLeDIYUS7TpEC8TNHt6Qriv3tFzQ45ltZgp6zNM=;
>> b=JftSasOAwESBqlPYCpinkqh6sKgGEFu+CljDdWgrJhUBGThRaF5Q2sF4Oi3Tm7lH
>> pMfLrNEJuivTYAiU7Rg92vnvpXJRkLi69nIR/pxHU8/nQcUhKpsrByT9ybbTqZPWY0T
>> PLYqWr5CG/z34MHKNucHXbiGUnqYZYr+ZS59wodg=
>> Date: Fri, 23 Aug 2013 17:09:37 +0000
>> From: "Amazon.com" <store-news at amazon.com>
>> To: "techiem2 at techiem2.net" <techiem2 at techiem2.net>
>> Message-ID:
>> <00000140ac27163f-ecf29020-5b53-4be1-8264-82adbe79e45e-000000 at email.amazonses.com>
>>
>>
>
> Authentication-Results header from SPF and DKIM checking is missing.
> So I guess thats why dmarc fail.
> DMARC is decided based on SPF and DKIM Authentication-Results header.
Actually, the Received-SPF header is present, and opendmarc since at
least version 0.2.0 (released 2012/08/24) will recognize and use that.
However, as has recently been discussed on the list, there seem to be
problems with opendmarc and SPF processing in general, as is reflected
in an SPF value of -1 in the history file, as the original poster included:
> job 7AF6975A80
> reporter techiem2.net
> received 1377316379
> ipaddr 72.21.212.36
> from amazon.com
> mfrom bounces.amazon.com
> spf -1
> pdomain amazon.com
> policy 17
> rua mailto:dmarc-reports at bounces.amazon.com
> pct 100
> adkim 114
> aspf 114
> p 113
> sp 0
> align_dkim 5
> align_spf 5
> action 2
The other problem here is that there is no header from opendkim, so with
broken SPF processing, and no DKIM, there is nothing left for opendmarc
to go on.
Mark, in your original note you said, "When mail comes in it seems to
pass through SPF and DKIM properly," but that's not the case, as there's
no header from opendkim. You should check to see why opendkim is not
producing a header. You may want to play with the debugging options for
that to see what's going on.
Also, you have opendmarc in your non_smtpd_milters. That's most likely
unnecessary, as that path is used by mail submitted locally (via
submission port 587 or local queuing). It does make sense to have
opendkim there, but only if you're using it to sign outgoing mail.
Cheers,
-nic
--
Nic Bernstein nic at onlight.com
Onlight, Inc. www.onlight.com
219 N. Milwaukee St., Suite 2a v. 414.272.4477
Milwaukee, Wisconsin 53202
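The history record quoted above is the quickest place to see both symptoms Nic describes (an SPF value of -1 and no DKIM result at all), but the file is written for the reporting tool, not for people. The script below is an added example, not code from the opendmarc project or from anyone in this thread: it parses records of that key/value format, decodes the single-letter tag values, and flags the two symptoms. It assumes (as this thread's record suggests) that each record starts with a "job" line and ends with an "action" line, that DKIM results appear as "dkim <domain> <n>" lines, and that p/sp/adkim/aspf are written as the decimal code of the tag's letter with 0 meaning the tag was absent; the sample record is constructed from the one quoted above, with the list-archive address obfuscation undone.

```python
"""Triage opendmarc history-file records for the symptoms discussed in this thread.

Added example, not part of opendmarc.  Assumptions (not taken from the
project's docs): one record per "job ... action" block; DKIM results are
"dkim <domain> <n>" lines (zero or more); p, sp, adkim and aspf hold the
decimal character code of the tag value (0 = tag absent).
"""
from dataclasses import dataclass, field

# Constructed sample: the record quoted in the thread, with "at" turned back into "@".
SAMPLE_HISTORY = """\
job 7AF6975A80
reporter techiem2.net
received 1377316379
ipaddr 72.21.212.36
from amazon.com
mfrom bounces.amazon.com
spf -1
pdomain amazon.com
policy 17
rua mailto:dmarc-reports@bounces.amazon.com
pct 100
adkim 114
aspf 114
p 113
sp 0
align_dkim 5
align_spf 5
action 2
"""


@dataclass
class Record:
    job: str = ""
    fields: dict = field(default_factory=dict)
    dkim: list = field(default_factory=list)  # (signing domain, result code) tuples


def parse_history(text):
    """Split a history file into Record objects, one per 'job' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key == "job":
            cur = Record(job=rest)
            records.append(cur)
            continue
        if cur is None:
            raise ValueError("field before first 'job' line: %r" % line)
        if key == "dkim":
            domain, _, result = rest.partition(" ")
            cur.dkim.append((domain, int(result)))
        else:
            cur.fields[key] = rest
    return records


def decode_char_field(value):
    """Turn '113' into 'q', '114' into 'r'; 0 means the tag was not in the DMARC record."""
    n = int(value)
    return None if n == 0 else chr(n)


def triage(rec):
    """Return human-readable problems for the two failure modes seen in the thread."""
    problems = []
    if int(rec.fields.get("spf", "-1")) == -1:
        problems.append("spf -1: opendmarc got no usable SPF result for this message")
    if not rec.dkim:
        problems.append("no dkim lines: no DKIM result reached opendmarc "
                        "(check that opendkim adds an Authentication-Results header)")
    return problems


def summarize(rec):
    return {
        "job": rec.job,
        "from": rec.fields.get("from"),
        "p": decode_char_field(rec.fields.get("p", "0")),
        "sp": decode_char_field(rec.fields.get("sp", "0")),
        "adkim": decode_char_field(rec.fields.get("adkim", "0")),
        "aspf": decode_char_field(rec.fields.get("aspf", "0")),
        "problems": triage(rec),
    }


if __name__ == "__main__":
    import sys
    # Pass the path of the live history file as the first argument to run against real data.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for rec in parse_history(text):
        print(summarize(rec))
```

Run against the quoted record, it reports p=q, adkim=r, aspf=r, no sp, and both problems; a record from a correctly wired setup should show a non-negative spf value and at least one dkim line for signed mail. It does not try to interpret the numeric "policy" and "align_*" codes, because their meaning is not established by anything in this thread.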