[opendmarc-users] Can I tell why a specific message failed?

Dan Mahoney, System Admin danm at prime.gushi.org
Tue Aug 26 12:24:09 PDT 2014


On Tue, 26 Aug 2014, Benny Pedersen wrote:

> On 26. aug. 2014 18.01.05 "Dan Mahoney, System Admin" <danm at prime.gushi.org> 
> wrote:
>
>> Those zones aren't signed, and I don't think I've seen any requirement in
>> the spec, or the FAQ, or anywhere else that says DNSSEC is mandatory.
>
> I have no RFC at hand here, but I changed from org tld to eu tld to solve it 
> for my problem at org tld

The only mention of DNSSEC (other than the references) in the RFC is 17.3:

    The DMARC mechanism and its underlying technologies (SPF, DKIM)
    depend on the security of the DNS.  To reduce the risk of subversion
    of the DMARC mechanism due to DNS-based exploits, serious
    consideration should be given to the deployment of DNSSEC in parallel
    to the deployment of DMARC by both Domain Owners and Mail Receivers.

Which is little more than an advisory.  That's not it.  There's 
no way in the spec for either SPF or DKIM to require that a key be 
validated via DNSSEC only.

What it *might* be is that I've got two DKIM signatures present -- and 
that I only did the DKIM validation on the amazonses.com domain, and not 
the amazon.com domain.  And of course, amazon.com is the sender domain, 
and the one publishing the dmarc record.

I note that in recent versions of openDKIM there's an option to process 
ALL signatures, and not just the last one.  I'm going to try turning this 
on.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
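Added example, not code from this thread or from OpenDMARC: a small Python model of the DMARC identifier-alignment rule (RFC 7489 section 3.1) that reproduces the failure described above. It assumes a constructed message with RFC5322.From amazon.com, an SPF-passing MAIL FROM at amazonses.com, and two DKIM signatures (d=amazon.com and d=amazonses.com); the organizational-domain derivation is simplified to the last two labels, where a real implementation consults the Public Suffix List.

```python
"""Constructed DMARC alignment check: validating only the last DKIM
signature (amazonses.com) cannot align with a From domain of amazon.com,
so DMARC fails; verifying every signature lets the amazon.com one align."""
from dataclasses import dataclass
from typing import List, Optional


def org_domain(domain: str) -> str:
    # Simplified: last two labels stand in for the Public Suffix List lookup.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    # adkim/aspf "s" (strict) needs an exact match; "r" (relaxed) compares
    # organizational domains.
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class DkimResult:
    d: str          # d= tag of the verified signature
    passed: bool    # signature cryptographically verified


@dataclass
class SpfResult:
    domain: str     # MAIL FROM (or HELO) domain that SPF evaluated
    passed: bool


def dmarc_result(from_domain: str, dkim: List[DkimResult],
                 spf: Optional[SpfResult], adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes if at least one passing identifier aligns with From."""
    dkim_ok = any(r.passed and aligned(r.d, from_domain, adkim) for r in dkim)
    spf_ok = spf is not None and spf.passed and aligned(spf.domain, from_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"


# Constructed sample values (assumed, not taken from a real message).
FROM_DOMAIN = "amazon.com"
SPF = SpfResult(domain="amazonses.com", passed=True)      # passes, but unaligned
ONLY_LAST = [DkimResult("amazonses.com", True)]           # only the last signature checked
ALL_SIGS = [DkimResult("amazon.com", True), DkimResult("amazonses.com", True)]

if __name__ == "__main__":
    print(dmarc_result(FROM_DOMAIN, ONLY_LAST, SPF))   # fail
    print(dmarc_result(FROM_DOMAIN, ALL_SIGS, SPF))    # pass
```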


