[opendmarc-users] spf pass which I can't understand

Sistemisti Posta sistemisti-posta at csi.it
Thu Dec 31 00:18:41 PST 2015


Hello opendmarc user,

  I have a question about an SPF pass that shouldn't pass.

I sent a mail, not DKIM signed, with a server not allowed by the SPF policy. 
In particular I sent a mail with the envelope from <marco at libero.it>, 
using an MSA that is not allowed by the libero.it policy:

libero.it descriptive text "v=spf1 ip4:212.48.25.128/25 
ip4:212.48.14.160/27 include:srs.bis.na.blackberry.com 
include:srs.bis.eu.blackberry.com include:srs.bis.ap.blackberry.com 
include:mail.zendesk.com -all"

So, if I understand correctly, the SPF check would fail.

opendmarc is configured to make its own SPF check (libspf2):

  ldd /usr/sbin/opendmarc
         linux-vdso.so.1 =>  (0x00007fff32fbc000)
         libopendmarc.so.2 => /lib64/libopendmarc.so.2 (0x00007f2424b1c000)
         libmilter.so.1.0 => /lib64/libmilter.so.1.0 (0x00007f242490b000)
         libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f24246f0000)
         libspf2.so.2 => /lib64/libspf2.so.2 (0x00007f24244d4000)
         libbsd.so.0 => /lib64/libbsd.so.0 (0x00007f24242c5000)
         librt.so.1 => /lib64/librt.so.1 (0x00007f24240bc000)
         libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2423ea0000)
         libc.so.6 => /lib64/libc.so.6 (0x00007f2423adf000)
         libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f24238c5000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f2424d36000)

opendmarc.conf:
AuthservID HOSTNAME
SPFIgnoreResults true
SPFSelfValidate true

The hostname is "04mx.example.com".
The mail I receive is:

Return-Path: <marco at libero.it>
Received: from 04mx.example.com (04mx.example.com [x.x.x.86])
	 by ucstore.example.com (Cyrus v2.4.17-Invoca-RPM-2.4.17-6.el6) with LMTPA;
	 Thu, 31 Dec 2015 08:48:04 +0100
X-Sieve: CMU Sieve 2.4
Received: from localhost (localhost [127.0.0.1])
	by 04mx.example.com (MailFarm) with ESMTP id 3pWM6D1dNjzFpVl
	for <marco at example.com>; Thu, 31 Dec 2015 08:48:04 +0100 (CET)
X-Virus-Scanned: amavisd-new at example.com
X-Spam-Flag: NO
X-Spam-Score: 1.696
X-Spam-Level: *
X-Spam-Status: No, score=1.696 tagged_above=-999 required=4.5
	tests=[BODY_SINGLE_WORD=0.001, DSPAM_HAM_99=-0.5, FREEMAIL_FROM=0.001,
	RDNS_NONE=1.274, SPF_FAIL=0.919, TVD_SPACE_RATIO=0.001]
	autolearn=disabled
Received: from localhost ([127.0.0.1])
	by localhost (04mx.example.com [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id 4vah2SkDixO0 for <marco at example.com>;
	Thu, 31 Dec 2015 08:48:03 +0100 (CET)
Received: from msa.example.com (unknown [x.x.x.55])
	by 04mx.example.com (MailFarm) with ESMTP id 3pWM6C04hwzFpVj
	for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
DMARC-Filter: OpenDMARC Filter v1.3.1 04mx.example.com 3pWM6C04hwzFpVj
Authentication-Results: 04mx.example.com; dmarc=fail header.from=libero.it
Authentication-Results: 04mx.example.com; spf=pass smtp.mailfrom=marco at libero.it
DKIM-Filter: OpenDKIM Filter v2.10.3 04mx.example.com 3pWM6C04hwzFpVj
Received: from [x.x.x.13] (client.example.com [x.x.x.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by msa.example.com (MailFarm) with ESMTPSA id 3pWM6B69pfzBrKb
	for <marco at example.com>; Thu, 31 Dec 2015 08:48:02 +0100 (CET)
To: Marco <marco at example.com>
From: Marco <marco at libero.it>
...


This mail should fail the SPF check, but "Authentication-Results" says it 
passes. In the log I only see:

2015-12-31T08:48:03.092716+01:00 04mx opendmarc[23762]: implicit authentication service: 04mx.example.com
2015-12-31T08:48:03.198839+01:00 04mx opendmarc[23762]: 3pWM6C04hwzFpVj: libero.it fail

The dat file says:
job 3pWM6C04hwzFpVj
reporter 04mx.example.com
received 1451548083
ipaddr x.x.x.55
from libero.it
mfrom libero.it
spf 0
pdomain libero.it
policy 17
rua mailto:dmarc_agg_rep at libero.it
pct 100
adkim 114
aspf 114
p 113
sp 0
align_dkim 5
align_spf 5
action 2

"spf 0" means that the SPF check passes, but afterwards it fails the DKIM and SPF 
alignment. I expected to find an SPF check that failed, but was aligned, because 
the envelope from and header from are the same.

Could you explain to me how to understand this behavior?

Thank you very much
Happy new year
Marco
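
The following is an added example, not part of the original post and not OpenDMARC or libspf2 code: a minimal offline evaluator for the ip4, include and all mechanisms (a subset of RFC 7208), run over the libero.it record quoted above. The `constructed_lookup` stub, the include-target record and the test addresses are constructed assumptions, because the real client address is redacted in the post and no DNS query is made.

```python
import ipaddress

# SPF record for libero.it exactly as quoted in the post
LIBERO_SPF = ("v=spf1 ip4:212.48.25.128/25 ip4:212.48.14.160/27 "
              "include:srs.bis.na.blackberry.com include:srs.bis.eu.blackberry.com "
              "include:srs.bis.ap.blackberry.com include:mail.zendesk.com -all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def constructed_lookup(domain):
    """Stand-in for a DNS TXT query (hypothetical helper, constructed data)."""
    if domain == "libero.it":
        return LIBERO_SPF
    # Constructed record for every include target; NOT the real published one.
    return "v=spf1 ip4:198.51.100.0/24 -all"

def check_host(ip, domain, lookup=constructed_lookup, depth=0):
    """Return the SPF result for a client IP against the domain's record."""
    if depth > 10:                      # RFC 7208 limit on DNS-querying terms
        return "permerror"
    terms = (lookup(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                 # default qualifier when none is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, arg, lookup, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"   # only an inner pass counts as a match
        else:
            return "permerror"          # mechanism outside this subset
        if matched:                     # first matching term decides the result
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    for ip in ("192.0.2.55", "212.48.25.130"):   # constructed client addresses
        print(ip, check_host(ip, "libero.it"))
```

A client outside both ip4 ranges that also matches none of the include targets falls through to `-all`, which is why a sender not listed by the policy is expected to get `fail` rather than `pass`.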

