[opendmarc-users] [Help] amazon false positive?
Sistemisti Posta
sistemisti-posta at csi.it
Tue Apr 26 02:52:23 PDT 2016
Hello,
Checking my log, I found many mails from amazon.it which don't pass
DMARC. Yesterday 33 mails from amazon.it passed DMARC, and 11 didn't pass
DMARC. A mail that doesn't pass DMARC is:
<record>
<row>
<source_ip>54.240.0.145</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>amazon.it</header_from>
</identifiers>
<auth_results>
<spf>
<domain>bounces.amazon.it</domain>
<result>fail</result>
</spf>
<dkim>
<domain>amazon.it</domain>
<result>fail</result>
</dkim>
<dkim>
<domain>amazonses.com</domain>
<result>fail</result>
</dkim>
</auth_results>
</record>
Both SPF and DKIM failed.
I checked with other tools such as
http://mxtoolbox.com/SuperTool.aspx?action=spf%3abounces.amazon.it%3a54.240.0.145&run=toolpage
and they also seem to say that SPF doesn't pass.
My opendkim logs are:
2016-04-25T09:40:16.219590+02:00 postfix/smtpd[22207]: 3qtdRh1Y8wzFpVj:
client=a0-145.smtp-out.eu-west-1.amazonses.com[54.240.0.145]
2016-04-25T09:40:16.293430+02:00 postfix/cleanup[23624]:
3qtdRh1Y8wzFpVj:
message-id=<010201544c5c8f06-f72b0d0b-d4cd-4826-a1bf-8e688734dcf0-000000 at eu-west-1.amazonses.com>
2016-04-25T09:40:16.441767+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145] not internal
2016-04-25T09:40:16.441773+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: not
authenticated
2016-04-25T09:40:16.447550+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
message has signatures from amazon.it, amazonses.com
2016-04-25T09:40:16.447777+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: bad
signature data
2016-04-25T09:40:16.511127+02:00 opendmarc[13720]: 3qtdRh1Y8wzFpVj:
amazon.it fail
I was archiving this issue as an amazon.it issue, but I'm still checking
SPF and DKIM with Amavis, and when I retrieved the headers I saw:
Return-Path:
<20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it>
[...]
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=4.5
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
DSPAM_HAM_99=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7,
RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
T_REMOTE_IMAGE=0.01] autolearn=disabled
Received: from localhost ([127.0.0.1])
by localhost (example.it [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id vvmYeH-TCJKl for <xxx.xxx at xxx.piemonte.it>;
Mon, 25 Apr 2016 09:40:16 +0200 (CEST)
Received: from a0-145.smtp-out.eu-west-1.amazonses.com
(a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145])
by example.it (MailFarm) with ESMTP id 3qtdRh1Y8wzFpVj
for <xxx.xxx at xxx.piemonte.it>; Mon, 25 Apr 2016 09:40:16 +0200
(CEST)
DMARC-Filter: OpenDMARC Filter v1.3.1 example.it 3qtdRh1Y8wzFpVj
Authentication-Results: example.it; dmarc=fail header.from=amazon.it
Authentication-Results: example.it; spf=fail
smtp.mailfrom=20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it
DKIM-Filter: OpenDKIM Filter v2.10.3 example.it 3qtdRh1Y8wzFpVj
Authentication-Results: example.it;
dkim=fail reason="signature verification failed" (1024-bit key)
header.d=amazon.it header.i=@amazon.it header.b=V1ZgZYnG;
dkim=fail reason="signature verification failed" (1024-bit key)
header.d=amazonses.com header.i=@amazonses.com header.b=aSHkWdMg
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=35pzb2tapqjxshkrupem4gpoke7mq3tm; d=amazon.it; t=1461570015;
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
b=V1ZgZYnG+48qG+N9ThLo2V3QfpgjHsbwnnvlQ1AkhhWOOX1bgaRvCB1xpVpZRNtJ
dEusnqn8pA5ITbQsfuJ+QefA6rD+faO9Fme31XavK6RoGalu1JkjifUpKFTcMV2fcLm
Nw3EjVzhAPtakGKOMkk/7B1h7bGVxS5UD3bqyJlc=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1461570015;
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID;
bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
b=aSHkWdMg/+ko4RV57oE+oqiTQ0WMSGeEPoN3ysf4K3yN4c+9hs6EHWLK+CMkuPDr
VAS/W0tcjak2RB1Gs446KX+f4RRd8Qf/r9MB2YIKa0NQewiTYoiIsy3ly5okuOZVT/r
Y4LIg1oQk2tuUOHc97OBoR5CFxyVlYaNt1KypnIc=
Date: Mon, 25 Apr 2016 07:40:15 +0000
From: "Amazon.it" <promotion-it at amazon.it>
To:
[...]
So, for Amavis it seems that both SPF and DKIM passed! I'm confused...
Could you help me to understand?
Thank you very much
Marco
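
Added example (not part of the original message): a Python script that surfaces the disagreement described above by comparing the milters' Authentication-Results verdicts with the SPF/DKIM rules SpamAssassin listed in X-Spam-Status. The sample headers are abridged from the ones quoted in the message, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Sample input: abridged from the headers quoted in the message above.
SAMPLE = """\
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=4.5
 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: example.it; dmarc=fail header.from=amazon.it
Authentication-Results: example.it; spf=fail
 smtp.mailfrom=bounces.amazon.it
Authentication-Results: example.it;
 dkim=fail reason="signature verification failed" (1024-bit key)
 header.d=amazon.it header.i=@amazon.it header.b=V1ZgZYnG;
 dkim=fail reason="signature verification failed" (1024-bit key)
 header.d=amazonses.com header.i=@amazonses.com header.b=aSHkWdMg

"""

# SpamAssassin rule names mapped to the (method, result) they imply.
SA_RULES = {"SPF_PASS": ("spf", "pass"), "SPF_FAIL": ("spf", "fail"),
            "DKIM_VALID": ("dkim", "pass"), "DKIM_INVALID": ("dkim", "fail")}

def milter_results(msg):
    """Collect method -> {results} from every Authentication-Results header."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            out.setdefault(method, set()).add(result)
    return out

def spamassassin_results(msg):
    """Collect method -> {results} implied by the tests=[...] list."""
    m = re.search(r"tests=\[(.*?)\]", msg.get("X-Spam-Status", ""), re.S)
    out = {}
    for name in re.findall(r"([A-Z0-9_]+)=", m.group(1) if m else ""):
        if name in SA_RULES:
            method, result = SA_RULES[name]
            out.setdefault(method, set()).add(result)
    return out

def disagreements(raw):
    """Return {method: (milter results, SpamAssassin results)} where they differ."""
    msg = message_from_string(raw)
    milter, sa = milter_results(msg), spamassassin_results(msg)
    return {k: (sorted(milter[k]), sorted(sa[k]))
            for k in milter.keys() & sa.keys() if milter[k] != sa[k]}

if __name__ == "__main__":
    print(disagreements(SAMPLE))
```

A non-empty result means the two verifiers did not reach the same verdict on the same message, which is the condition reported here for both SPF and DKIM.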