[opendmarc-users] [Help] amazon false positive?

Sistemisti Posta sistemisti-posta at csi.it
Tue Apr 26 02:52:23 PDT 2016


Hello,

  Checking my log, I found many mails from amazon.it which don't pass 
DMARC. Yesterday 33 mails from amazon.it passed DMARC, and 11 didn't pass 
DMARC. A mail that doesn't pass DMARC is:

  <record>
   <row>
    <source_ip>54.240.0.145</source_ip>
    <count>1</count>
    <policy_evaluated>
     <disposition>none</disposition>
     <dkim>fail</dkim>
     <spf>fail</spf>
    </policy_evaluated>
   </row>
   <identifiers>
    <header_from>amazon.it</header_from>
   </identifiers>
   <auth_results>
    <spf>
     <domain>bounces.amazon.it</domain>
     <result>fail</result>
    </spf>
    <dkim>
     <domain>amazon.it</domain>
     <result>fail</result>
    </dkim>
    <dkim>
     <domain>amazonses.com</domain>
     <result>fail</result>
    </dkim>
   </auth_results>
  </record>

Both SPF and DKIM failed.

I checked with other tools such as
http://mxtoolbox.com/SuperTool.aspx?action=spf%3abounces.amazon.it%3a54.240.0.145&run=toolpage

and they also seem to say that SPF doesn't pass.

My opendkim logs are:

2016-04-25T09:40:16.219590+02:00 postfix/smtpd[22207]: 3qtdRh1Y8wzFpVj:
client=a0-145.smtp-out.eu-west-1.amazonses.com[54.240.0.145]
2016-04-25T09:40:16.293430+02:00 postfix/cleanup[23624]:
3qtdRh1Y8wzFpVj:
message-id=<010201544c5c8f06-f72b0d0b-d4cd-4826-a1bf-8e688734dcf0-000000 at eu-west-1.amazonses.com>

2016-04-25T09:40:16.441767+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145] not internal
2016-04-25T09:40:16.441773+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: not
authenticated
2016-04-25T09:40:16.447550+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
message has signatures from amazon.it, amazonses.com
2016-04-25T09:40:16.447777+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: bad
signature data
2016-04-25T09:40:16.511127+02:00 opendmarc[13720]: 3qtdRh1Y8wzFpVj:
amazon.it fail

I was archiving this issue as an amazon.it issue, but I'm still checking 
SPF and DKIM with Amavis, and when I retrieved the headers I saw:

Return-Path: 
<20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it>
[...]
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=4.5
         tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
         DSPAM_HAM_99=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7,
         RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
         T_REMOTE_IMAGE=0.01] autolearn=disabled
Received: from localhost ([127.0.0.1])
         by localhost (example.it [127.0.0.1]) (amavisd-new, port 10024)
         with LMTP id vvmYeH-TCJKl for <xxx.xxx at xxx.piemonte.it>;
         Mon, 25 Apr 2016 09:40:16 +0200 (CEST)
Received: from a0-145.smtp-out.eu-west-1.amazonses.com 
(a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145])
         by example.it (MailFarm) with ESMTP id 3qtdRh1Y8wzFpVj
         for <xxx.xxx at xxx.piemonte.it>; Mon, 25 Apr 2016 09:40:16 +0200 
(CEST)
DMARC-Filter: OpenDMARC Filter v1.3.1 example.it 3qtdRh1Y8wzFpVj
Authentication-Results: example.it; dmarc=fail header.from=amazon.it
Authentication-Results: example.it; spf=fail 
smtp.mailfrom=20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it
DKIM-Filter: OpenDKIM Filter v2.10.3 example.it 3qtdRh1Y8wzFpVj
Authentication-Results: example.it;
         dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=amazon.it header.i=@amazon.it header.b=V1ZgZYnG;
         dkim=fail reason="signature verification failed" (1024-bit key) 
header.d=amazonses.com header.i=@amazonses.com header.b=aSHkWdMg
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
         s=35pzb2tapqjxshkrupem4gpoke7mq3tm; d=amazon.it; t=1461570015;
         h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
         bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
         b=V1ZgZYnG+48qG+N9ThLo2V3QfpgjHsbwnnvlQ1AkhhWOOX1bgaRvCB1xpVpZRNtJ
         dEusnqn8pA5ITbQsfuJ+QefA6rD+faO9Fme31XavK6RoGalu1JkjifUpKFTcMV2fcLm
         Nw3EjVzhAPtakGKOMkk/7B1h7bGVxS5UD3bqyJlc=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
         s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1461570015;
         h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID;
         bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
         b=aSHkWdMg/+ko4RV57oE+oqiTQ0WMSGeEPoN3ysf4K3yN4c+9hs6EHWLK+CMkuPDr
         VAS/W0tcjak2RB1Gs446KX+f4RRd8Qf/r9MB2YIKa0NQewiTYoiIsy3ly5okuOZVT/r
         Y4LIg1oQk2tuUOHc97OBoR5CFxyVlYaNt1KypnIc=
Date: Mon, 25 Apr 2016 07:40:15 +0000
From: "Amazon.it" <promotion-it at amazon.it>
To:
[...]

So, for Amavis it seems that both SPF and DKIM passed! I'm confused... 
could you help me to understand?

Thank you very much
Marco
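
Added example, not part of the original message and not OpenDMARC or Amavis code: a small Python script that reads the verdicts recorded in the `Authentication-Results` headers and the SpamAssassin rule names in `X-Spam-Status`, then lists the mechanisms on which the two disagree. The sample headers are abridged from the ones quoted above, the function names are hypothetical, and it assumes the `tests=[...]` entries are standard SpamAssassin rule names.

```python
import re
from email import message_from_string

# Abridged from the headers quoted in the message above (long values shortened).
SAMPLE = """\
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=4.5
\ttests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
\tRCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=disabled
Authentication-Results: example.it; dmarc=fail header.from=amazon.it
Authentication-Results: example.it; spf=fail smtp.mailfrom=bounces.amazon.it
Authentication-Results: example.it;
\tdkim=fail reason="signature verification failed" (1024-bit key)
\theader.d=amazon.it header.i=@amazon.it header.b=V1ZgZYnG;
\tdkim=fail reason="signature verification failed" (1024-bit key)
\theader.d=amazonses.com header.i=@amazonses.com header.b=aSHkWdMg
From: "Amazon.it" <promotion-it@amazon.it>

"""

# SpamAssassin rule name -> (mechanism, result)
SA_RULES = {"SPF_PASS": ("spf", "pass"), "SPF_FAIL": ("spf", "fail"),
            "DKIM_VALID": ("dkim", "pass"), "DKIM_INVALID": ("dkim", "fail")}

def milter_verdicts(msg):
    """Collect method -> {results} from every Authentication-Results header."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(value.split())                     # unfold the header
        text = re.sub(r'"[^"]*"|\([^)]*\)', "", text)      # drop quoted strings, comments
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text):
            out.setdefault(method, set()).add(result)
    return out

def spamassassin_verdicts(msg):
    """Collect method -> {results} from the tests=[...] list in X-Spam-Status."""
    status = " ".join((msg.get("X-Spam-Status") or "").split())
    m = re.search(r"tests=\[([^\]]*)\]", status)
    names = [t.split("=")[0].strip() for t in m.group(1).split(",")] if m else []
    out = {}
    for name in names:
        if name in SA_RULES:
            method, result = SA_RULES[name]
            out.setdefault(method, set()).add(result)
    return out

def disagreements(raw_headers):
    """Return {method: (milter results, SpamAssassin results)} where they differ."""
    msg = message_from_string(raw_headers)
    milter, sa = milter_verdicts(msg), spamassassin_verdicts(msg)
    return {m: (sorted(milter[m]), sorted(sa[m]))
            for m in milter.keys() & sa.keys() if milter[m] != sa[m]}

if __name__ == "__main__":
    for method, (milter, sa) in sorted(disagreements(SAMPLE).items()):
        print(f"{method}: milter={milter} spamassassin={sa}")
```
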

