[opendmarc-users] [Help] amazon false positive?

Petr Novák novakp43 at gmail.com
Tue Apr 26 03:59:03 PDT 2016


Hello,

- SPF record for bounces.amazon.it is:
v=spf1 include:amazon.com -all
- amazon.com:
v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all
- amazonses.com:
v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 -all

IP 54.240.0.145 is in this rule "ip4:54.240.0.0/18" . So the result of 
SPF check should be a "pass". You can also check it here: 
http://www.kitterman.com/spf/validate.html or 
http://vamsoft.com/support/tools/spf-policy-tester .

The DMARC record of amazon.it doesn't specify an aspf value, which means the 
default value is used, which is relaxed. So the mailfrom (bounces.amazon.it) and 
from (amazon.it) domains are "in alignment" and the DMARC SPF check should 
pass, so DMARC should also pass.

So the question is why your SPF result is wrong. What SPF check do you use?

Those DKIM fails could mean that a header that was signed or email 
content was modified before opendkim checked the signature. You should 
check if anything checks the email before opendkim and could have 
modified it. Or maybe the email was modified at the source after signing, 
who knows :).

Best regards
   Petr Novak


On 26.4.2016 at 11:52, Sistemisti Posta wrote:
> Hello,
>
>   checking my log I found many mail from amazon.it which don't pass
> DMARC. Yesterday 33 mails from amazon.it pass DMARC, and 11 don't pass
> DMARC. A mail that doesn't pass DMARC is:
>
>   <record>
>    <row>
>     <source_ip>54.240.0.145</source_ip>
>     <count>1</count>
>     <policy_evaluated>
>      <disposition>none</disposition>
>      <dkim>fail</dkim>
>      <spf>fail</spf>
>     </policy_evaluated>
>    </row>
>    <identifiers>
>     <header_from>amazon.it</header_from>
>    </identifiers>
>    <auth_results>
>     <spf>
>      <domain>bounces.amazon.it</domain>
>      <result>fail</result>
>     </spf>
>     <dkim>
>      <domain>amazon.it</domain>
>      <result>fail</result>
>     </dkim>
>     <dkim>
>      <domain>amazonses.com</domain>
>      <result>fail</result>
>     </dkim>
>    </auth_results>
>   </record>
>
> Both SPF and DKIM failed.
>
> I checked with other tools as
> http://mxtoolbox.com/SuperTool.aspx?action=spf%3abounces.amazon.it%3a54.240.0.145&run=toolpage
>
>
> and they also seem to say that SPF doesn't pass.
>
> My opendkim logs are:
>
> 2016-04-25T09:40:16.219590+02:00 postfix/smtpd[22207]: 3qtdRh1Y8wzFpVj:
> client=a0-145.smtp-out.eu-west-1.amazonses.com[54.240.0.145]
> 2016-04-25T09:40:16.293430+02:00 postfix/cleanup[23624]:
> 3qtdRh1Y8wzFpVj:
> message-id=<010201544c5c8f06-f72b0d0b-d4cd-4826-a1bf-8e688734dcf0-000000 at eu-west-1.amazonses.com>
>
>
> 2016-04-25T09:40:16.441767+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
> a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145] not internal
> 2016-04-25T09:40:16.441773+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: not
> authenticated
> 2016-04-25T09:40:16.447550+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj:
> message has signatures from amazon.it, amazonses.com
> 2016-04-25T09:40:16.447777+02:00 opendkim[31094]: 3qtdRh1Y8wzFpVj: bad
> signature data
> 2016-04-25T09:40:16.511127+02:00 opendmarc[13720]: 3qtdRh1Y8wzFpVj:
> amazon.it fail
>
> I was archiving this issue as an amazon.it issue, but I'm still checking
> SPF and DKIM with Amavis, and when I retrieved the headers I saw:
>
> Return-Path:
> <20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it>
>
> [...]
> X-Spam-Status: No, score=-2.3 tagged_above=-999 required=4.5
>          tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
>          DSPAM_HAM_99=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7,
>          RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
>          T_REMOTE_IMAGE=0.01] autolearn=disabled
> Received: from localhost ([127.0.0.1])
>          by localhost (example.it [127.0.0.1]) (amavisd-new, port 10024)
>          with LMTP id vvmYeH-TCJKl for <xxx.xxx at xxx.piemonte.it>;
>          Mon, 25 Apr 2016 09:40:16 +0200 (CEST)
> Received: from a0-145.smtp-out.eu-west-1.amazonses.com
> (a0-145.smtp-out.eu-west-1.amazonses.com [54.240.0.145])
>          by example.it (MailFarm) with ESMTP id 3qtdRh1Y8wzFpVj
>          for <xxx.xxx at xxx.piemonte.it>; Mon, 25 Apr 2016 09:40:16 +0200
> (CEST)
> DMARC-Filter: OpenDMARC Filter v1.3.1 example.it 3qtdRh1Y8wzFpVj
> Authentication-Results: example.it; dmarc=fail header.from=amazon.it
> Authentication-Results: example.it; spf=fail
> smtp.mailfrom=20160425074014030a9b69a6184b8680cc09c75350p0eu-C3S1XNCGG2J9BA at bounces.amazon.it
>
> DKIM-Filter: OpenDKIM Filter v2.10.3 example.it 3qtdRh1Y8wzFpVj
> Authentication-Results: example.it;
>          dkim=fail reason="signature verification failed" (1024-bit key)
> header.d=amazon.it header.i=@amazon.it header.b=V1ZgZYnG;
>          dkim=fail reason="signature verification failed" (1024-bit key)
> header.d=amazonses.com header.i=@amazonses.com header.b=aSHkWdMg
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>          s=35pzb2tapqjxshkrupem4gpoke7mq3tm; d=amazon.it; t=1461570015;
>          h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
>          bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
>          b=V1ZgZYnG+48qG+N9ThLo2V3QfpgjHsbwnnvlQ1AkhhWOOX1bgaRvCB1xpVpZRNtJ
>
> dEusnqn8pA5ITbQsfuJ+QefA6rD+faO9Fme31XavK6RoGalu1JkjifUpKFTcMV2fcLm
>          Nw3EjVzhAPtakGKOMkk/7B1h7bGVxS5UD3bqyJlc=
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>          s=ihchhvubuqgjsxyuhssfvqohv7z3u4hn; d=amazonses.com; t=1461570015;
>
> h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID;
>          bh=kI6vgeAsl+YWEOBIdxBl4q+YDWpyeuzWOPHjytGdj10=;
>          b=aSHkWdMg/+ko4RV57oE+oqiTQ0WMSGeEPoN3ysf4K3yN4c+9hs6EHWLK+CMkuPDr
>
> VAS/W0tcjak2RB1Gs446KX+f4RRd8Qf/r9MB2YIKa0NQewiTYoiIsy3ly5okuOZVT/r
>          Y4LIg1oQk2tuUOHc97OBoR5CFxyVlYaNt1KypnIc=
> Date: Mon, 25 Apr 2016 07:40:15 +0000
> From: "Amazon.it" <promotion-it at amazon.it>
> To:
> [...]
>
> So, for Amavis it seems that both SPF and DKIM passed! I'm confused...
> could you help me to understand?
>
> Thank you very much
> Marco
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
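
Added example, not part of the original messages: the SPF evaluation and relaxed-alignment reasoning from the reply above, run offline against the three records quoted there. The function names are hypothetical; includes whose records are not quoted in the thread (spf1.amazon.com, spf2.amazon.com) are skipped, and the organizational domain is approximated as the last two labels.

```python
import ipaddress

# SPF records exactly as quoted in the reply above. spf1.amazon.com and
# spf2.amazon.com are not shown in the thread, so they are not embedded.
SPF_RECORDS = {
    "bounces.amazon.it": "v=spf1 include:amazon.com -all",
    "amazon.com": "v=spf1 include:spf1.amazon.com include:spf2.amazon.com "
                  "include:amazonses.com -all",
    "amazonses.com": "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 "
                     "ip4:54.240.0.0/18 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate ip4/include/all mechanisms against the embedded records."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        matched = mech == "all"  # other mechanisms are out of scope here
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            # Simplification: an include with no embedded record never matches.
            matched = check_spf(ip, mech[8:], depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels, which
    # holds for amazon.it; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def relaxed_aligned(mailfrom_domain, header_from_domain):
    """Relaxed (default aspf) alignment: same organizational domain."""
    return org_domain(mailfrom_domain) == org_domain(header_from_domain)


def dmarc_spf_pass(ip, mailfrom_domain, header_from_domain):
    return (check_spf(ip, mailfrom_domain) == "pass"
            and relaxed_aligned(mailfrom_domain, header_from_domain))
```

With the values from the report, `dmarc_spf_pass("54.240.0.145", "bounces.amazon.it", "amazon.it")` returns `True`, so a `fail` from the local SPF check points at the checker or its DNS lookups rather than at the published records.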

