[opendmarc-users] subdomain policy is not respected
Robert Chalmers
robert at chalmers.com.au
Mon Jan 25 06:55:48 PST 2016
It may depend on the p tag, according to the docs. Note the underlined section.
Quote:
Only the v (version) and p (policy) tags are required. Three possible policy settings, or message dispositions, are available:
none - Take no action. Log affected messages on the daily report only.
quarantine - Mark affected messages as spam.
reject - Cancel the message at the SMTP layer.
Alignment mode refers to the precision with which sender records are compared to SPF and DKIM signatures, with the two possible values being relaxed or strict, represented by "r" and "s" respectively. In short, relaxed allows partial matches, such as subdomains of a given domain, while strict requires an exact match.
Make sure to include your email address with the optional rua tag to receive the daily reports.
> On 25 Jan 2016, at 13:41, Petr Novák <novakp43 at gmail.com> wrote:
>
> Hello,
>
> I have a problem with opendmarc not respecting subdomain "none" policy (sp=none).
>
> Here is an example.
>
> DMARC record: (v=DMARC1; p=reject; sp=none; fo=1; rua=mailto:admin at prnk.cz; ruf=mailto:admin at prnk.cz)
>
> [root at prnk opendmarc]# opendmarc-check prnk.cz
> DMARC record for prnk.cz:
> Sample percentage: 100
> DKIM alignment: relaxed
> SPF alignment: relaxed
> Domain policy: reject
> Subdomain policy: none
> Aggregate report URIs:
> mailto:admin at prnk.cz
> Forensic report URIs:
> mailto:admin at prnk.cz
>
> I have created this simple mail to test the behaviour:
> *****
> [root at prnk opendmarc]# cat 3
> Received-SPF: fail (prnk.cz: domain of prnk at prnk.cz does not designate 46.30.238.4 as permitted sender) client-ip=46.30.238.4;
> To: undisclosed-recipients:;
> From: prnk at something.prnk.cz
> Message-Id: <20160125113532.84CD810B55B5 at prnk.prnk.cz>
> Date: Mon, 25 Jan 2016 12:35:24 +0100 (CET)
>
> tets
> test
> .
> *****
>
> Now when I send the mail to opendmarc it gets rejected even when subdomain policy is "none" and domain in "From:" header is "something.prnk.cz".
>
> [root at prnk opendmarc]# opendmarc -c /root/opendmarc/opendmarc.conf -t 3 -vv
> opendmarc: mlfi_connect() returned SMFIS_CONTINUE
> opendmarc: mlfi_helo() returned SMFIS_CONTINUE
> opendmarc: 3: mlfi_envfrom() returned SMFIS_CONTINUE
> opendmarc: 3: line 1: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: 3: line 2: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: 3: line 3: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: 3: line 4: mlfi_header() returned SMFIS_CONTINUE
> opendmarc: 3: line 5: mlfi_header() returned SMFIS_CONTINUE
> ### SETREPLY: rcode='550' xcode='5.7.1' replytxt='rejected by DMARC policy for prnk.cz'
> ### INSHEADER: idx=1 hname='DMARC-Filter' hvalue='OpenDMARC Filter v1.3.1 DEBUG-j DEBUG-i'
> opendmarc: 3: mlfi_eom() returned SMFIS_REJECT
> opendmarc: mlfi_close() returned SMFIS_CONTINUE
>
> History file:
>
> job DEBUG-i
> reporter DEBUG-j
> received 1453728517
> ipaddr 127.0.0.1
> from something.prnk.cz
> mfrom prnk.cz
> spf 2
> pdomain prnk.cz
> policy 16
> rua mailto:admin at prnk.cz
> pct 100
> adkim 114
> aspf 114
> p 114
> sp 110
> align_dkim 5
> align_spf 5
> action 0
>
>
> I think such mail should be accepted, because the subdomain policy is set to "none" or am I wrong?
>
> When I try sending the same mail to my email @gmail.com, it doesn't get rejected for the subdomain.
>
>
> Petr Novak
Robert Chalmers
robert at chalmers.com.au Quantum Radio: http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of -
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay
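
Added example, not part of the original thread and not OpenDMARC's code: a sketch of how RFC 7489 selects between p= and sp= and applies relaxed or strict alignment, run on inputs modelled on the record and test message quoted above. It assumes the record was found at the organizational domain (no separate record at the subdomain) and that the caller supplies the organizational domain; the function names are hypothetical.

```python
# Added example (not OpenDMARC code): RFC 7489 policy selection for a subdomain.
# Assumption: the organizational domain is supplied by the caller; a real
# receiver derives it from the Public Suffix List.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are required")
    return tags

def is_aligned(from_domain, auth_domain, org_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts any two
    names under the same organizational domain."""
    if mode == "s":
        return from_domain == auth_domain

    def under(name):
        return name == org_domain or name.endswith("." + org_domain)

    return under(from_domain) and under(auth_domain)

def disposition(record, org_domain, from_domain, spf=None, dkim=None):
    """spf and dkim are (result, domain) tuples or None.
    Returns 'pass' or the policy the domain owner requests on failure."""
    tags = parse_dmarc(record)
    from_domain, org_domain = from_domain.lower(), org_domain.lower()
    checks = ((spf, tags.get("aspf", "r")), (dkim, tags.get("adkim", "r")))
    for auth, mode in checks:
        if auth and auth[0] == "pass" and is_aligned(
                from_domain, auth[1].lower(), org_domain, mode):
            return "pass"
    # Record found at the organizational domain: sp= governs its
    # subdomains and falls back to p= when the tag is absent.
    if from_domain != org_domain:
        return tags.get("sp", tags["p"]).lower()
    return tags["p"].lower()

# Constructed input: the thread's record with the report URIs left out.
RECORD = "v=DMARC1; p=reject; sp=none; fo=1"

if __name__ == "__main__":
    # Test message from the thread: From something.prnk.cz, SPF fail, no DKIM.
    print(disposition(RECORD, "prnk.cz", "something.prnk.cz",
                      spf=("fail", "prnk.cz")))
```

In the history file quoted above, the values 114 and 110 are the ASCII codes for 'r' and 'n', which is consistent with the reject and none policies and the relaxed alignment that opendmarc-check reports.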