[opendmarc-users] subdomain policy is not respected

Petr Novák novakp43 at gmail.com
Mon Jan 25 07:59:43 PST 2016 

I dont think this is relevant to the subdomain policy.

Alignment mode for SPF/DKIM only refers to how strict SPF/DKIM checks 
are, but in my example they both fail anyway and DMARC check also fails. 
But the mail with (p=reject;sp=none) should be rejected only for the 
Organisational Name (prnk.cz) but not for its subdomains 
(something.prnk.cz).

When subdomain policy "sp" is not present then it will default to the 
"p" policy. But if "sp" is specified then mail which has any subdomain 
in "From:" header should be handled by "sp" policy. Otherwise setting up 
subdomain policy "sp" would be useless.

At least thats what I think :).

Dne 25.1.2016 v 15:55 Robert Chalmers napsal(a):
>
>
> It may depend on the p tag, according to the docs. Note the underlined
> section.
>
> Quote:
>
> Only the /v (version)/ and /p (policy)/ tags are required. Three
> possible policy settings, or message dispositions, are available:
>
>   * *none* - Take no action. Log affected messages on the daily report only.
>   * *quarantine* - Mark affected messages as spam.
>   * *reject* - Cancel the message at the SMTP layer.
>
> Alignment mode refers to the precision with which sender records are
> compared to SPF and DKIM signatures, with the two possible values being
> relaxed or strict. represented by "r" and "s" respectively. _In short,
> relaxed allows partial matches, such as subdomains of a given domain,
> while strict requires an exact match_.
>
> Make sure to include your email address with the optional rua tag to
> receive the daily reports.
>
>
>
>
>> On 25 Jan 2016, at 13:41, Petr Novák <novakp43 at gmail.com
>> <mailto:novakp43 at gmail.com>> wrote:
>>
>> Hello,
>>
>> I have a problem with opendmarc not respecting subdomain "none" policy
>> (sp=none).
>>
>> Here is an example.
>>
>> DMARC record: (v=DMARC1; p=reject; sp=none; fo=1;
>> rua=mailto:admin at prnk.cz; ruf=mailto:admin at prnk.cz)
>>
>> [root at prnk opendmarc]# opendmarc-check prnk.cz
>> DMARC record for prnk.cz:
>>        Sample percentage: 100
>>        DKIM alignment: relaxed
>>        SPF alignment: relaxed
>>        Domain policy: reject
>>        Subdomain policy: none
>>        Aggregate report URIs:
>> mailto:admin at prnk.cz
>>        Forensic report URIs:
>> mailto:admin at prnk.cz
>>
>> I have created this simple mail to test the behaviour:
>> *****
>> [root at prnk opendmarc]# cat 3
>> Received-SPF: fail (prnk.cz: domain of prnk at prnk.cz
>> <mailto:prnk at prnk.cz> does not designate 46.30.238.4 as permitted
>> sender) client-ip=46.30.238.4;
>> To: undisclosed-recipients:;
>> From: prnk at something.prnk.cz <mailto:prnk at something.prnk.cz>
>> Message-Id: <20160125113532.84CD810B55B5 at prnk.prnk.cz
>> <mailto:20160125113532.84CD810B55B5 at prnk.prnk.cz>>
>> Date: Mon, 25 Jan 2016 12:35:24 +0100 (CET)
>>
>> tets
>> test
>> .
>> *****
>>
>> Now when I send the mail to opendmarc it gets rejected even when
>> subdomain policy is "none" and domain in "From:" header is
>> "something.prnk.cz".
>>
>> [root at prnk opendmarc]# opendmarc -c /root/opendmarc/opendmarc.conf -t
>> 3 -vv
>> opendmarc: mlfi_connect() returned SMFIS_CONTINUE
>> opendmarc: mlfi_helo() returned SMFIS_CONTINUE
>> opendmarc: 3: mlfi_envfrom() returned SMFIS_CONTINUE
>> opendmarc: 3: line 1: mlfi_header() returned SMFIS_CONTINUE
>> opendmarc: 3: line 2: mlfi_header() returned SMFIS_CONTINUE
>> opendmarc: 3: line 3: mlfi_header() returned SMFIS_CONTINUE
>> opendmarc: 3: line 4: mlfi_header() returned SMFIS_CONTINUE
>> opendmarc: 3: line 5: mlfi_header() returned SMFIS_CONTINUE
>> ### SETREPLY: rcode='550' xcode='5.7.1' replytxt='rejected by DMARC
>> policy for prnk.cz'
>> ### INSHEADER: idx=1 hname='DMARC-Filter' hvalue='OpenDMARC Filter
>> v1.3.1 DEBUG-j DEBUG-i'
>> opendmarc: 3: mlfi_eom() returned SMFIS_REJECT
>> opendmarc: mlfi_close() returned SMFIS_CONTINUE
>>
>> History file:
>>
>> job DEBUG-i
>> reporter DEBUG-j
>> received 1453728517
>> ipaddr 127.0.0.1
>> from something.prnk.cz
>> mfrom prnk.cz
>> spf 2
>> pdomain prnk.cz
>> policy 16
>> rua mailto:admin at prnk.cz
>> pct 100
>> adkim 114
>> aspf 114
>> p 114
>> sp 110
>> align_dkim 5
>> align_spf 5
>> action 0
>>
>>
>> I think such mail should be accepted, because the subdomain policy is
>> set to "none" or am I wrong?
>>
>> When I try sending the same mail to my email @gmail.com
>> <http://gmail.com> It doesnt get rejected for the subdomain.
>>
>>
>> Petr Novak
>> _______________________________________________
>> opendmarc-users mailing list
>> opendmarc-users at trusteddomain.org
>> <mailto:opendmarc-users at trusteddomain.org>
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
> Robert Chalmers
> robert at chalmers.com <mailto:robert at chalmers.com>.au  Quantum Radio:
> http://tinyurl.com/lwwddov
> Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan
> 10.11. 2TB Storage made up of -
> Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB.
> Lower Bay
>
>
>

More information about the opendmarc-users mailing list