[opendmarc-users] troubleshooting an opendmarc 1.3.1 auth failure?

Juri Haberland juri at sapienti-sat.org
Tue May 10 07:23:14 PDT 2016


jasonsu at mail-central.com wrote:

> TBH, I don't understand yet why that's a problem when there are different
> smtpd instances -- one doing the SPF check, one doing the DKIM check, and one
> doing the DMARC check.  I thought that in that case the message simply gets
> checked, then passed along.
>
> Local relay/delivery happens after all my checks, and again has its own smtpd
> instance.  It clearly gets the complete message for delivery ... as the whole
> message gets delivered.

Are you talking about two completely different Postfix instances or just
different listeners of one Postfix instance? With completely independent Postfix
instances there should not be this problem given that one instance runs the
milters and the other one the content filter.

> What am I missing here?

The reason for this limitation can only be explained by Wietse Venema (and
maybe Victor Duchovni) - you need to ask this on the postfix-users ML.

> Also, in my OP, that's just one example of a fail.  non-spam mail reports
> successful delivery
>
> Here, for example, are headers from a subsequent, successful, non-spam
> message.  As you can see, spf, dkim, and dmarc checks all appear to be
> completed, and content is spam-scored

> 	DMARC-Filter: OpenDMARC Filter v1.3.1 mail.example.com 2d7l8g9gTLd4bbf
> 	Authentication-Results: dmarc.mail.example.com/2d7l8g9gTLd4bbf; dmarc=none
> 	    header.from=e.hertzusa.brierleycrm.com

This domain does not have a DMARC record (according to
https://dmarcian.com/dmarc-inspector/e.hertzusa.brierleycrm.com) hence
"dmarc=none".
Have a look at the history file to see what the OpenDMARC milter really
thought about SPF and DKIM for that domain.

Cheers,
  Juri
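
The header check discussed in the reply above, as an added example that is not part of the original post: it reads the Authentication-Results headers of a message, keeps only those stamped by your own host, and reports what each dmarc= result means. The trusted host name and the third sample header are assumptions constructed for illustration, and the parser is simplified (no quoted strings or nested comments).

```python
import re
from email import message_from_string

# Constructed message; the first header mirrors the one quoted in the post.
SAMPLE = (
    "Authentication-Results: dmarc.mail.example.com/2d7l8g9gTLd4bbf; dmarc=none\n"
    "\theader.from=e.hertzusa.brierleycrm.com\n"
    "Authentication-Results: mail.example.com; spf=pass smtp.mailfrom=bounce.example.net\n"
    "Authentication-Results: mx.sender.example.org; dmarc=pass header.from=sender.example.org\n"
    "Subject: constructed sample\n\nbody\n"
)

# Result meanings per RFC 7489
DMARC_MEANING = {
    "none": "no DMARC record published (or no aligned identifier found)",
    "pass": "record found, SPF or DKIM passed in alignment",
    "fail": "record found, neither SPF nor DKIM passed in alignment",
}

def parse_authres(value):
    """Split one header value into (authserv_id, [(method, result, props)])."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^()]*\)", "", value)     # drop (comments); nesting not handled
    parts = [p.strip() for p in value.split(";")]
    authserv_id = (parts[0].split() or [""])[0]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue                             # e.g. a bare "none": no methods ran
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def dmarc_verdicts(raw_message, trusted_host):
    """Return DMARC results stamped by trusted_host or one of its subdomains."""
    verdicts = []
    for value in message_from_string(raw_message).get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(value)
        host = authserv_id.split("/")[0].lower()  # the quoted header appends /<job id>
        if host != trusted_host and not host.endswith("." + trusted_host):
            continue                              # stamped elsewhere, so not trusted
        for method, result, props in results:
            if method == "dmarc":
                verdicts.append((props.get("header.from"), result,
                                 DMARC_MEANING.get(result, "see RFC 7489")))
    return verdicts

if __name__ == "__main__":
    for verdict in dmarc_verdicts(SAMPLE, "mail.example.com"):
        print(verdict)
```

A dmarc=none result only says no policy was found; the SPF and DKIM outcomes behind it still have to come from the history file or the other Authentication-Results headers.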



