[opendmarc-users] Unexplainable dmarc=none instead of dmarc=fails as authentication result

Stefan Tittel stefan at tittel.net
Mon Oct 17 16:56:15 PDT 2016


Hello,

I deployed OpenDMARC on Debian Jessie using the 1.3.1 package from 
jessie-backports. My MTA is Postfix, DKIM headers are written by 
OpenDKIM and SPF headers are written by python-policyd-spf, 
SPFSelfValidate is off.

When it comes to successfully validating mails that are supposed to pass 
DMARC, things look mostly fine and consistent. However I just stumbled 
upon a result that I cannot explain.

DMARC record of example.com (the From domain):
----------------------------------------------
"v=DMARC1; p=none; rua=mailto:dmarc at example.com; 
ruf=mailto:dmarc at example.com; fo=0:d:s"


Relevant mail headers:
----------------------
Return-Path: <aohmhdhkoumifukgke.uahokifhfg at subdomain.someothersite.com>
Delivered-To: <me at mysite.com>
Received: from myserver.mysite.com
	by myserver.mysite.com (Dovecot) with LMTP id ESTmCWiGBFgdUAAAFMX49g
	for <me at mysite.com>; Mon, 17 Oct 2016 10:06:00 +0200
Authentication-Results: myserver.mysite.com; spf=pass (sender SPF 
authorized) smtp.mailfrom=subdomain.someothersite.com 
(client-ip=123.123.123.123; helo=sendermailserver.differentsite.com; 
envelope-from=aohmhdhkoumifukgke.uahokifhfg at subdomain.someothersite.com; 
receiver=myotherself at mysite.com)
Authentication-Results: myserver.mysite.com; dmarc=none 
header.from=example.com
Authentication-Results: myserver.mysite.com;
	dkim=pass (2048-bit key; unprotected) header.d=differentsite.com 
header.i=@differentsite.com header.b=d74dTJT2;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral
Received: from sendermailserver.differentsite.com 
(sendermailserver.differentsite.com [123.123.123.123])
	by myserver.mysite.com (Postfix) with ESMTPS id 895D94045E
	for <myotherself at mysite.com>; Mon, 17 Oct 2016 10:05:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=k; d=differentsite.com;
  
h=Date:From:To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type;
  bh=4pCHK+R2MG3DvF38W2PVLzbeulJ5wby0VB+pvymocOk=;
  
b=d74dTJT2T3/e8OUN/Mb7fpYjHZjrPUNnzSvv6gle1O9arrFPDyFlINqmP2bd9+l7SZFHzNCSfkFs
    
1MPdUveFT6g4T33yE4+i3s6hTI/IlQrKlhFOis9eYqs4wIdCfGgvRM5qVMQPvRj5TgMPNCq8bEdG
    
gDMVd0crrasji/6WvZZTZv+/Hh0N3vvvXT4tcx1aEUi51KHerAyrZW8EmeIoXKLuVXwx6eOIDBVO
    
sTU2NTJwABlERzPnqQD8sBOQw9aWowwrjRiuCsBG5PQM0icSz5CnMaOWkA4+Swv28G2IoqnSyJj+
    eY6IU8l0yJ2479vp6/Z6VZ6mzrcd/BRQ3bz2AQ==
Date: Mon, 17 Oct 2016 10:05:49 +0200
 From: "Sender Name" <info at example.com>
To: myotherself at mysite.com


In short: DKIM passes for the non-aligned domain "differentsite.com" and 
SPF passes for the non-aligned domain "subdomain.someothersite.com". The 
 From domain has a valid DMARC record and since both DKIM and SPF are 
non-aligned, I would expect "dmarc=fail" as authentication result of 
OpenDMARC, however it is "dmarc=none".

In the aggregate report sent out to example.com everything looks like 
it's supposed to look (policy recognized, non-alignment of both SPF and 
DKIM leads to failed policy evaluation, raw results for SPF and DKIM are 
pass):

<policy_published>
   <domain>example.com</domain>
   <adkim>r</adkim>
   <aspf>r</aspf>
   <p>none</p>
   <sp>none</sp>
   <pct>100</pct>
</policy_published>
<record>
   <row>
    <source_ip>123.123.123.123</source_ip>
    <count>1</count>
    <policy_evaluated>
     <disposition>none</disposition>
     <dkim>fail</dkim>
     <spf>fail</spf>
    </policy_evaluated>
   </row>
   <identifiers>
    <header_from>example.com</header_from>
   </identifiers>
   <auth_results>
    <spf>
     <domain>subdomain.someothersite.com</domain>
     <result>pass</result>
    </spf>
    <dkim>
     <domain>differentsite.com</domain>
     <result>pass</result>
    </dkim>
   </auth_results>
</record>

Any ideas?

Thank you in advance!
Stefan

PS.: example.com is actually a sports venue and this is happening with 
their newsletters and the unsubscribe mail for their newsletter. You can 
sign up for the newsletter here: 
http://www.sportpark-gelsenkirchen.de/infos/newsletter/


More information about the opendmarc-users mailing list