[opendmarc-users] Unexplainable dmarc=none instead of dmarc=fails as authentication result

Tomki Camp tcamp at agari.com
Mon Oct 17 17:33:20 PDT 2016


Hello Stefan,
It looks like by "dmarc=none" and "dmarc=fail", you're referring to the
disposition field in XML, is this correct?  The disposition may be any of
none/reject/quarantine. Since the domain you're referring to has a policy
p=none, the disposition (what the MTA did with the message because of DMARC
results) should never be anything other than 'none', unless there are
override reasons specified.
A DMARC-fail result for the message represented by the XML record object
you listed is implicit due to neither of the policy_evaluated dkim/spf
being 'pass'.

I hope this helps.

Regards,
--Tomki



On Mon, Oct 17, 2016 at 4:56 PM, Stefan Tittel <stefan at tittel.net> wrote:

> Hello,
>
> I deployed OpenDMARC on Debian Jessie using the 1.3.1 package from
> jessie-backports. My MTA is Postfix, DKIM headers are written by OpenDKIM
> and SPF headers are written by python-policyd-spf, SPFSelfValidate is off.
>
> When it comes to successfully validating mails that are supposed to pass
> DMARC, things look mostly fine and consistent. However I just stumbled upon
> a result that I cannot explain.
>
> DMARC record of example.com (the From domain):
> ----------------------------------------------
> "v=DMARC1; p=none; rua=mailto:dmarc at example.com; ruf=mailto:dmarc at example.com; fo=0:d:s"
>
>
> Relevant mail headers:
> ----------------------
> Return-Path: <aohmhdhkoumifukgke.uahokifhfg at subdomain.someothersite.com>
> Delivered-To: <me at mysite.com>
> Received: from myserver.mysite.com
>         by myserver.mysite.com (Dovecot) with LMTP id
> ESTmCWiGBFgdUAAAFMX49g
>         for <me at mysite.com>; Mon, 17 Oct 2016 10:06:00 +0200
> Authentication-Results: myserver.mysite.com; spf=pass (sender SPF
> authorized) smtp.mailfrom=subdomain.someothersite.com
> (client-ip=123.123.123.123; helo=sendermailserver.differentsite.com;
> envelope-from=aohmhdhkoumifukgke.uahokifhfg at subdomain.someothersite.com;
> receiver=myotherself at mysite.com)
> Authentication-Results: myserver.mysite.com; dmarc=none header.from=
> example.com
> Authentication-Results: myserver.mysite.com;
>         dkim=pass (2048-bit key; unprotected) header.d=differentsite.com
> header.i=@differentsite.com header.b=d74dTJT2;
>         dkim-adsp=none (unprotected policy); dkim-atps=neutral
> Received: from sendermailserver.differentsite.com (
> sendermailserver.differentsite.com [123.123.123.123])
>         by myserver.mysite.com (Postfix) with ESMTPS id 895D94045E
>         for <myotherself at mysite.com>; Mon, 17 Oct 2016 10:05:56 +0200
> (CEST)
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=k; d=differentsite.com;
>  h=Date:From:To:Subject:Message-ID:List-Unsubscribe:MIME-
> Version:Content-Type;
>  bh=4pCHK+R2MG3DvF38W2PVLzbeulJ5wby0VB+pvymocOk=;
>  b=d74dTJT2T3/e8OUN/Mb7fpYjHZjrPUNnzSvv6gle1O9arrFPDyFlINqmP
> 2bd9+l7SZFHzNCSfkFs
>    1MPdUveFT6g4T33yE4+i3s6hTI/IlQrKlhFOis9eYqs4wIdCfGgvRM5qVMQ
> PvRj5TgMPNCq8bEdG
>    gDMVd0crrasji/6WvZZTZv+/Hh0N3vvvXT4tcx1aEUi51KHerAyrZW8EmeI
> oXKLuVXwx6eOIDBVO
>    sTU2NTJwABlERzPnqQD8sBOQw9aWowwrjRiuCsBG5PQM0icSz5CnMaOWkA4+
> Swv28G2IoqnSyJj+
>    eY6IU8l0yJ2479vp6/Z6VZ6mzrcd/BRQ3bz2AQ==
> Date: Mon, 17 Oct 2016 10:05:49 +0200
> From: "Sender Name" <info at example.com>
> To: myotherself at mysite.com
>
>
> In short: DKIM passes for the non-aligned domain "differentsite.com" and
> SPF passes for the non-aligned domain "subdomain.someothersite.com". The
> From domain has a valid DMARC record and since both DKIM and SPF are
> non-aligned, I would expect "dmarc=fail" as authentication result of
> OpenDMARC, however it is "dmarc=none".
>
> In the aggregate report sent out to example.com everything looks like
> it's supposed to look (policy recognized, non-alignment of both SPF and
> DKIM leads to failed policy evaluation, raw results for SPF and DKIM are
> pass):
>
> <policy_published>
>   <domain>example.com</domain>
>   <adkim>r</adkim>
>   <aspf>r</aspf>
>   <p>none</p>
>   <sp>none</sp>
>   <pct>100</pct>
> </policy_published>
> <record>
>   <row>
>    <source_ip>123.123.123.123</source_ip>
>    <count>1</count>
>    <policy_evaluated>
>     <disposition>none</disposition>
>     <dkim>fail</dkim>
>     <spf>fail</spf>
>    </policy_evaluated>
>   </row>
>   <identifiers>
>    <header_from>example.com</header_from>
>   </identifiers>
>   <auth_results>
>    <spf>
>     <domain>subdomain.someothersite.com</domain>
>     <result>pass</result>
>    </spf>
>    <dkim>
>     <domain>differentsite.com</domain>
>     <result>pass</result>
>    </dkim>
>   </auth_results>
> </record>
>
> Any ideas?
>
> Thank you in advance!
> Stefan
>
> PS.: example.com is actually a sports venue and this is happening with
> their newsletters and the unsubscribe mail for their newsletter. You can
> sign up for the newsletter here:
> http://www.sportpark-gelsenkirchen.de/infos/newsletter/
>
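
The difference between the DMARC result and the disposition discussed in this thread can be recomputed from an aggregate report record. The following is an added example, not part of the thread and not OpenDMARC code: it parses the record quoted above (wrapped in a constructed `<feedback>` root) and derives alignment, the implicit pass/fail result, and whether `policy_evaluated` agrees. The `org_domain` helper is a simplifying assumption (last two labels); a real evaluator uses the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <policy_published> and <record> elements quoted in
# the thread, wrapped in a <feedback> root so they parse as one document.
REPORT = """<feedback>
<policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
<p>none</p><sp>none</sp><pct>100</pct></policy_published>
<record>
 <row><source_ip>123.123.123.123</source_ip><count>1</count>
  <policy_evaluated><disposition>none</disposition>
   <dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results>
  <spf><domain>subdomain.someothersite.com</domain><result>pass</result></spf>
  <dkim><domain>differentsite.com</domain><result>pass</result></dkim>
 </auth_results>
</record>
</feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), anything else = relaxed (same org domain).
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    out = []
    for rec in root.findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        ok = {}
        for mech, tag in (("dkim", "adkim"), ("spf", "aspf")):
            mode = pol.findtext(tag, "r")
            # A mechanism counts for DMARC only if it passed AND is aligned.
            ok[mech] = any(
                e.findtext("result") == "pass"
                and aligned(e.findtext("domain"), hfrom, mode)
                for e in rec.findall(f"auth_results/{mech}"))
        pe = rec.find("row/policy_evaluated")
        out.append({
            "dmarc": "pass" if ok["dkim"] or ok["spf"] else "fail",
            "aligned": ok,
            "disposition": pe.findtext("disposition"),  # what the receiver did
            "matches_report": all((pe.findtext(m) == "pass") == ok[m] for m in ok),
        })
    return out
```

For the quoted record this yields a DMARC result of `fail` alongside a disposition of `none`, because the raw SPF and DKIM passes are for domains that do not align with `example.com` and the published policy is `p=none`.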