[opendmarc-users] dmarc fail on internal emails

Ian Evans dheianevans at gmail.com
Thu Apr 20 14:51:50 PDT 2017


On Thu, Apr 20, 2017 at 5:23 PM, Juri Haberland <juri at sapienti-sat.org>
wrote:

> [ please keep the conversation on the list ]
>

Sorry, noticed that after I sent it. Usually don't have that issue with
responding to lists.

>
> On 20.04.2017 22:21, Ian Evans wrote:
> > On Thu, Apr 20, 2017 at 3:54 PM, Juri Haberland <juri at sapienti-sat.org>
> > wrote:
>
> >> Try to send some mail from Google to your domain and look at the
> result...
> >>
> > As mentioned in my original email, I've done that and it passes. Passes
> > other dmarc checkers as well. It's just the internal email.
>
> Sorry, but no, you wrote:
> > If I send a message from user1 at example.com to a gmail address and check
> the
> > headers, I get a pass on the dmarc check.
>
> That just means that your SPF and DKIM signing setup is correct - but do
> you validate external mail correctly?
>

Yes, sorry, read that incorrectly. Working in a hospital lobby while the
missus visits a relative, so not the optimal reading conditions. So yes, if
I send an email from gmail to my site, the headers indicate a dmarc pass.
Just upgraded to 1.3.1. as per that PPA, restarted and tried again.
External email is passing. Internal email is failing.

Did try a couple of testers again just now. unlocktheinbox gave me a dmarc
fail,  verifier.port25.com gave me a dmarc fail, whereas gmail gave me an
SPF, DKIM and Dmarc pass.

>
> >> > IMHO it doesn't make any sense to check internal mail for
> SPF/DKIM/DMARC.
> >> > But if you insist, please send your opendmarc.conf for a review.
>
> > AuthservID carson.digitalhit.com
> > TrustedAuthservIDs carson.digitalhit.com
>
> Ok, good. Does Amavis use the same AuthservID?
>

Actually, no. As per this thread (
https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/#comment-11570),
discussing Amavis eating some headers, the amavis AuthservID is
amavis.local. They said:

"Amavis deletes the Authentication-Results headers if $myauthservid is the
same as AuthservID in opendmarc.conf. They both default to the local
hostname by default. To use both together set

$myauthservid = “amavis.local”;

in /etc/amavis/conf.d/50-user, see
http://lists.amavis.org/pipermail/amavis-users/2012-May/001527.html"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20170420/e9ea6af9/attachment.htm>


More information about the opendmarc-users mailing list