[opendmarc-users] dmarc fail on internal emails

Ian Evans dheianevans at gmail.com
Fri Apr 21 12:53:31 PDT 2017


On Fri, Apr 21, 2017 at 1:49 AM, Juri Haberland <juri at sapienti-sat.org>
wrote:

> Ian Evans wrote:
> > On Thu, Apr 20, 2017 at 5:23 PM, Juri Haberland <juri at sapienti-sat.org>
> > wrote:
>
> >> >> > IMHO it doesn't make any sense to check internal mail for
> >> SPF/DKIM/DMARC.
> >> >> > But if you insist, please send your opendmarc.conf for a review.
> >>
> >> > AuthservID carson.digitalhit.com
> >> > TrustedAuthservIDs carson.digitalhit.com
> >>
> >> Ok, good. Does Amavis use the same AuthservID?
> >
> > Actually, no. As per this thread (
> > https://www.skelleton.net/2015/03/21/how-to-eliminate-
> spam-and-protect-your-name-with-dmarc/#comment-11570),
> > discussing Amavis eating some headers, the amavis AuthservID is
> > amavis.local. They said:
> >
> > "Amavis deletes the Authentication-Results headers if $myauthservid is
> the
> > same as AuthservID in opendmarc.conf. They both default to the local
> > hostname by default. To use both together set
> >
> > $myauthservid = ?amavis.local?;
>
> If you use Amavis to do the DKIM check, it doesn't matter if it deletes
> the AR
> header, as there shouldn't be one. The order of filters/milters must be:
> Amavis -> OpenDMARC, as OpenDMARC needs to check the AR header inserted by
> Amavis. In order to do that, the AuthservID used by Amavis needs to be in
> TrustedAuthservIDs. So either set $myauthservid to carson.digitalhit.com
> in
> 50-user, or add amavis.local to TrustedAuthservIDs in opendmarc.conf.
>
>
Sorry for the delay in responding. At my current location I only have wifi
when the missus visits her relative in the hospital. Don't think Amavis is
handling DKIM through it's own mechanisms, that is, I didn't alter any conf
files. OpenDKIM is installed directly as per:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/#dkim


> Btw:
> What software does the SPF check?
>
> postfix-policyd-spf-python

Again, the various test autoresponders and gmail show passes for both dkim
and spf. when I send to them and received emails sent to my domain show
passes as well.

Will change TrustedAuthservIDsas per your suggestion.

>
>   Juri
>
>
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20170421/7578af92/attachment.htm>


More information about the opendmarc-users mailing list