[opendmarc-users] dmarc fail on internal emails
Ian Evans
dheianevans at gmail.com
Fri Apr 21 14:06:06 PDT 2017
On Fri, Apr 21, 2017 at 3:53 PM, Ian Evans <dheianevans at gmail.com> wrote:
> On Fri, Apr 21, 2017 at 1:49 AM, Juri Haberland <juri at sapienti-sat.org>
> wrote:
>
>> Ian Evans wrote:
>> > On Thu, Apr 20, 2017 at 5:23 PM, Juri Haberland <juri at sapienti-sat.org>
>> > wrote:
>>
>> >> >> > IMHO it doesn't make any sense to check internal mail for SPF/DKIM/DMARC.
>> >> >> > But if you insist, please send your opendmarc.conf for a review.
>> >>
>> >> > AuthservID carson.digitalhit.com
>> >> > TrustedAuthservIDs carson.digitalhit.com
>> >>
>> >> Ok, good. Does Amavis use the same AuthservID?
>> >
>> > Actually, no. As per this thread (
>> > https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/#comment-11570),
>> > discussing Amavis eating some headers, the amavis AuthservID is
>> > amavis.local. They said:
>> >
>> > "Amavis deletes the Authentication-Results headers if $myauthservid is the
>> > same as AuthservID in opendmarc.conf. They both default to the local
>> > hostname by default. To use both together set
>> >
>> > $myauthservid = "amavis.local";
>>
>> If you use Amavis to do the DKIM check, it doesn't matter if it deletes
>> the AR header, as there shouldn't be one. The order of filters/milters
>> must be: Amavis -> OpenDMARC, as OpenDMARC needs to check the AR header
>> inserted by Amavis. In order to do that, the AuthservID used by Amavis
>> needs to be in TrustedAuthservIDs. So either set $myauthservid to
>> carson.digitalhit.com in 50-user, or add amavis.local to
>> TrustedAuthservIDs in opendmarc.conf.
>>
>>
> Sorry for the delay in responding. At my current location I only have wifi
> when the missus visits her relative in the hospital. Don't think Amavis is
> handling DKIM through its own mechanisms, that is, I didn't alter any conf
> files. OpenDKIM is installed directly as per:
>
> https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/#dkim
>
>
>> Btw:
>> What software does the SPF check?
>>
>> postfix-policyd-spf-python
>
> Again, the various test autoresponders and gmail show passes for both dkim
> and spf when I send to them, and received emails sent to my domain show
> passes as well.
>
> Will change TrustedAuthservIDs as per your suggestion.
>
>>
>>
>
Here's the current state of affairs after making the recommended changes:

Incoming email:
FROM Gmail TO my site: Headers show dkim, spf and dmarc pass
FROM mysite to mysite: Headers show dkim pass. Dmarc fail, no spf headers
present.

Safe to assume the internal mail is failing because a dmarc pass requires
dkim and SPF passes and spf isn't present?

Outgoing email:
FROM my site to Gmail: Headers show DKIM pass, SPF pass, DMARC pass
Sending email to test at http://www.appmaildev.com/en/dkim shows spf pass,
dkim pass and dmarc fail. If passed on gmail, faulty implementation on this
site?
autoreply at dmarctest.org: dkim pass, spf pass, dmarc pass
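
Added example, not part of the message above and not OpenDMARC's own code: a simplified Python model of the point quoted from Juri, that Authentication-Results stamps are only honoured when their authserv-id is in the trusted list, combined with the RFC 7489 rule that DMARC passes when either an aligned DKIM or an aligned SPF result passes. The header values, the From domain digitalhit.com and the subdomain-based alignment test (standing in for a Public Suffix List lookup) are assumptions made for illustration.

```python
import re

# Constructed sample header values (not taken from the thread's real mail).
SAMPLE = [
    "carson.digitalhit.com; spf=none smtp.mailfrom=user@digitalhit.com",
    "amavis.local; dkim=pass (2048-bit key) header.d=digitalhit.com",
]

def parse_ar(value):
    """Return (authserv_id, [(method, result, props), ...]) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)            # strip comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower()          # ignore optional version
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)\s*=\s*(\w+)", part)
        if not m:
            continue                                   # e.g. bare "none"
        props = dict(re.findall(r"([\w.]+)\s*=\s*(\S+)", part[m.end():]))
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id, results

def aligned(domain, from_domain):
    """Assumption: same domain or a subdomain of it counts as aligned."""
    domain, from_domain = domain.lower(), from_domain.lower()
    return domain == from_domain or domain.endswith("." + from_domain)

def dmarc_verdict(ar_values, from_domain, trusted_ids):
    trusted = {t.lower() for t in trusted_ids}
    dkim_ok = spf_ok = False
    for value in ar_values:
        authserv_id, results = parse_ar(value)
        if authserv_id not in trusted:
            continue                                   # untrusted stamp: ignored
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim":
                dkim_ok |= aligned(props.get("header.d", ""), from_domain)
            elif method == "spf":
                mailfrom = props.get("smtp.mailfrom", "").rpartition("@")[2]
                spf_ok |= aligned(mailfrom, from_domain)
    return "pass" if (dkim_ok or spf_ok) else "fail"

if __name__ == "__main__":
    print(dmarc_verdict(SAMPLE, "digitalhit.com", ["carson.digitalhit.com"]))
    print(dmarc_verdict(SAMPLE, "digitalhit.com", ["carson.digitalhit.com", "amavis.local"]))
```

With only carson.digitalhit.com trusted, the DKIM pass stamped by amavis.local is skipped and the verdict is fail; adding amavis.local to the trusted list turns the same headers into a pass even though SPF is none.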