[opendmarc-users] Missing dmarc results header on incoming mail

Simon Wilson simon at simonandkate.net
Fri Jul 14 05:47:19 PDT 2017 

----- Message from Simon Wilson <simon at simonandkate.net> ---------
    Date: Fri, 14 Jul 2017 22:35:47 +1000
    From: Simon Wilson <simon at simonandkate.net>
Reply-To: simon at simonandkate.net
Subject: [opendmarc-users] Missing dmarc results header on incoming mail
      To: opendmarc-users at trusteddomain.org

> Hi all, I've just implemented opendmarc for inbound dmarc checking  
> on my postfix mail server. I have been checking SPF and DKIM inbound  
> for years.
>
> In a nutshell things appear to all be running, but I'm not sure on  
> sequence, and I'm not seeing a dmarc Authentication-Results header  
> from opendmarc.
>
> I have postfix using postfix-policyd-spf. That triggers first, and  
> adds a Received-SPF header with its result.
>
> Then the logs show opendmarc triggering (it's called as an  
> smtpd_milter from postfix's main.cf) I have opendmarc set to trust  
> existing SPF results in the headers. The logs show success, e.g.:
>
> Jul 14 22:28:40 emp07 opendmarc[17024]: 6FEF0309B0D1: bhpbilliton.com pass
>
> Then the logs show postfix sending to amavisd-new (it's set up on  
> port 10024, processes, then sends back to postfix), which does DKIM  
> validation, and adds an Authentication-Results header, e.g.  
> Authentication-Results: mail.simonandkate.net (amavisd-new); dkim=pass
>
> Amavisd-new runs spamassassin, and it is applying rules as I'd  
> expect for SPF and DKIM.
>
> End result in the email headers I see the Received-SPF header, a  
> DMARC-Filter header with the version and server name (but no  
> results), and a single DKIM Authentication-Results header.
>
> I've tried doing DKIM validation in opendkim instead of amavisd-new,  
> but the result is the same (except for the DKIM result header coming  
> from opendkim instead of amavisd-new).
>
> - Is this all behaving as expected?
> - Why am I not seeing a dmarc results header?
> - And am I sequencing things correctly?
>
> Thanks
> Simon.
>
> --
> Simon Wilson
> M: 0400 12 11 16
>
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.orghttp://www.trusteddomain.org/mailman/listinfo/opendmarc-users

----- End message from Simon Wilson <simon at simonandkate.net> -----

I think I have just answered my own question, barely minutes after  
spending all that time writing that last email :(

Even when I had opendkim running and doing dkim validation,  
amavisd-new was still running and doing its dkim validation, I'd not  
correctly disabled it.

With amavisd-new dkim validation disabled, and opendkim enabled,  
opendmarc Authentication-Results headers are there.

Conclusion:

It looks like Amavisd-new, which was running last, was deleting the  
previously written Authentication-Results headers, from both opendkim  
and opendmarc, and replacing with its own.

Apologies for the noise - this may help someone else one day though.  
All I need to do now is transfer the DKIM signing from amavisd-new to  
opendkim, and leave amavisd-new out of DKIM entirely.

Simon.


-- 
Simon Wilson
M: 0400 12 11 16

More information about the opendmarc-users mailing list