[opendmarc-users] Missing dmarc results header on incoming mail
Dominic Raferd
dominic at timedicer.co.uk
Fri Jul 14 06:08:09 PDT 2017
I would be interested to know if in your case opendmarc is using its
internal SPF checking or relying on the external SPF header set by
policyd-spf.

My understanding is that for the latter behaviour you must have policyd-spf
set to provide an 'Authentication-Results' header (opendmarc doesn't
understand the 'Received-SPF' header), and furthermore - if you are using
postfix - you must add an initial 'dummy' header line before the
'check_policy_service unix:private/policy-spf' because this gets stripped
out in the information passed to the opendmarc milter and otherwise it
therefore loses sight of the SPF header.

To test this, set 'SPFSelfValidate = false' in opendmarc.conf and see if it
can still authenticate incoming mails.

On 14 July 2017 at 13:47, Simon Wilson <simon at simonandkate.net> wrote:
> ----- Message from Simon Wilson <simon at simonandkate.net> ---------
> Date: Fri, 14 Jul 2017 22:35:47 +1000
> From: Simon Wilson <simon at simonandkate.net>
> Reply-To: simon at simonandkate.net
> Subject: [opendmarc-users] Missing dmarc results header on incoming mail
> To: opendmarc-users at trusteddomain.org
>
>
>> Hi all, I've just implemented opendmarc for inbound dmarc checking on my
>> postfix mail server. I have been checking SPF and DKIM inbound for years.
>>
>> In a nutshell things appear to all be running, but I'm not sure on
>> sequence, and I'm not seeing a dmarc Authentication-Results header from
>> opendmarc.
>>
>> I have postfix using postfix-policyd-spf. That triggers first, and adds a
>> Received-SPF header with its result.
>>
>> Then the logs show opendmarc triggering (it's called as an smtpd_milter
>> from postfix's main.cf). I have opendmarc set to trust existing SPF
>> results in the headers. The logs show success, e.g.:
>>
>> Jul 14 22:28:40 emp07 opendmarc[17024]: 6FEF0309B0D1: bhpbilliton.com pass
>>
>> Then the logs show postfix sending to amavisd-new (it's set up on port
>> 10024, processes, then sends back to postfix), which does DKIM validation,
>> and adds an Authentication-Results header, e.g. Authentication-Results:
>> mail.simonandkate.net (amavisd-new); dkim=pass
>>
>> Amavisd-new runs spamassassin, and it is applying rules as I'd expect for
>> SPF and DKIM.
>>
>> End result in the email headers I see the Received-SPF header, a
>> DMARC-Filter header with the version and server name (but no results), and
>> a single DKIM Authentication-Results header.
>>
>> I've tried doing DKIM validation in opendkim instead of amavisd-new, but
>> the result is the same (except for the DKIM result header coming from
>> opendkim instead of amavisd-new).
>>
>> - Is this all behaving as expected?
>> - Why am I not seeing a dmarc results header?
>> - And am I sequencing things correctly?
>>
>> Thanks
>> Simon.
>>
>> --
>> Simon Wilson
>> M: 0400 12 11 16
>>
>> _______________________________________________
>> opendmarc-users mailing list
>> opendmarc-users at trusteddomain.org
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>
>
> ----- End message from Simon Wilson <simon at simonandkate.net> -----
>
> I think I have just answered my own question, barely minutes after
> spending all that time writing that last email :(
>
> Even when I had opendkim running and doing dkim validation, amavisd-new
> was still running and doing its dkim validation, I'd not correctly disabled
> it.
>
> With amavisd-new dkim validation disabled, and opendkim enabled, opendmarc
> Authentication-Results headers are there.
>
> Conclusion:
>
> It looks like Amavisd-new, which was running last, was deleting the
> previously written Authentication-Results headers, from both opendkim and
> opendmarc, and replacing with its own.
>
> Apologies for the noise - this may help someone else one day though. All I
> need to do now is transfer the DKIM signing from amavisd-new to opendkim,
> and leave amavisd-new out of DKIM entirely.
>
>
> Simon.
>
>
> --
> Simon Wilson
> M: 0400 12 11 16
>
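
A check for the two symptoms discussed in this thread, added here as an example and not code from either poster or from the OpenDMARC project: it reads a message's headers and reports when the SPF result exists only as Received-SPF, and when a DMARC-Filter header is present without any dmarc= result in Authentication-Results. The sample message, host names and issue labels are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample (host names, version and addresses are made up): the
# header set Simon describes, where only a later filter's result survives.
SAMPLE = """\
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=192.0.2.10
DMARC-Filter: OpenDMARC Filter v0.0.0 mx.example.net ABCDEF
Authentication-Results: mx.example.net (amavisd-new); dkim=pass header.d=example.com
From: sender@example.com
Subject: test

body
"""

# Matches "spf=pass", "dkim=fail", "dmarc=none" inside a result header.
METHOD_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)

def auth_results(raw):
    """Return (message, {method: [(result, authserv_id), ...]})."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        value = " ".join(str(value).split())      # unfold continuation lines
        head = value.split(";", 1)[0].split()
        authserv_id = head[0] if head else ""
        for method, result in METHOD_RE.findall(value):
            found.setdefault(method.lower(), []).append((result.lower(), authserv_id))
    return msg, found

def diagnose(raw):
    """List the gaps discussed in the thread that apply to this message."""
    msg, found = auth_results(raw)
    issues = []
    if "Received-SPF" in msg and "spf" not in found:
        issues.append("spf-only-in-received-spf")   # no spf= result for a DMARC filter to read
    if "DMARC-Filter" in msg and "dmarc" not in found:
        issues.append("dmarc-result-missing")       # filter ran, result header absent
    if "dkim" not in found:
        issues.append("no-dkim-result")
    return issues

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

Running it against a delivered message after each configuration change shows which filter's results actually reach the mailbox, and the authserv-id kept beside each result shows which component wrote it.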