[opendmarc-users] Missing dmarc results header on incoming mail

Simon Wilson simon at simonandkate.net
Fri Jul 14 06:25:36 PDT 2017


----- Message from Dominic Raferd <dominic at timedicer.co.uk> ---------
    Date: Fri, 14 Jul 2017 14:08:09 +0100
    From: Dominic Raferd <dominic at timedicer.co.uk>
Subject: Re: [opendmarc-users] Missing dmarc results header on incoming mail
      To: opendmarc-users at trusteddomain.org


> I would be interested to know if in your case opendmarc is using its
> internal SPF checking or relying on the external SPF header set by
> policyd-spf.
>
> My understanding is that for the latter behaviour you must have policyd-spf
> set to provide an 'Authentication-Results' header (opendmarc doesn't
> understand the 'Received-SPF' header), and furthermore - if you are using
> postfix - you must add an initial 'dummy' header line before the
> 'check_policy_service unix:private/policy-spf' because this gets stripped
> out in the information passed to the opendmarc milter and otherwise it
> therefore loses sight of the SPF header.
>
> To test this, set 'SPFSelfValidate = false' in opendmarc.conf and see if it
> can still authenticate incoming mails.
>
>

I have, since install of opendmarc, had SPFIgnoreResults false and  
SPFSelfValidate false. My 'new to this' understanding of those two  
settings is that SPFIgnoreResults false means that if it sees a result  
it uses it, and SPFSelfValidate false means that if it doesn't see one  
it won't do its own.

With that set of parameters, this is a typical result (extract from  
headers of an email that passed dmarc):

Received: from mail.simonandkate.net ([127.0.0.1])
	by localhost (mail-amavis.simonandkate.net [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id bqU4BOR2n0RH for <Simon at simonandkate.net>;
	Fri, 14 Jul 2017 22:58:28 +1000 (AEST)
Received-SPF: pass (bhpbilliton.com: Sender is authorized to use
	'Simon.Wilson at bhpbilliton.com' in 'mfrom' identity (mechanism
	'include:spf-00242401.pphosted.com' matched))
	receiver=emp07.simonandkate.lan; identity=mailfrom;
	envelope-from="Simon.Wilson at bhpbilliton.com";
	helo=mx0b-00242401.pphosted.com; client-ip=148.163.153.51
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.simonandkate.net B37AE309B0D2
Authentication-Results: mail.simonandkate.net/B37AE309B0D2; dmarc=pass
	(p=none dis=none) header.from=bhpbilliton.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.simonandkate.net B37AE309B0D2
Authentication-Results: mail.simonandkate.net;
	dkim=pass (1024-bit key) header.d=bhpbilliton.com
	header.i=@bhpbilliton.com header.b="DIi1ieGT"


So it would appear that opendmarc can interpret the Received-SPF  
header. I do not have a dummy header being set. Unless I'm missing  
something :)

Also, I fixed the issue of amavisd-new over-writing
Authentication-Results by having it use a different authservid (server
name). So I can choose which one I want to use now...

Simon.


> On 14 July 2017 at 13:47, Simon Wilson <simon at simonandkate.net> wrote:
>
>> ----- Message from Simon Wilson <simon at simonandkate.net> ---------
>>     Date: Fri, 14 Jul 2017 22:35:47 +1000
>>     From: Simon Wilson <simon at simonandkate.net>
>> Reply-To: simon at simonandkate.net
>> Subject: [opendmarc-users] Missing dmarc results header on incoming mail
>>       To: opendmarc-users at trusteddomain.org
>>
>>
>>> Hi all, I've just implemented opendmarc for inbound dmarc checking on my
>>> postfix mail server. I have been checking SPF and DKIM inbound for years.
>>>
>>> In a nutshell things appear to all be running, but I'm not sure on
>>> sequence, and I'm not seeing a dmarc Authentication-Results header from
>>> opendmarc.
>>>
>>> I have postfix using postfix-policyd-spf. That triggers first, and adds a
>>> Received-SPF header with its result.
>>>
>>> Then the logs show opendmarc triggering (it's called as an smtpd_milter
>>> from postfix's main.cf). I have opendmarc set to trust existing SPF
>>> results in the headers. The logs show success, e.g.:
>>>
>>> Jul 14 22:28:40 emp07 opendmarc[17024]: 6FEF0309B0D1: bhpbilliton.com
>>> pass
>>>
>>> Then the logs show postfix sending to amavisd-new (it's set up on port
>>> 10024, processes, then sends back to postfix), which does DKIM validation,
>>> and adds an Authentication-Results header, e.g. Authentication-Results:
>>> mail.simonandkate.net (amavisd-new); dkim=pass
>>>
>>> Amavisd-new runs spamassassin, and it is applying rules as I'd expect for
>>> SPF and DKIM.
>>>
>>> End result in the email headers I see the Received-SPF header, a
>>> DMARC-Filter header with the version and server name (but no results), and
>>> a single DKIM Authentication-Results header.
>>>
>>> I've tried doing DKIM validation in opendkim instead of amavisd-new, but
>>> the result is the same (except for the DKIM result header coming from
>>> opendkim instead of amavisd-new).
>>>
>>> - Is this all behaving as expected?
>>> - Why am I not seeing a dmarc results header?
>>> - And am I sequencing things correctly?
>>>
>>> Thanks
>>> Simon.
>>>
>>> --
>>> Simon Wilson
>>> M: 0400 12 11 16
>>>
>>> _______________________________________________
>>> opendmarc-users mailing list
>>> opendmarc-users at trusteddomain.org
>>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>>>
>>
>> ----- End message from Simon Wilson <simon at simonandkate.net> -----
>>
>> I think I have just answered my own question, barely minutes after
>> spending all that time writing that last email :(
>>
>> Even when I had opendkim running and doing dkim validation, amavisd-new
>> was still running and doing its dkim validation, I'd not correctly disabled
>> it.
>>
>> With amavisd-new dkim validation disabled, and opendkim enabled, opendmarc
>> Authentication-Results headers are there.
>>
>> Conclusion:
>>
>> It looks like Amavisd-new, which was running last, was deleting the
>> previously written Authentication-Results headers, from both opendkim and
>> opendmarc, and replacing with its own.
>>
>> Apologies for the noise - this may help someone else one day though. All I
>> need to do now is transfer the DKIM signing from amavisd-new to opendkim,
>> and leave amavisd-new out of DKIM entirely.
>>
>>
>> Simon.
>>
>>
>> --
>> Simon Wilson
>> M: 0400 12 11 16
>>
>>
>>


----- End message from Dominic Raferd <dominic at timedicer.co.uk> -----



-- 
Simon Wilson
M: 0400 12 11 16
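
Added example, not part of the original thread or of any of the projects discussed: a small check that reports which SPF, DKIM and DMARC results are still present in a delivered message's headers and under which authserv-id, and flags a DMARC-Filter header left without a dmarc= result. The function names and the OVERWRITTEN sample are assumptions constructed for illustration; DELIVERED reuses the headers quoted above.

```python
import re
from email import message_from_string

# Headers from the message above (Received-SPF abridged, folds restored).
DELIVERED = """\
Received-SPF: pass (bhpbilliton.com: Sender is authorized to use
\t'Simon.Wilson at bhpbilliton.com' in 'mfrom' identity (mechanism
\t'include:spf-00242401.pphosted.com' matched)) identity=mailfrom
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.simonandkate.net B37AE309B0D2
Authentication-Results: mail.simonandkate.net/B37AE309B0D2; dmarc=pass
\t(p=none dis=none) header.from=bhpbilliton.com
Authentication-Results: mail.simonandkate.net;
\tdkim=pass (1024-bit key) header.d=bhpbilliton.com
"""

# Constructed sample of the symptom in the first post: only amavisd-new's header is left.
OVERWRITTEN = """\
Received-SPF: pass (constructed sample) identity=mailfrom
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.simonandkate.net 6FEF0309B0D1
Authentication-Results: mail.simonandkate.net (amavisd-new); dkim=pass
"""

def _clean(value):
    """Unfold a header value and drop comments, including nested ones."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    while re.search(r"\([^()]*\)", value):
        value = re.sub(r"\([^()]*\)", " ", value)
    return value.strip()

def auth_summary(raw_headers):
    """Return ({method: (result, source)}, dmarc_result_lost)."""
    msg = message_from_string(raw_headers)
    found = {}
    for raw in msg.get_all("Authentication-Results", []):
        authserv_id, *resinfo = _clean(raw).split(";")
        for item in resinfo:
            m = re.match(r"\s*([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)", item)
            if m:
                found[m.group(1).lower()] = (m.group(2).lower(), authserv_id.strip())
    spf = msg.get("Received-SPF")
    if spf and "spf" not in found:
        found["spf"] = (_clean(spf).split()[0].lower(), "Received-SPF")
    # OpenDMARC stamped the message but no dmarc= result is left in the headers.
    lost = "DMARC-Filter" in msg and "dmarc" not in found
    return found, lost

if __name__ == "__main__":
    for sample in (DELIVERED, OVERWRITTEN):
        print(auth_summary(sample))
```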


