[opendmarc-users] Missing dmarc results header on incoming mail

Dominic Raferd dominic at timedicer.co.uk
Fri Jul 14 08:06:24 PDT 2017 

On 14 July 2017 at 14:25, Simon Wilson <simon at simonandkate.net> wrote:

> ----- Message from Dominic Raferd <dominic at timedicer.co.uk> ---------
>    Date: Fri, 14 Jul 2017 14:08:09 +0100
>    From: Dominic Raferd <dominic at timedicer.co.uk>
> Subject: Re: [opendmarc-users] Missing dmarc results header on incoming
> mail
>      To: opendmarc-users at trusteddomain.org
>
>
> I would be interested to know if in your case opendmarc is using its
>> internal SPF checking or relying on the external SPF header set by
>> policyd-spf.
>>
>> My understanding is that for the latter behaviour you must have
>> policyd-spf
>> set to provide an 'Authentication-Results' header (opendmarc doesn't
>> understand the 'Received-SPF' header), and furthermore - if you are using
>> postfix - you must add an initial 'dummy' header line before the
>> 'check_policy_service unix:private/policy-spf' because this gets stripped
>> out in the information passed to the opendmarc milter and otherwise it
>> therefore loses sight of the SPF header.
>>
>> To test this, set 'SPFSelfValidate = false' in opendmarc.conf and see if
>> it
>> can still authenticate incoming mails.
>>
>>
>>
> I have, since install of opendmarc, had SPFIgnoreResults false and
> SPFSelfValidate false. My 'new to this' understanding of those two settings
> is that SPFIgnoreResults false means that if it sees a result it uses it,
> and SPFSelfValidate false means that if it doesn't see one it won't do its
> own.
>
> With that set of parameters, this is a typical result (extract from
> headers of an email that passed dmarc):
>
> Received: from mail.simonandkate.net ([127.0.0.1])
>         by localhost (mail-amavis.simonandkate.net [127.0.0.1])
> (amavisd-new, port 10024)
>         with LMTP id bqU4BOR2n0RH for <Simon at simonandkate.net>;
>         Fri, 14 Jul 2017 22:58:28 +1000 (AEST)
> Received-SPF: pass (bhpbilliton.com: Sender is authorized to use '
> Simon.Wilson at bhpbilliton.com' in 'mfrom' identity (mechanism 'include:
> spf-00242401.pphosted.com' matched)) receiver=emp07.simonandkate.lan;
> identity=mailfrom; envelope-from="Simon.Wilson at bhpbilliton.com"; helo=
> mx0b-00242401.pphosted.com; client-ip=148.163.153.51
> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.simonandkate.net B37AE309B0D2
> Authentication-Results: mail.simonandkate.net/B37AE309B0D2; dmarc=pass
> (p=none dis=none) header.from=bhpbilliton.com
> DKIM-Filter: OpenDKIM Filter v2.11.0 mail.simonandkate.net B37AE309B0D2
> Authentication-Results: mail.simonandkate.net;
>         dkim=pass (1024-bit key) header.d=bhpbilliton.com header.i=@
> bhpbilliton.com header.b="DIi1ieGT"
>
>
> So it would appear that opendmarc can interpret the Received-SPF header. I
> do not have a dummy header being set. Unless I'm missing something :)
>
> Also, I fixed the issue of amamisd-new over-writing Authentication-Results
> by having it use a different authservid (server name). So I can choose
> which one I want to use now...
>

On reflection, testing is not so easy. The email has a valid DKIM header so
it will pass DMARC testing regardless of the SPF, and (unfortunately)
opendmarc doesn't record the individual results (dkim, spf) for its
testing. An email with valid SPF but without DKIM header (or a 'bad' DKIM
header) would be a true test.​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20170714/14324b8b/attachment.htm>

More information about the opendmarc-users mailing list