[opendmarc-users] Does my opendmarc 1.3.2 parse domains correctly?

Thu Mar 30 04:08:40 PDT 2017

My mail server processes emails using opendkim, postfix-policyd-spf and
opendmarc (OpenDMARC Filter v1.3.2, SMFI_VERSION 0x1000001, libmilter
version 1.0.1, I think this is actually the final 1.3.2 beta). After the
email has passed our tests it is forwarded on to gmail.

I am puzzled looking at the Authentication-Results headers generated by
mx.google.com compared with our own (timedicer.co.uk) in a recent incoming
email (text slightly obfuscated):

Return-Path: <conso at skimium.emv5.com>
...
Authentication-Results: mx.google.com;
       dkim=pass header.i=@emv5.com;
       spf=fail (google.com: domain of conso at skimium.emv5.com does not
designate 163.131.228.222 as permitted sender) smtp.mailfrom=
conso at skimium.emv5.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=emv5.com
Authentication-Results: timedicer.co.uk/3DEFB428BB; dmarc=pass (p=none
dis=none) header.from=skimium.emv5.com
...
From: "Skimium.com" <conso at skimium.emv5.com>

I am not surprised by mx.google.com showing spf=fail, this always happens
because we are forwarding email (I have a workaround for the rare instances
when this causes a dmarc fail). But I am puzzled that - for dmarc -
mx.google.com has header.from=emv5.com whereas my server (timedicer.co.uk)
has header.from=skimium.emv5.com. In this case it made no difference (sp
policy matches p policy, both are NONE), but does this mean my server is
not parsing the domain name correctly?

I'm not sure how I can test this. In my opendmarc.conf I have:

PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat

which references this file:

-rw-r--r-- 1 root root 180969 Jan 30  2016
/usr/share/publicsuffix/public_suffix_list.dat

Any suggestions gratefully received.

Dominic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20170330/67935e05/attachment.htm>