[opendmarc-users] DMARC fail and reject for one sender

Juri Haberland juri at sapienti-sat.org
Thu May 18 12:23:25 PDT 2017


On 18.05.2017 15:38, David Jones wrote:
> My mail filters are running opendmarc 1.3.2 and I started rejecting failed DMARC checks a couple of months ago for domains with "p=reject" (honoring their own policy).  I have one particular sender that is using dmarcian.com services that is failing.  Sender agents.icims.com is being rejected so I had to add it to the opendmarc.conf IgnoreMailFrom.
> 
> When I contacted the sender, they say they have had DMARC in place for many years and have not made any changes lately so it's a problem on my end, of course.
> 
> DMARC record:
> # dig _dmarc.agents.icims.com txt +short
> "v=DMARC1\; p=reject\; rua=mailto:dmarc_agg at vali.email,mailto:nfivm2st at ag.dmarcian.com\; ruf=mailto:dmarc_d2a54d9a_afrf at vali.email,mailto:nfivm2st at fr.dmarcian.com"
> 
> SPF record:
> # dig agents.icims.com txt +short
> "v=spf1 include:agents.icims.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
> 
> I had never seen an SPF record like this before so that must be something fancy that dmarcian.com set up.  It appears to dynamically substitute values to provide specific SPF results per IP, HELO, and domain.  My mail filters are saying that the SPF checks are passing which is confirmed by this DNS query:

This has nothing to do with the dmarcian.com service - I use it as well and
besides the rua/ruf tags, you do not need to alter your DMARC/SPF setup.
These are SPF macros defined in RFC7208, section 7.2:

>> 7.2.  Macro Definitions
>> 
>>    The following macro letters are expanded in term arguments:
>> 
>>       s = <sender>
>>       l = local-part of <sender>
>>       o = domain of <sender>
>>       d = <domain>
>>       i = <ip>
>>       p = the validated domain name of <ip> (do not use)
>>       v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
>>       h = HELO/EHLO domain
>> 
>>    The following macro letters are allowed only in "exp" text:
>> 
>>       c = SMTP client IP (easily readable format)
>>       r = domain name of host performing the check
>>       t = current timestamp

So "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email" boils down to something like
this:
162.247.160.153._ip.icims-talentplatform-160153.email.icims.tools._ehlo.agents.icims.com._spf.vali.email

and:

$ host -t txt 162.247.160.153._ip.icims-talentplatform-160153.email.icims.tools._ehlo.agents.icims.com._spf.vali.email
162.247.160.153._ip.icims-talentplatform-160153.email.icims.tools._ehlo.agents.icims.com._spf.vali.email descriptive text "v=spf1 ip4:162.247.160.0/21 -all"


> Here's what my Postfix logs show when I don't have agents.icims.com in the opendmarc.conf IgnoreMailFrom:
> 
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom): redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: agents.icims.com fail

Please check whether your opendmarc uses libspf2, as the internal SPF code
is broken and will most likely be removed in the next release:

The command "strings /usr/lib/libopendmarc.so.2|grep spf2" should show
something like:
opendmarc_spf2_alloc_ctx
opendmarc_spf2_free_ctx
opendmarc_spf2_find_mailfrom_domain
opendmarc_spf2_specify_ip_address
opendmarc_spf2_test
libspf2.so.2


I had cases where "ldd /usr/lib/libopendmarc.so.2" was not sufficient!


Cheers,
  Juri


