[opendmarc-users] DMARC fail and reject for one sender

Simon sim at 4lists.simonliebold.de
Thu May 18 12:27:11 PDT 2017


Hi Dave,

> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom): redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail

Not sure if I can help. Just guessing: Does "opendmarc -V" return these
lines?

    Active code options:
        WITH_SPF
        WITH_SPF2

> c=simple/simple;

DKIM wasn't valid, I guess?

Does this happen with every single one of their messages or just from time
to time?

> it's a problem on my end, of course.

Of course.

Simon

p.s.:
> Authentication-Results: mail.simonliebold.de; dmarc=fail (p=reject dis=none) header.from=ena.com

Ironically, this list cannot deal with "reject" domains. I use a
dedicated sub-domain for these kinds of lists plus the "Override MLM" patch.

On 18.05.2017 at 15:38, David Jones wrote:
> My mail filters are running opendmarc 1.3.2 and I started rejecting failed DMARC checks a couple of months ago for domains with "p=reject" (honoring their own policy).  I have one particular sender that is using dmarcian.com services that is failing.  Sender agents.icims.com is being rejected so I had to add it to the opendmarc.conf IgnoreMailFrom.
>
> When I contacted the sender, they say they have had DMARC in place for many years and have not made any changes lately so it's a problem on my end, of course.
>
> DMARC record:
> # dig _dmarc.agents.icims.com txt +short
> "v=DMARC1\; p=reject\; rua=mailto:dmarc_agg at vali.email,mailto:nfivm2st at ag.dmarcian.com\; ruf=mailto:dmarc_d2a54d9a_afrf at vali.email,mailto:nfivm2st at fr.dmarcian.com"
>
> SPF record:
> # dig agents.icims.com txt +short
> "v=spf1 include:agents.icims.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
>
> I had never seen an SPF record like this before so that must be something fancy that dmarcian.com set up.  It appears to dynamically substitute values to provide specific SPF results per IP, HELO, and domain.  My mail filters are saying that the SPF checks are passing which is confirmed by this DNS query:
>
> # dig 162.247.160.153._ip.icims-talentplatform-160153.email.icims.tools._ehlo.agents.icims.com._spf.vali.email txt +short
> "v=spf1 ip4:162.247.160.0/21 -all"
>
> The SPF check above should be passing based on the headers below.
>
> Received: from (icims-talentplatform-160153.email.icims.tools [162.247.160.153])
>      (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
>      (No client certificate requested)
>      by smtp4n.ena.net (Postfix) with ESMTPS id 42DA31495A15
>      for <redacted at example.com>; Thu, 18 May 2017 08:04:07 -0500 (CDT)
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
> d=agents.icims.com; i=@agents.icims.com; q=dns/txt;
> s=platform; t=1495112647; x=1526648647;
> h=date:from:reply-to:to:message-id:subject:mime-version:
> list-unsubscribe;
> bh=mK9tYZSXgYsfaJFFq6+J8sLbSg0NLnZmqZD2WIfhNJ8=;
> b=dhNLMSvRj3sRN5EfgJFkOoO8XslY3FtEIWdBG+bg1Cz6eGPbT/SgCMyW
> UTBZceunCXpgpr1B3NmMxUrfRlYOGNQ6h/YfiSjWLUAy9JkoEw82/iEmi
> EyzgJlfXQYcnzsx2153GhW6h35HJPsapuycDDRQgHc3U70nqkP3M85Rad
> 7UR8kw9qk8fssJxuRakLfkp50SILM5f1OZ08Eq72lHJMQ0VoOlijzSXTT
> +2xbcbhj7aTobqgjiQ3c1xntdAz51QKsXUWyxodWhns+k7an6cu7UP3JC
> +TuDM7We8+fV3S7+L8ysI6FUriJfTHN5bN6pI5EnQaBd4BazRxpKqGksv
> g==;
> X-IronPort-AV: E=Sophos;i="5.38,359,1491278400";
> d="scan'208";a="124188043"
> Received: from unknown (HELO ip-10-47-5-152.ec2.internal) ([10.30.10.250])
> by icims-talentplatform-160160.email.icims.tools with ESMTP; 18 May 2017 09:04:06 -0400
> Date: Thu, 18 May 2017 09:04:06 -0400 (EDT)
> From: "Redacted @ icims" <redacted+autoreply at agents.icims.com>
> Reply-To: <redacted+autoreply at agents.icims.com>
> To: redacted at example.com
> Message-ID: <1231579031.27096.1495112646680 at ip-10-47-5-152.ec2.internal>
> Subject: Application Status from Redacted
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
>      boundary="----=_Part_27094_1697637749.1495112646679"
> List-Unsubscribe: <mailto:redacted+autoreply+3FF632589 at agents.icims.com?subject=unsubscribe&contactId=129434>, <https://redacted.icims.com/icims2/?r=3FF632589&contactId=129434&pid=108&process=1>
> X-iRecruiter-Type: TX
> X-iCIMS-Type: TX
> X-iCIMS-Priority: Auto
> X-iRecruiter-Source: redacted
>
> Here's what my Postfix logs show when I don't have agents.icims.com in the opendmarc.conf IgnoreMailFrom:
>
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom): redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: agents.icims.com fail
> May 15 12:25:41 server1 postfix/cleanup[20227]: 848BB14806A9: milter-reject: END-OF-MESSAGE from icims-talentplatform-160152.email.icims.tools[162.247.160.152]: 5.7.1 rejected by DMARC policy for agents.icims.com; from=<redacted+bounce+1lri-ec0a7e8591 at agents.icims.com> to=<redacted at example.com> proto=ESMTP helo=<icims-talentplatform-160152.email.icims.tools>
>
> Any help or direction is much appreciated.
>
> Dave
> _______________________________________________
> opendmarc-users mailing list
> opendmarc-users at trusteddomain.org
> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
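
Added example (not part of either message, and not OpenDMARC or libspf2 code): a minimal RFC 7208 macro expander that rebuilds the lookup name Dave queried from the `include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email` term and checks the connecting address against the returned `ip4:` range. It handles more macro letters and transformers than the thread uses; the function names are illustrative, and `%{p}`, `%{c}`, `%{r}` and `%{t}` are not implemented.

```python
import ipaddress
import re

# RFC 7208 section 7 macros; upper-case (URL-escaped) forms are treated as lower-case.
_MACRO = re.compile(r"%\{([A-Za-z])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")
_LITERAL = {"%": "%", "_": " ", "-": "%20"}


def expand_spf_macros(spec, ip, helo, sender, domain):
    """Expand the SPF macros in a domain-spec for one SMTP connection."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    values = {
        # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
        "i": str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
        "h": helo, "d": domain, "s": sender, "o": sender_domain,
        "l": local or "postmaster", "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def repl(m):
        if m.group(5):                    # %%, %_ and %- literals
            return _LITERAL[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        if letter.lower() not in values:
            raise ValueError("unsupported macro letter: " + letter)
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits and int(digits) > 0:
            parts = parts[-int(digits):]  # keep the right-most N labels
        return ".".join(parts)

    return _MACRO.sub(repl, spec)


def ip4_mechanism_matches(record, ip):
    """True if an ip4: mechanism in the SPF record covers the address."""
    addr = ipaddress.ip_address(ip)
    return any(
        addr in ipaddress.ip_network(term.split(":", 1)[1], strict=False)
        for term in record.split()[1:]
        if term.lower().startswith(("ip4:", "+ip4:"))
    )


# Values copied from the headers and dig output quoted in the thread.
SPEC = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"
QUERY = expand_spf_macros(SPEC, "162.247.160.153", "icims-talentplatform-160153.email.icims.tools",
                          "redacted+bounce+1lri-ec0a7e8591@agents.icims.com", "agents.icims.com")
print(QUERY, ip4_mechanism_matches("v=spf1 ip4:162.247.160.0/21 -all", "162.247.160.153"))
```

Comparing this expected name with what the filter's SPF library actually looks up is one way to narrow down a mismatch between the dig result and the logged `SPF(mailfrom): ... fail`.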



