[opendmarc-users] DMARC fail and reject for one sender

Simon sim at 4lists.simonliebold.de
Thu May 18 13:40:41 PDT 2017


On 18.05.2017 at 22:10, David Jones wrote:
> # opendmarc -V
> opendmarc: OpenDMARC Filter v1.3.2
> 	SMFI_VERSION 0x1000001
> 	libmilter version 1.0.1
> 	Active code options:
> 		WITH_SPF
> 		WITH_SPF2
> 

Looks ok to me. Please have a look at Juri's mail. He is the expert. I'm
just an "advanced user".

> I think DKIM is passing but I am not 100% sure.  I can adjust some settings and see if DKIM passes if that is needed to troubleshoot.  Currently DKIM is being skipped by SpamAssassin because the SPF plugin in SA says that SPF is passing.  Interesting that SA hits the SPF_PASS rule and opendmarc says SPF fail.  Does this point to a bug in opendmarc with this "dynamic" SPF record?

Usually one would set it up to do SPF+DKIM+DMARC first and only then
spend the CPU cycles for the content analysis using SA or similar filters.

Then, you also would have the second security layer if anything odd
happens like:

> The Postfix logs indicate that it fails due to SPF:
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom): redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: agents.icims.com fail

Sorry, cannot tell why this is happening.

>> Does this happen with every single one of their messages or just from time
>> to time?
> 
> Every message.


> Do I need to subscribe with a different email address?  I am not going to change our ena.com away from p=reject.

No need to change your policy for your main domain. But you could use an
extra sub-domain exclusively for those mailing lists that cannot handle
DMARC-reject-enabled domains. See my "From:" address and its dedicated
p=none domain. Not ideal, but well...

Simon
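
The sub-domain workaround in the message above relies on DMARC policy discovery: a receiver first looks for a record at the exact From: domain and only falls back to the organizational domain if none exists. The following is an added example, not part of the original message or of OpenDMARC's code; the domains and TXT records are constructed, and the two-label organizational-domain rule is a simplifying assumption.

```python
# Added example: DMARC policy discovery (RFC 7489, section 6.6.3).
# Constructed TXT records standing in for DNS; no real lookups are made.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.lists.example.com": "v=DMARC1; p=none",
    "_dmarc.example.net": "v=DMARC1; p=reject; sp=quarantine",
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # The v= tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A real implementation consults the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def effective_policy(from_domain, dns=DNS_TXT):
    """Return (policy, domain that published it) for an RFC5322.From domain."""
    domain = from_domain.lower().rstrip(".")
    record = parse_dmarc(dns.get("_dmarc." + domain, ""))
    if record and "p" in record:
        return record["p"], domain          # the domain's own record wins
    parent = org_domain(domain)
    if parent != domain:
        record = parse_dmarc(dns.get("_dmarc." + parent, ""))
        if record and "p" in record:
            # sp= covers subdomains; without it they inherit p=.
            return record.get("sp", record["p"]), parent
    return None, None                       # no DMARC record published


if __name__ == "__main__":
    for name in ("example.com", "lists.example.com", "mail.example.com",
                 "sub.example.net", "example.org"):
        print(name, effective_policy(name))
```

A sub-domain without its own record still inherits the parent's policy, so the dedicated sub-domain only relaxes enforcement if it publishes an explicit `p=none` record.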


