[opendmarc-users] Fw: DMARC fail and reject for one sender

Dave Jones dave at jonesol.com
Fri May 19 07:06:53 PDT 2017 

My mail logs say that this SPF check is failing.  Does opendmarc
support that type of SPF record for agents.icims.com?  SpamAssassin
says it is passing SPF checks.

I think I may try "SPFIgnoreResults false" and "SPFSelfValidate false"
to see if that helps.  Both are true right now.

Dave

On Fri, May 19, 2017 at 8:59 AM, David Jones <djones at ena.com> wrote:
>
>
>
> ________________________________
> From: David Jones
> Sent: Thursday, May 18, 2017 3:10 PM
> To: Simon; opendmarc-users at trusteddomain.org
> Subject: Re: [opendmarc-users] DMARC fail and reject for one sender
>
>>From: Simon <sim at 4lists.simonliebold.de>
>
>>> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom):
>>> redacted+bounce+1lri->ec0a7e8591 at agents.icims.com fail
>>Not sure if I can help. Just guessing: Does "opendmarc -V" return these
>>lines?
>
>>    Active code options:
>>        WITH_SPF
>>        WITH_SPF2
>
> # opendmarc -V
> opendmarc: OpenDMARC Filter v1.3.2
>         SMFI_VERSION 0x1000001
>         libmilter version 1.0.1
>         Active code options:
>                 WITH_SPF
>                 WITH_SPF2
>
>>> c=simple/simple;
>>DKIM wasn't valid, I guess?
>
> I think DKIM is passing but I am not 100% sure.  I can adjust some settings
> and see if DKIM passes if that is needed to troubleshoot.  Currently DKIM is
> being skipped by SpamAssassin because the SPF plugin in SA says that SPF is
> passing.  Interesting that SA hits the SPF_PASS rule and opendmarc says SPF
> fail.  Does this point to a bug in opendmarc with this "dynamic" SPF record?
>
> The Postfix logs indicate that it fails due to SPF:
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom):
> redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail
> May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: agents.icims.com
> fail
>
>>Does this happen with every single of their messages or just from time
>>to time?
>
> Every message.
>
>>Simon
>
>>p.s.:
>>> Authentication-Results: mail.simonliebold.de; dmarc=fail (p=reject
>>> dis=none) header.from=ena.com
>>Ironically, this list cannot deal with "reject" domains. I use a
>>dedicated sub-domain for these kind of lists plus the "Override MLM" patch.
>
> Do I need to subscribe with a different email address?  I am not going to
> change our ena.com away from p=reject.
>
> Dave

More information about the opendmarc-users mailing list