[opendmarc-users] OpenDMARC v1.3.2 behaving differently with IPv4 and IPv6.

Scott Kitterman sklist at kitterman.com
Mon Sep 25 13:01:20 PDT 2017 

On Monday, September 25, 2017 12:50:29 PM Grant Taylor wrote:
> Hi,
> 
> I would like some help / guidance on how to further diagnose what I
> believe is a difference in OpenDMARC behavior between IPv4 and IPv6.
> 
> The same set of sending and receiving hosts (tncsrv05 and tncsrv06
> respectively) behave differently depending if IPv4 or IPv6 is used.  -
> The only change between tests is removing the IPv6 default gateway on
> the sending host, thereby forcing it to use IPv4.
> 
> When IPv6 is used, OpenDMARC is happy and passes the message without any
> problems.
> 
> > job v8PI5hC7018860
> > reporter tncsrv06.tnetconsulting.net
> > received 1506362745
> > ipaddr 2a01:7e00::f03c:91ff:fe89:2935
> > from tncsrv05.tnetconsulting.net
> > mfrom tncsrv05.tnetconsulting.net
> > spf 0
> > pdomain tnetconsulting.net
> > policy 15
> > rua mailto:dmarc at tnetconsulting.net
> > pct 100
> > adkim 114
> > aspf 114
> > p 114
> > sp 114
> > align_dkim 5
> > align_spf 4
> > action 2
> 
> When IPv4 is used, OpenDMARC is unhappy and states that the message
> fails SPF and thus DMARC.
> 
> > job v8PHvO2E018624
> > reporter tncsrv06.tnetconsulting.net
> > received 1506362246
> > ipaddr 109.74.192.125
> > from tncsrv05.tnetconsulting.net
> > mfrom tncsrv05.tnetconsulting.net
> > spf 7
> > pdomain tnetconsulting.net
> > policy 16
> > rua mailto:dmarc at tnetconsulting.net
> > pct 100
> > adkim 114
> > aspf 114
> > p 114
> > sp 114
> > align_dkim 5
> > align_spf 5
> > action 2
> 
> Below is the SPF record.  It looks like SPF should pass for both IPv6
> and IPv4.
> 
> > # dig +short +noshort txt tncsrv05.tnetconsulting.net
> > tncsrv05.tnetconsulting.net. 86399 IN   TXT     "v=spf1 ip4:109.74.192.125
> > ip6:2a01:7e00::f03c:91ff:fe89:2935 -all" # dig +short +noshort txt
> > tnetconsulting.net
> > tnetconsulting.net.     86399   IN      TXT     "v=spf1 ip4:109.74.192.125
> > ip6:2a01:7e00::f03c:91ff:fe89:2935 ip4:45.33.28.24
> > ip6:2600:3c00::f03c:91ff:fe26:8849 -all"
> I compiled OpenDMARC v1.3.2, --with-spf & --with-milter, last night and
> it doesn't seem to make any difference.
> 
> Does anyone have any recommendations on what I should check next, or
> possibly even do to fix this?
> 
> I feel like this is a symptom of an underlying problem that is causing
> OpenDMARC to incorrectly fail messages.  As such, I have OpenDMARC
> configured to only report, and not actually reject messages.
> 
> > # egrep "^[^#]" /etc/opendmarc.conf | sort
> > AuthservID tncsrv06.tnetconsulting.net
> > FailureReportsBcc dmarc-ofr at tnetconsulting.net
> > FailureReports false
> > HistoryFile /var/run/opendmarc/opendmarc.history
> > IgnoreAuthenticatedClients true
> > IgnoreHosts /etc/opendmarc.conf.ignore.hosts
> > PidFile /var/run/opendmarc.pid
> > PublicSuffixList /etc/mail/effective_tld_names.dat
> > RejectFailures false
> > Socket unix:/var/run/opendmarc/opendmarc.sock
> > SoftwareHeader true
> > SPFSelfValidate true
> > Syslog true
> > TrustedAuthservIDs tncsrv06.tnetconsulting.net,tncsrv06
> > UMask 0002
> 
> I'm using Sendmail 8.15.2 w/ OpenDMARC configured as a MAIL_FILTER and
> specifying it as an InputMailFilter on the DaemonPortOptions line.
> 
> Thank you in advance for any recommendations that you have.

Are you using the internal opendmarc SPF implementation?  Did you use libspf2?  
Or do you have an external SPF checker that's adding a header field that 
opendmarc reads?

Scott K

More information about the opendmarc-users mailing list