[opendmarc-users] Rejecting DMARC errors
Lefteris Tsintjelis
lefty at spes.gr
Thu Jun 13 01:45:58 PDT 2019
On 13/6/2019 9:17, Juri Haberland wrote:
> On 2019-06-12 12:03, Lefteris Tsintjelis wrote:
>> Hi, I am having problems with rejecting errors.
>>
>> 1) When an email arrives without any DKIM signature from a DKIM signed
>> domain, OpenDMARC generates an error (dmarc=permerror) but it does not
>> reject the email according to domain policy set as reject.
>
> OpenDMARC does not check DKIM by itself - it relies on other software to
> do that and expects that other software (e.g. OpenDKIM) to add an
> Authentication-Results header with the result of the DKIM check.
I can understand that it relies on OpenDKIM, but it seems to ignore the DKIM
results in case of DKIM errors. Shouldn't OpenDMARC check the domain's
policy and act accordingly? By accepting any email in case of such
errors, even if domain.com's policy is set to reject, it clearly opens
a big security issue here.
>> 2) Also, when an email arrives from an older domain using DomainKey
>> OpenDMARC is doing the exact same thing, generates an error but email
>> is accepted.
>
> DomainKey is obsolete and not part of the DMARC RFC and therefore not
> supported by OpenDMARC.
That would have been perfectly acceptable also as it is obsolete. Why is
there an interaction with DomainKey-Signature then and I get a
"dmarc=permerror" in Authentication-Results header? Shouldn't it be
completely ignored without any permerror generated?
Header example:
Authentication-Results: mx.domain.com; dmarc=permerror
header.from=old.domainkey.com
Authentication-Results: mx.domain.com; spf=pass
smtp.mailfrom=user@bounces.domainkey.com
Authentication-Results: mx.domain.com; dkim=none
DomainKey-Signature: ...
>> I want to enforce the policy according to what is set in domain's DNS
>> in case 1
>>
>> In case 2 I would like to accept the email if DomainKey checks correctly.
>>
>> Is this possible with OpenDMARC?
>
> Yes to 1), no to 2). Please tell us more about your configuration...
I am using both OpenDKIM and OpenDMARC, set as follows:
OpenDKIM v2.10.3 settings:
AlwaysAddARHeader yes
Canonicalization relaxed/relaxed
Domain domain.com
KeyFile private.pem
OverSignHeaders From
Selector select
Socket local:dkim
SubDomains Yes
Syslog Yes
UMask 0111
OpenDMARC v1.3.2 settings:
AuthservID HOSTNAME
FailureReportsBcc postmaster@domain.com
FailureReportsSentBy postmaster@domain.com
HistoryFile history.dat
IgnoreAuthenticatedClients true
IgnoreHosts ignore.hosts
PublicSuffixList effective_tld_names.dat
RejectFailures true
SPFIgnoreResults true
SPFSelfValidate true
Syslog true
UMask 0111
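As an added example (not code from this thread or from OpenDMARC), the sketch below shows the dependency Juri describes: it reads Authentication-Results values like the ones quoted above and derives a DMARC result and disposition from the DKIM and SPF verdicts alone. The `org_domain` helper and the `policy` dict are simplifying assumptions; OpenDMARC uses its PublicSuffixList and the domain's DNS record instead.

```python
# Constructed sample: the three Authentication-Results values quoted in the thread.
ARH_LINES = [
    "mx.domain.com; dmarc=permerror header.from=old.domainkey.com",
    "mx.domain.com; spf=pass smtp.mailfrom=user@bounces.domainkey.com",
    "mx.domain.com; dkim=none",
]

def parse_arh(value):
    """Split one Authentication-Results value into (authserv-id, method, result, props)."""
    authserv, _, rest = value.partition(";")
    tokens = rest.split()
    method, _, result = tokens[0].partition("=")
    props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return authserv.strip(), method.lower(), result.lower(), props

def org_domain(domain):
    # Assumption for this sketch: the last two labels form the organizational
    # domain. OpenDMARC consults the configured PublicSuffixList instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def evaluate_dmarc(arh_values, from_domain, policy):
    """Return (dmarc_result, disposition) for one message.

    policy mimics a DMARC record, e.g. {"p": "reject", "adkim": "r", "aspf": "r"}.
    Only an aligned dkim=pass or spf=pass counts; dkim=none, dkim=fail or a
    DomainKey-Signature header contribute nothing, so a dkim=none message can
    only pass through aligned SPF.
    """
    dkim_ok = spf_ok = False
    for value in arh_values:
        _, method, result, props = parse_arh(value)
        if method == "dkim" and result == "pass":
            dkim_ok |= aligned(props.get("header.d", ""), from_domain, policy.get("adkim", "r"))
        elif method == "spf" and result == "pass":
            spf_domain = props.get("smtp.mailfrom", "").rpartition("@")[2]
            spf_ok |= aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")  # disposition follows the p= tag

if __name__ == "__main__":
    print(evaluate_dmarc(ARH_LINES, "old.domainkey.com", {"p": "reject"}))
```

For the quoted headers the message passes DMARC on relaxed SPF alignment alone (bounces.domainkey.com and old.domainkey.com share an organizational domain), so the permerror in the header is not explained by the DKIM or SPF results themselves.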