[opendmarc-users] Rejecting DMARC errors

Juri Haberland juri at sapienti-sat.org
Thu Jun 13 02:51:08 PDT 2019


On 2019-06-13 10:45, Lefteris Tsintjelis wrote:
> On 13/6/2019 9:17, Juri Haberland wrote:
>> On 2019-06-12 12:03, Lefteris Tsintjelis wrote:

>> OpenDMARC does not check DKIM by itself - it relies on other software 
>> to do that and expects that other software (e.g. OpenDKIM) to add an 
>> Authentication-Results header with the result of the DKIM check.
> 
> I can understand that it relies on OpenDKIM, but it seems to ignore the
> DKIM results in case of DKIM errors. Shouldn't OpenDMARC check the
> domain's policy and act accordingly? By accepting any email in case of
> such errors, even if domain.com's policy is set to reject, it clearly
> opens a big security issue here.

A receiver without DMARC checking would accept the mail anyway, so why 
would it be a security issue if a receiver /with/ DMARC checking accepts 
it, too?

The DMARC RFC (7487) states at the end of section 6.6.2:
>   Handling of messages for which SPF and/or DKIM evaluation encounter a
>   permanent DNS error is left to the discretion of the Mail Receiver.

>>> 2) Also, when an email arrives from an older domain using DomainKey
>>> OpenDMARC is doing the exact same thing, generates an error but email
>>> is accepted.
>> 
>> DomainKey is obsolete and not part of the DMARC RFC and therefore not
>> supported by OpenDMARC.
> 
> That would have been perfectly acceptable also as it is obsolete. Why
> is there an interaction with DomainKey-Signature then and I get a
> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
> completely ignored without any permerror generated?

I doubt that there really is an interaction with the DomainKey 
signature.

> Header example:
> 
> Authentication-Results: mx.domain.com; dmarc=permerror
> header.from=old.domainkey.com
> Authentication-Results: mx.domain.com; spf=pass
> smtp.mailfrom=user at bounces.domainkey.com
> Authentication-Results: mx.domain.com; dkim=none
> DomainKey-Signature: ...

What does OpenDMARC log in such a case - maybe the problem is not the 
authentication results, but somewhere in the sender's DMARC record?

Un-obfuscated examples would be nice...

> OpenDKIM v2.10.3 settings:

... looking good so far...

> OpenDMARC v1.3.2 settings:
> [...]
> SPFSelfValidate            true

Be careful with the internal SPF code. Be sure that your binary uses 
libspf2, or else the SPF results will be wrong!


Cheers,
   Juri
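As an added illustration (not code from the thread or from OpenDMARC), here is the receiver-side logic the replies describe: results are read from Authentication-Results headers that carry the receiver's own authserv-id, checked for alignment with the From domain, and a permerror is handled by whatever action the receiver chooses. Run over a constructed copy of the quoted headers, the SPF pass aligns with old.domainkey.com in relaxed mode, so a permerror would have to come from the policy lookup rather than from the authentication results; the two-label org_domain helper and relaxed alignment are simplifying assumptions.

```python
import re

# Constructed sample, modelled on the obfuscated headers quoted above.
SAMPLE_HEADERS = [
    "Authentication-Results: mx.domain.com; spf=pass "
    "smtp.mailfrom=user@bounces.domainkey.com",
    "Authentication-Results: mx.domain.com; dkim=none",
]

def parse_auth_results(headers, authserv_id):
    """(method, result, props) per stanza in headers carrying our own
    authserv-id; foreign authserv-ids are ignored (they could be forged)."""
    out = []
    for header in headers:
        body = header.split(":", 1)[1].strip()
        parts = [p.strip() for p in body.split(";")]
        if parts[0].split()[0] != authserv_id:
            continue
        for stanza in parts[1:]:
            m = re.match(r"(\w+)=(\w+)(.*)", stanza)
            if not m:
                continue
            method, result, rest = m.groups()
            props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
            out.append((method, result, props))
    return out

def org_domain(domain):
    # Last two labels; real evaluators use the Public Suffix List (assumption).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(headers, from_domain, policy, authserv_id,
                      permerror_action="accept"):
    """policy: p= from the sender's _dmarc record, or 'permerror' when the
    record could not be evaluated. Relaxed alignment assumed for SPF and DKIM."""
    if policy == "permerror":
        # The quoted RFC text leaves this to the receiver; default here is accept.
        return permerror_action
    aligned = False
    for method, result, props in parse_auth_results(headers, authserv_id):
        if method == "spf" and result == "pass":
            mail_from = props.get("smtp.mailfrom", "").split("@")[-1]
            aligned |= org_domain(mail_from) == org_domain(from_domain)
        elif method == "dkim" and result == "pass":
            aligned |= org_domain(props.get("header.d", "")) == org_domain(from_domain)
    if aligned or policy == "none":
        return "accept"
    return policy  # 'quarantine' or 'reject'
```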
