[opendmarc-users] Rejecting DMARC errors
Juri Haberland
juri at sapienti-sat.org
Thu Jun 13 02:51:08 PDT 2019
On 2019-06-13 10:45, Lefteris Tsintjelis wrote:
> On 13/6/2019 9:17, Juri Haberland wrote:
>> On 2019-06-12 12:03, Lefteris Tsintjelis wrote:
>> OpenDMARC does not check DKIM by itself - it relies on other software
>> to do that and expects that other software (e.g. OpenDKIM) to add an
>> Authentication-Results header with the result of the DKIM check.
>
> I can understand that it relies on OpenDKIM, but it seems to ignore the
> DKIM results in case of DKIM errors. Shouldn't OpenDMARC check the
> domain's policy and act accordingly? By accepting any email in case of
> such errors, even if domain.com's policy is set to reject, it clearly
> opens a big security issue here.
A receiver without DMARC checking would accept the mail anyway, so why
would it be a security issue if a receiver /with/ DMARC checking accepts
it, too?
The DMARC RFC (7487) states at the end of section 6.6.2:
> Handling of messages for which SPF and/or DKIM evaluation encounter a
> permanent DNS error is left to the discretion of the Mail Receiver.
>>> 2) Also, when an email arrives from an older domain using DomainKey,
>>> OpenDMARC is doing the exact same thing: it generates an error, but the
>>> email is accepted.
>>
>> DomainKey is obsolete and not part of the DMARC RFC and therefore not
>> supported by OpenDMARC.
>
> That would have been perfectly acceptable also as it is obsolete. Why
> is there an interaction with DomainKey-Signature then and I get a
> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
> completely ignored without any permerror generated?
I doubt that there really is an interaction with the DomainKey
signature.
> Header example:
>
> Authentication-Results: mx.domain.com; dmarc=permerror
> header.from=old.domainkey.com
> Authentication-Results: mx.domain.com; spf=pass
> smtp.mailfrom=user at bounces.domainkey.com
> Authentication-Results: mx.domain.com; dkim=none
> DomainKey-Signature: ...
What does OpenDMARC log in such a case - maybe the problem is not the
authentication results, but somewhere in the sender's DMARC record?
Un-obfuscated examples would be nice...
> OpenDKIM v2.10.3 settings:
... looking good so far...
> OpenDMARC v1.3.2 settings:
> [...]
> SPFSelfValidate true
Be careful with the internal SPF code. Be sure that your binary uses
libspf2, or else the SPF results will be wrong!
Cheers,
Juri
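To make the thread's point concrete, here is an added example (not OpenDMARC's own code) that evaluates DMARC from the Authentication-Results headers an upstream milter such as OpenDKIM adds: only aligned "pass" results count, so dkim=none, dkim=permerror or a DomainKey-Signature contribute nothing, and the sender's p= policy then decides the disposition. The sample headers are constructed after the obfuscated example above; the organizational-domain lookup is simplified to the last two labels (real OpenDMARC uses the Public Suffix List).

```python
import re

# Constructed sample headers, modelled on the obfuscated example in the thread.
SAMPLE_HEADERS = [
    "Authentication-Results: mx.domain.com; dmarc=permerror header.from=old.domainkey.com",
    "Authentication-Results: mx.domain.com; spf=pass smtp.mailfrom=user@bounces.domainkey.com",
    "Authentication-Results: mx.domain.com; dkim=none",
]

# Simplified parser: picks out spf=/dkim= results and their identifier domain.
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)(?:\s+(?:smtp\.mailfrom|header\.d)=(\S+))?")

def parse_auth_results(headers):
    """Return {"spf": [(result, domain), ...], "dkim": [...]} from the headers.
    Results of other methods (dmarc=..., DomainKey) are deliberately ignored."""
    results = {}
    for header in headers:
        body = header.split(":", 1)[1]
        for method, result, ident in AUTH_RE.findall(body):
            domain = ident.rstrip(";").split("@")[-1].lower() if ident else None
            results.setdefault(method, []).append((result, domain))
    return results

def org_domain(domain):
    """Assumption/simplification: organizational domain = last two labels."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, relaxed=True):
    """DMARC identifier alignment (relaxed compares organizational domains)."""
    if auth_domain is None:
        return False
    if relaxed:
        return org_domain(auth_domain) == org_domain(from_domain)
    return auth_domain.lower() == from_domain.lower()

def dmarc_evaluate(headers, from_domain, policy, relaxed=True):
    """Return (dmarc_result, disposition) for the RFC5322.From domain.
    An aligned spf=pass or dkim=pass yields "pass"; anything else
    (none, fail, permerror, temperror) fails and the p= policy applies."""
    results = parse_auth_results(headers)
    for method in ("dkim", "spf"):
        for result, domain in results.get(method, []):
            if result == "pass" and aligned(domain, from_domain, relaxed):
                return "pass", "accept"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "accept")
```

Run against the constructed headers, the message passes DMARC through relaxed SPF alignment (bounces.domainkey.com vs old.domainkey.com share the organizational domain), which is why a permerror in such a case more likely stems from the sender's DMARC record than from the DKIM result.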