[opendmarc-users] Rejecting DMARC errors
Lefteris Tsintjelis
lefty at spes.gr
Thu Jun 13 03:43:49 PDT 2019
On 13/6/2019 12:51, Juri Haberland wrote:
> On 2019-06-13 10:45, Lefteris Tsintjelis wrote:
>> On 13/6/2019 9:17, Juri Haberland wrote:
>>> On 2019-06-12 12:03, Lefteris Tsintjelis wrote:
>
>>> OpenDMARC does not check DKIM by itself - it relies on other software
>>> to do that and expects that other software (e.g. OpenDKIM) to add an
>>> Authentication-Results header with the result of the DKIM check.
>>
>> I can understand that it relies on OpenDKIM, but it seems to ignore the
>> DKIM results in case of DKIM errors. Shouldn't OpenDMARC check the
>> domain's policy and act accordingly? By accepting any email in case of
>> such errors, even if domain.com's policy is set to reject, it clearly
>> opens a big security issue here.
>
> A receiver without DMARC checking would accept the mail anyway, so why
> would it be a security issue if a receiver /with/ DMARC checking accepts
> it, too?
Because the DomainKey ADSP policy (dkim=all) is set for all outgoing
mail to be DKIM signed and therefore an unsigned mail with DMARC policy
set to reject should be rejected.
> The DMARC RFC (7487) states at the end of section 6.6.2:
>> Handling of messages for which SPF and/or DKIM evaluation encounter a
>> permanent DNS error is left to the discretion of the Mail Receiver.
>
>>>> 2) Also, when an email arrives from an older domain using DomainKey
>>>> OpenDMARC is doing the exact same thing, generates an error but email
>>>> is accepted.
>>>
>>> DomainKey is obsolete and not part of the DMARC RFC and therefore not
>>> supported by OpenDMARC.
>>
>> That would have been perfectly acceptable also as it is obsolete. Why
>> is there an interaction with DomainKey-Signature then and I get a
>> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
>> completely ignored without any permerror generated?
>
> I doubt that there really is an interaction with the DomainKey signature.
>
>> Header example:
>>
>> Authentication-Results: mx.domain.com; dmarc=permerror
>> header.from=old.domainkey.com
>> Authentication-Results: mx.domain.com; spf=pass
>> smtp.mailfrom=user at bounces.domainkey.com
>> Authentication-Results: mx.domain.com; dkim=none
>> DomainKey-Signature: ...
>
> What does OpenDMARC log in such a case - maybe the problem is not the
> authentication results, but somewhere in the sender's DMARC record?
>
> Un-obfuscated examples would be nice...
Yes, just checked their DMARC record and this seems to be the problem
here. Sender DNS has DMARC set but seems to sign using old
DomainKey-signature instead of DKIM. I have already contacted them about
their obsolete DomainKey usage but never got back a response. Wouldn't
want to give any more info as it is a very old and well known anti spam
service. Hopefully they will fix this.
>> OpenDKIM v2.10.3 settings:
>
> ... looking good so far...
>
>> OpenDMARC v1.3.2 settings:
>> [...]
>> SPFSelfValidate true
>
> Be careful with the internal SPF code. Be sure that your binary uses
> libspf2, or else the SPF results will be wrong!
I am using libspf2 and also another separate policy SPF service, so no
problems there. Besides, DMARC's SPF always agrees, so no issues.