[opendmarc-users] Rejecting DMARC errors

Juri Haberland juri at sapienti-sat.org
Thu Jun 13 04:53:31 PDT 2019


On 2019-06-13 12:43, Lefteris Tsintjelis wrote:
> On 13/6/2019 12:51, Juri Haberland wrote:
>> On 2019-06-13 10:45, Lefteris Tsintjelis wrote:

>> A receiver without DMARC checking would accept the mail anyway, so why 
>> would it be a security issue if a receiver /with/ DMARC checking 
>> accepts it, too?
> 
> Because the DomainKey ADSP policy (dkim=all) is set for all outgoing
> mail to be DKIM signed and therefore an unsigned mail with DMARC
> policy set to reject should be rejected.

DMARC does not enforce DKIM policies - it does enforce DMARC policies.
ADSP is considered dead. From RFC 7489, appendix A.5:
>  DMARC has been characterized as a "super-ADSP" of sorts.
See also https://dmarcian.com/adsp-and-dmarc/


>>>>> 2) Also, when an email arrives from an older domain using DomainKey
>>>>> OpenDMARC is doing the exact same thing, generates an error but 
>>>>> email
>>>>> is accepted.
>>>> 
>>>> DomainKey is obsolete and not part of the DMARC RFC and therefore not 
>>>> supported by OpenDMARC.
>>> 
>>> That would have been perfectly acceptable also as it is obsolete. Why
>>> is there an interaction with DomainKey-Signature then and I get a
>>> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
>>> completely ignored without any permerror generated?

>>> Header example:
>>> 
>>> Authentication-Results: mx.domain.com; dmarc=permerror 
>>> header.from=old.domainkey.com

I've checked the sources and - if I didn't miss anything - 
"dmarc=permerror" is only used if something was wrong with the DMARC 
DNS record. In such cases you should see something like the following in 
your logs:
> opendmarc[<pid>]: <jobid> opendmarc_policy_query_dmarc(<sender.domain>) 
> returned status <x>
It has nothing to do with old DomainKeys, as they are completely ignored.


Cheers,
   Juri
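
The "permerror only comes from a bad DMARC DNS record" point above can be made concrete. The following is an added example written for this page; it is not OpenDMARC's code and not part of the thread. It applies the record-selection and tag-parsing rules of RFC 7489 (sections 6.3 and 6.6.3) to constructed TXT data, with no DNS lookup, so that one can see which published records yield permerror, which yield none (no DMARC record at all), and which yield a usable policy. The domain names and record contents are made up; treating bad adkim, aspf or pct values as permerror is this example's own choice, not something the RFC prescribes.

```python
"""Added example; not code from OpenDMARC or from anyone in this thread.

A receiver reports dmarc=permerror when the TXT data at _dmarc.<domain>
cannot be turned into a usable policy record.  The functions below apply
the record discovery and tag parsing rules of RFC 7489 sections 6.3 and
6.6.3 to constructed TXT data (no DNS lookup is made).  All domain names
and record contents are made up for this example.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}
# DKIM tag-value syntax (RFC 6376 3.2), which DMARC records reuse:
# optional whitespace around the tag name, the '=' and the value.
TAG_RE = re.compile(r"^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")


class PermError(ValueError):
    """The published record is unusable: the receiver reports permerror."""


def select_dmarc_record(txt_records):
    """RFC 7489 6.6.3 steps 3 and 4: discard TXT records that do not start
    with v=DMARC1, then require exactly one survivor.  Returns None when no
    DMARC record exists at all (the receiver then reports dmarc=none)."""
    candidates = [r for r in txt_records
                  if re.match(r"^\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if not candidates:
        return None
    if len(candidates) > 1:
        raise PermError("%d DMARC records published, expected one" % len(candidates))
    return candidates[0]


def _usable_rua(value):
    """True when rua names at least one plausible mailto: URI (only the
    mailto: scheme is checked, which is enough for this example)."""
    return any(u.strip().lower().startswith("mailto:") for u in value.split(","))


def parse_dmarc_record(txt):
    """Parse one DMARC record into a dict of tag -> value, applying the
    RFC 7489 6.6.3 fallback for a missing or invalid p/sp tag.  Raises
    PermError for anything that leaves the record unusable."""
    tags = []
    for chunk in txt.split(";"):
        if not chunk.strip():
            continue                      # a trailing ';' is permitted
        m = TAG_RE.match(chunk)
        if not m:
            raise PermError("malformed tag %r" % chunk.strip())
        tags.append((m.group(1), m.group(2)))
    # v must be the first tag and must be exactly DMARC1 (RFC 7489 6.3).
    if not tags or tags[0] != ("v", "DMARC1"):
        raise PermError("first tag must be v=DMARC1")
    rec = {}
    for name, value in tags:
        if name in rec:                   # duplicates void the whole tag list
            raise PermError("duplicate tag %r" % name)
        rec[name] = value
    # p is REQUIRED; sp is optional but must be valid when present.
    p_ok = rec.get("p", "").lower() in VALID_POLICIES
    sp_ok = "sp" not in rec or rec["sp"].lower() in VALID_POLICIES
    if not (p_ok and sp_ok):
        if _usable_rua(rec.get("rua", "")):
            # RFC 7489 6.6.3: with a usable rua tag, act as if p=none was published.
            rec["p"] = "none"
            rec.pop("sp", None)
        else:
            raise PermError("no valid p tag and no usable rua tag")
    for name in ("p", "sp"):
        if name in rec:
            rec[name] = rec[name].lower()
    # Alignment and sampling tags (RFC 7489 6.3).  Rejecting illegal values
    # is this example's choice; the RFC lists the legal values but does not
    # prescribe the receiver's reaction to an illegal one.
    for name in ("adkim", "aspf"):
        if name in rec and rec[name].lower() not in VALID_ALIGNMENT:
            raise PermError("bad %s value %r" % (name, rec[name]))
    if "pct" in rec:
        if not rec["pct"].isdigit() or not 0 <= int(rec["pct"]) <= 100:
            raise PermError("bad pct value %r" % rec["pct"])
        rec["pct"] = int(rec["pct"])
    return rec


def dmarc_policy_lookup(txt_records):
    """Map the TXT data of _dmarc.<domain> to what a receiver would put in
    Authentication-Results: ('none', None) when no record exists,
    ('permerror', reason) when it is unusable, ('ok', record) otherwise."""
    try:
        raw = select_dmarc_record(txt_records)
        if raw is None:
            return "none", None
        return "ok", parse_dmarc_record(raw)
    except PermError as e:
        return "permerror", str(e)


# Constructed TXT data, keyed by a made-up sending domain.
SAMPLES = {
    "good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s"],
    "nop-rua.example": ["v=DMARC1; rua=mailto:dmarc@nop-rua.example"],
    "nop.example": ["v=DMARC1; adkim=r"],
    "twice.example": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "pct.example": ["v=DMARC1; p=reject; pct=150"],
    "dup.example": ["v=DMARC1; p=reject; p=none"],
    "spfonly.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        result, detail = dmarc_policy_lookup(records)
        print("%-18s dmarc=%-9s %s" % (domain, result, detail))
```

Running the module prints one line per sample domain. Only the domains whose record is syntactically broken, published twice, or lacks both a valid p tag and a usable rua tag come out as permerror; a domain with no DMARC record at all (or only an SPF record) comes out as none, and nothing about a message's DomainKey-Signature header enters into the result.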

