[opendmarc-users] Rejecting DMARC errors
Juri Haberland
juri at sapienti-sat.org
Thu Jun 13 04:53:31 PDT 2019
On 2019-06-13 12:43, Lefteris Tsintjelis wrote:
> On 13/6/2019 12:51, Juri Haberland wrote:
>> On 2019-06-13 10:45, Lefteris Tsintjelis wrote:
>> A receiver without DMARC checking would accept the mail anyway, so why
>> would it be a security issue if a receiver /with/ DMARC checking
>> accepts it, too?
>
> Because the DomainKey ADSP policy (dkim=all) is set for all outgoing
> mail to be DKIM signed and therefore an unsigned mail with DMARC
> policy set to reject should be rejected.
DMARC does not enforce DKIM policies - it does enforce DMARC policies.
ADSP is considered dead. From RFC 7489, appendix A.5:
> DMARC has been characterized as a "super-ADSP" of sorts.
See also https://dmarcian.com/adsp-and-dmarc/
>>>>> 2) Also, when an email arrives from an older domain using DomainKey
>>>>> OpenDMARC is doing the exact same thing, generates an error but
>>>>> email
>>>>> is accepted.
>>>>
>>>> DomainKey is obsolete and not part of the DMARC RFC and therefor not
>>>> supported by OpenDMARC.
>>>
>>> That would have been perfectly acceptable also as it is obsolete. Why
>>> is there an interaction with DomainKey-Signature then and I get a
>>> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
>>> completely ignored without any permerror generated?
>>> Header example:
>>>
>>> Authentication-Results: mx.domain.com; dmarc=permerror
>>> header.from=old.domainkey.com
I've checked the sources and - if I didn't miss anything -
"dmarc=permerror" is only used if something was wrong with the DMARC
DNS record. In such cases you should see something like the following
in your logs:
> opendmarc[<pid>]: <jobid> opendmarc_policy_query_dmarc(<sender.domain>)
> returned status <x>
It has nothing to do with old DomainKeys as it is completely ignored.
Cheers,
Juri
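To make the distinction in this thread concrete (a "permerror" comes from a syntactically bad _dmarc DNS record, an absent record or an old DomainKey-Signature header does not produce one, and a permerror does not by itself cause rejection), here is an added, simplified model of DMARC policy discovery and disposition following RFC 7489 sections 6.6.3 and 6.7 and the dmarc result values of RFC 7601. It is illustration written for this thread, not OpenDMARC source; the domain names and the in-memory DNS table are constructed, and the helper names are my own.

```python
"""Simplified DMARC policy discovery and disposition (modelled on RFC 7489 6.6.3 / 6.7).

Added illustration, not OpenDMARC code. FAKE_DNS is a constructed in-memory
table standing in for _dmarc.<domain> TXT lookups; all domains are hypothetical.
"""
import re
from typing import Dict, List

FAKE_DNS: Dict[str, List[str]] = {
    # Valid record with an enforcing policy
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:reports@strict.example"],
    # Syntactically broken record: "p" has no value and one tag has no "="
    "_dmarc.broken.example": ["v=DMARC1; p=; bogus"],
    # No "p" tag at all, but a rua address -> RFC 7489 says treat as p=none
    "_dmarc.lenient.example": ["v=DMARC1; rua=mailto:reports@lenient.example"],
    # old.domainkey.example publishes only a DomainKeys policy and no _dmarc record
}

VALID_P = ("none", "quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record into its tags; raise ValueError if it is syntactically invalid."""
    parts = [p.strip() for p in txt.split(";")]
    if not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        raise ValueError("record does not start with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p") not in VALID_P:
        if tags.get("rua"):
            # RFC 7489 6.6.3 step 6: missing/invalid "p" but a rua URI present -> act as p=none
            tags["p"] = "none"
        else:
            raise ValueError(f"missing or invalid p tag: {tags.get('p')!r}")
    return tags


def dmarc_policy(from_domain: str, dns: Dict[str, List[str]] = FAKE_DNS) -> str:
    """Return 'none'|'quarantine'|'reject' for a valid record, 'nopolicy' when the
    domain publishes no DMARC record, or 'permerror' when the record is unparseable."""
    records = [r for r in dns.get(f"_dmarc.{from_domain}", [])
               if r.lstrip().lower().startswith("v=dmarc1")]
    if not records:
        return "nopolicy"
    try:
        return parse_dmarc(records[0])["p"]
    except ValueError:
        return "permerror"


def disposition(headers: Dict[str, str], dkim_aligned_pass: bool,
                spf_aligned_pass: bool, dns: Dict[str, List[str]] = FAKE_DNS) -> str:
    """Decide accept/quarantine/reject for one message.

    Only the RFC5322.From domain drives policy discovery. A DomainKey-Signature
    (or any other) header is never consulted, so an old DomainKeys sender simply
    ends up with no policy and is accepted.
    """
    from_domain = headers["From"].rsplit("@", 1)[1].strip(">").lower()
    policy = dmarc_policy(from_domain, dns)
    if policy in ("nopolicy", "permerror", "none"):
        return "accept"  # nothing enforceable: permerror is reported in A-R, not enforced
    if dkim_aligned_pass or spf_aligned_pass:
        return "accept"  # DMARC passes when either aligned mechanism passes
    return policy  # "quarantine" or "reject"
```

Running `disposition({"From": "a@old.domainkey.example", "DomainKey-Signature": "a=rsa-sha1; ..."}, False, False)` gives `accept` with policy `nopolicy`, while `dmarc_policy("broken.example")` is the only case here that yields `permerror`, and even that still results in `accept`.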