[opendmarc-users] OpenDMARC ignoring DKIM result, debugging

Ladislav Laska krakonos at krakonos.org
Fri Oct 1 08:13:19 PDT 2021


Hi there OpenDMARC users!

I'm trying out deployment of OpenDMARC for my mailserver and got myself
stuck. OpenDMARC seems to ignore my OpenDKIM passed result and I don't
know how to debug it.

The main question is if there is a way to get some more debugging info
out of OpenDMARC? I tried setting MilterDebug to various values (5, 9,
255), with little effect.

Here is a bit of my setup: I'm running opendmarc 1.4.1.1-1 from the
Arch Linux package. Pretty much standard configuration, verified the
AuthservIDs are the same (all HOSTNAME). Postfix is configured to
use the milters in the correct order (opendkim first):

smtpd_milters		        = inet:localhost:8891, unix:/run/opendmarc/opendmarc.sock
non_smtpd_milters		= inet:localhost:8891, unix:/run/opendmarc/opendmarc.sock

My log shows:

Oct 01 17:03:13 mouflon opendkim[50486]: D473D525A2: DKIM verification successful
Oct 01 17:03:13 mouflon opendmarc[50891]: D473D525A2 ignoring Authentication-Results at 6 from medusa.blackops.org
Oct 01 17:03:14 mouflon opendmarc[50891]: D473D525A2: SPF(mailfrom): trusteddomain.org pass
Oct 01 17:03:15 mouflon opendmarc[50891]: D473D525A2: trusteddomain.org pass

In this case, SPF passed and it's OK. OpenDMARC does not mention
that DKIM passed too. Is that intentional?

Additionally, I have an email with the following headers (yes, it's a
mailing list):

Authentication-Results: mouflon; dmarc=fail (p=none dis=none) header.from=comcast.net
Authentication-Results: mouflon; spf=fail smtp.mailfrom=groups.io
Authentication-Results: mouflon;
        dkim=pass (1024-bit key) header.d=groups.io header.i=@groups.io header.b=OZOfLbUX


DKIM passed, SPF did not. However, DMARC failed anyway and I'm stuck
trying to debug that. Unfortunately, I did not have MilterDebug high
enough to at least see more data; I only see that opendkim passed.
Waiting for more emails like that to arrive, as I don't want to go
through the hassle of making DKIM-passed, SPF-failed emails myself.

Any ideas on how to debug the problem?

Cheers,
Ladislav
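
Added example (not part of the original post and not OpenDMARC's own code): a small Python model of DMARC identifier alignment, run over the three Authentication-Results headers quoted above. DMARC passes only when a passing DKIM d= domain or SPF mailfrom domain aligns with the From domain, and only results from a trusted authserv-id are counted; the function names and the two-label org_domain() shortcut are assumptions (a real evaluator uses the Public Suffix List).

```python
import re

# Constructed from the three headers quoted in the post (unfolded).
HEADERS = [
    "mouflon; dmarc=fail (p=none dis=none) header.from=comcast.net",
    "mouflon; spf=fail smtp.mailfrom=groups.io",
    "mouflon; dkim=pass (1024-bit key) header.d=groups.io "
    "header.i=@groups.io header.b=OZOfLbUX",
]

def org_domain(domain):
    """Naive organizational domain: last two labels (assumption; real
    evaluators consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_authres(value, trusted_id):
    """Return [(method, result, props)] for one header value, or [] when
    the authserv-id is not the trusted one."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop (comments)
    authserv_id, _, rest = value.partition(";")
    if authserv_id.strip().lower() != trusted_id.lower():
        return []
    out = []
    for resinfo in rest.split(";"):
        tokens = resinfo.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out

def dmarc_alignment(headers, trusted_id, from_domain):
    """Report which passing identifiers align (relaxed) with header.from."""
    aligned = {"dkim": False, "spf": False}
    for h in headers:
        for method, result, props in parse_authres(h, trusted_id):
            if result != "pass":
                continue  # only passing results can satisfy DMARC
            if method == "dkim":
                ident = props.get("header.d", "")
            elif method == "spf":
                ident = props.get("smtp.mailfrom", "").rpartition("@")[2]
            else:
                continue
            if ident and org_domain(ident) == org_domain(from_domain):
                aligned[method] = True
    aligned["dmarc"] = "pass" if aligned["dkim"] or aligned["spf"] else "fail"
    return aligned
```

Calling dmarc_alignment(HEADERS, "mouflon", "comcast.net") reports no aligned identifier: the DKIM pass is for groups.io, which does not match the From domain comcast.net.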