[opendmarc-users] OpenDMARC ignoring DKIM result, debugging
Ladislav Laska
krakonos at krakonos.org
Fri Oct 1 13:12:23 PDT 2021
This email threw me into a loop, as it passed everything. Until I
realized it came through directly, not via the list. I've cc'd the list
back just to note my summary.
After looking into all the data, I think I understand what's going on.
It's a bit convoluted to be honest. The major mistake I made is that I
assumed the SPF and DKIM are checked against header From:, not
envelope-from. This means SPF can pass with envelope-from, but DMARC
later still fails due to envelope-from not matching header From:. I
guess the same happens for DKIM.
Basically, failed expectation, and here I thought DMARC could actually
solve at least some issue.
Thanks for the explanation though!
PS: As to the logging: Looking at the source code, it appears opendmarc
does not check DKIM when the SPF is already good enough to pass DMARC.
This is why there is no mention of DKIM if SPF passes, but there still
appears to be missing log for the potential DKIM fail. Also, a lot of
error messages end up in log notice, which I guess is not picked up by
systemd (will look more into that). MilterDebug appears to have no
effect on the whole opendmarc codebase and is only passed to the milter
library.
Cheers,
Ladislav
On Fri, Oct 01, 2021 at 01:36:13PM -0400, list at ptld.com wrote:
> > Authentication-Results: mouflon; dmarc=fail (p=reject dis=none)
> > header.from=ptld.com
> > Authentication-Results: mouflon; spf=pass
> > smtp.mailfrom=trusteddomain.org
> > Authentication-Results: mouflon; dkim=fail reason="signature
> > verification failed" (2048-bit key) header.d=ptld.com header.i=@ptld.com
> > header.b=hDllrs9n
>
> > Here the SPF passed, but DKIM failed (I guess the mailing list touched
> > something it shouldn't have?).
>
> > Anyway, the dmarc still failed, even though SPF passed. I'd like to
> > point out that SPF check was performed using OpenDMARC itself.
>
> spf passed for trusteddomain.org
> But the email (header-from) is from list at ptld.com
> trusteddomain.org != ptld.com and this is why dmarc failed.
>
> Otherwise i could send an email to you from president at whitehouse.gov
> delivered to you by my server ptld.com. SPF would pass for ptld.com because
> the email really did come from ptld.com. But do you think
> president at whitehouse.gov should come from ptld.com? Would you want that spam
> email?
>
> Look at the headers and logs for this email. You will see what you are
> expecting. Because its an email from list at ptld.com sent by the ptld.com
> server. Alignment matches.
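The alignment rule discussed above (SPF is evaluated for the envelope-from domain and DKIM for the signing domain, but DMARC only passes when one of those domains aligns with the header From domain), worked through in code. This is an added example, not code from the thread or from OpenDMARC. It parses the Authentication-Results values quoted in the thread (a constructed, single-line copy of them), evaluates DMARC with either relaxed or strict alignment, and checks SPF before DKIM so that, as the post describes for OpenDMARC, DKIM is never consulted once SPF already satisfies DMARC. The `org_domain` helper is a deliberate simplification that takes the last two labels; a real verifier uses the Public Suffix List.

```python
import re

# Constructed sample input: the Authentication-Results values quoted in the
# thread, each joined onto one line (real headers are folded across lines).
SAMPLE_AR = [
    "mouflon; dmarc=fail (p=reject dis=none) header.from=ptld.com",
    "mouflon; spf=pass smtp.mailfrom=trusteddomain.org",
    'mouflon; dkim=fail reason="signature verification failed" (2048-bit key) '
    "header.d=ptld.com header.i=@ptld.com header.b=hDllrs9n",
]
HEADER_FROM_DOMAIN = "ptld.com"  # the message was From: list at ptld.com


def parse_authres(value):
    """Parse one Authentication-Results value into (method, result, props).

    Covers the RFC 8601 subset seen in the thread: an authserv-id, one
    method=result pair, an optional reason="...", comments in parentheses,
    and ptype.property=value items.
    """
    body = value.split(";", 1)[1] if ";" in value else value
    body = re.sub(r'reason="[^"]*"', "", body)  # reason text may contain spaces
    body = re.sub(r"\([^)]*\)", "", body)       # drop comments such as (2048-bit key)
    tokens = body.split()
    method, result = tokens[0].split("=", 1)
    props = {}
    for tok in tokens[1:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            props[key.lower()] = val
    return method.lower(), result.lower(), props


def org_domain(domain):
    """Simplified organizational domain: the last two labels.

    Assumption for this example only. A real verifier consults the Public
    Suffix List, so names under suffixes like co.uk behave differently.
    """
    host = domain.split("@")[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.split("@")[-1].lower().rstrip(".")
    if mode == "strict":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


def dmarc_evaluate(header_from, authres_values, spf_mode="relaxed", dkim_mode="relaxed"):
    """Return ('pass' | 'fail', reasons).

    One aligned SPF pass or one aligned DKIM pass is enough for DMARC to
    pass (RFC 7489, section 4.2). SPF entries are checked first and the
    function returns at the first aligned pass, so a DKIM failure is never
    reported when SPF alone already satisfied DMARC.
    """
    parsed = [parse_authres(v) for v in authres_values]
    reasons = []
    for wanted, mode, prop in (("spf", spf_mode, "smtp.mailfrom"),
                               ("dkim", dkim_mode, "header.d")):
        for method, result, props in parsed:
            if method != wanted:
                continue
            auth_domain = props.get(prop)
            if result != "pass" or not auth_domain:
                reasons.append(f"{method}={result}: does not count toward DMARC")
                continue
            if aligned(header_from, auth_domain, mode):
                return "pass", [f"{method}=pass for {auth_domain} is {mode}-aligned "
                                f"with header From {header_from}"]
            reasons.append(f"{method}=pass for {auth_domain} is not {mode}-aligned "
                           f"with header From {header_from}")
    return "fail", reasons


if __name__ == "__main__":
    # The thread's message: SPF passed for trusteddomain.org, DKIM failed.
    print(dmarc_evaluate(HEADER_FROM_DOMAIN, SAMPLE_AR))
    # The reply's hypothetical: header From whitehouse.gov relayed by ptld.com.
    print(dmarc_evaluate("whitehouse.gov", ["mouflon; spf=pass smtp.mailfrom=ptld.com"]))
    # The reply's own message: sent by the ptld.com server, so it aligns.
    print(dmarc_evaluate(HEADER_FROM_DOMAIN, ["mouflon; spf=pass smtp.mailfrom=ptld.com"]))
```

Running it reproduces the thread: the first call fails with two reasons (SPF passed for an unaligned domain, DKIM did not pass), the second fails on alignment even though SPF passed, and the third passes on SPF alone without DKIM ever being evaluated.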