[opendmarc-users] OpenDMARC ignoring DKIM result, debugging

Dan Mahoney danm at prime.gushi.org
Sun Oct 3 22:22:57 PDT 2021 

Reworking the mailing lists (and most of the infrastrucure that runs trusteddomainproject stuff) is on our radar.  Visiting the datacenter sometime in 2020...something happened...trying to remember what...

Stay safe out there.

-Dan

> On Oct 1, 2021, at 10:25 AM, Ladislav Laska <krakonos at krakonos.org> wrote:
> 
> Signed PGP part
> Thanks. I'm still not happy though, I'd like a way to verify this is
> actually the case. Is there no way of getting more info on why the dmarc
> check resulted in fail?
> 
> Also, is this mailing list setup incorrectly? Looked up your message and
> found:
> 
> Authentication-Results: mouflon; dmarc=fail (p=reject dis=none) header.from=ptld.com
> Authentication-Results: mouflon; spf=pass smtp.mailfrom=trusteddomain.org
> Authentication-Results: mouflon;
>        dkim=fail reason="signature verification failed" (2048-bit key) header.d=ptld.com
>        header.i=@ptld.com header.b=hDllrs9n
> 
> Here the SPF passed, but DKIM failed (I guess the mailing list touched
> something it shouldn't have?).
> 
> Anyway, the dmarc still failed, even though SPF passed. I'd like to
> point out that SPF check was performed using OpenDMARC itself.
> 
> Regards,
> Ladislav
> 
> On Fri, Oct 01, 2021 at 12:04:53PM -0400, list at ptld.com wrote:
>>> Oct 01 17:03:13 mouflon opendkim[50486]: D473D525A2: DKIM verification
>>> successful
>>> Oct 01 17:03:13 mouflon opendmarc[50891]: D473D525A2 ignoring
>>> Authentication-Results at 6 from medusa.blackops.org
>>> Oct 01 17:03:14 mouflon opendmarc[50891]: D473D525A2: SPF(mailfrom):
>>> trusteddomain.org pass
>>> Oct 01 17:03:15 mouflon opendmarc[50891]: D473D525A2: trusteddomain.org
>>> pass
>> 
>>> Authentication-Results: mouflon; dmarc=fail (p=none dis=none)
>>> header.from=comcast.net
>>> Authentication-Results: mouflon; spf=fail smtp.mailfrom=groups.io
>>> Authentication-Results: mouflon; dkim=pass (1024-bit key)
>>> header.d=groups.io header.i=@groups.io header.b=OZOfLbUX
>> 
>> 
>> Nothing is wrong, many mailing list are not setup right. What you are seeing
>> is an alignment issue between the envelope and header from. You have a
>> situation where you are getting an email from ???@groups.io but it was sent
>> from blackops.org / trusteddomain.org
>> 
>> SPF passed for trusteddomain.org, but the email header From: is
>> ???@groups.io. Even though SPF passed, it passed for the wrong domain. It
>> didn't pass for groups.io which is who the email is from. As you see in the
>> logs spf=fail for groups.io.
>> 
>> Same issue for dkim, dkim passed for groups.io but the mail was received
>> from medusa.blackops.org
>> 
>> When it says DKIM verfication successful, its just reporting that it found a
>> signature and the signature is valid, but doesn't mean its the right
>> signature needed based on who is sending that email.
>> _______________________________________________
>> opendmarc-users mailing list
>> opendmarc-users at trusteddomain.org
>> http://www.trusteddomain.org/mailman/listinfo/opendmarc-users
>

More information about the opendmarc-users mailing list