[opendmarc-users] SPF record macro expansion

Scott Kitterman sklist at kitterman.com
Tue Sep 6 18:08:05 PDT 2022



On September 6, 2022 8:57:35 PM UTC, Steve Siirila <sfs at umn.edu> wrote:
>Has anyone experienced issues with DMARC validation of email coming from
>sites which should pass SPF and therefore pass DMARC but don't?
>
>In our real-life example, we are receiving email from Service Now IP
>addresses with a sender (envelope FROM) domain of USER at purestorage.com and
>a header FROM domain of USER at purestorage.com.  Because purestorage.com has
>a DMARC reject policy, either SPF or DKIM must pass before we will accept
>the email.  There is no DKIM record, and the SPF record is rather complex:
>
>purestorage.com. 300 IN TXT "v=spf1
>include:purestorage.com._nspf.vali.email
>include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
>
>After substituting IP address, helo name, and domain name in the above, the
>returned SPF record resolves to this value:
>
>"v=spf1 include:service-now.com -all"
>
>As such, DMARC should pass, but does not.  Is opendmarc known to have
>issues with SPF record macro expansion?  Has anyone had any experience with
>this sort of setup?

It's been a long time since I looked, but when I did, the internal SPF code didn't support SPF macros.  If you are using the internal SPF implementation, this is probably a result of that limitation.  You can either compile against libspf2 to get a more robust internal capability or use a separate SPF processor to look first (opendmarc will get the SPF result from the header field it inserts).  Alternately, macros were later implemented in opendmarc and my experience is obsolete.

Scott K
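To make the macro mechanics in the quoted record concrete, here is an added example (not code from OpenDMARC, libspf2, or anyone in this thread) that expands SPF macros according to RFC 7208 section 7 and lists which macro letters a record depends on. A validator that lacks macro support would try to resolve the literal `%{i}._ip.%{h}...` string as an include target and fail, which is the failure mode described above. The sender address, HELO host and client IP used below are constructed for illustration; `purestorage.com` and its record are taken from the quoted message.

```python
"""Expand SPF macros (RFC 7208 section 7) in an SPF record string.

Added example for the opendmarc-users thread; not OpenDMARC or libspf2 code.
The sender, HELO host and client IP in the demo are constructed values.
"""
import ipaddress
import re
from urllib.parse import quote

# Matches %%, %_, %- or a full macro: %{letter}{digits}{r}{delimiters}
_TOKEN_RE = re.compile(
    r"%(?:(%|_|-)|\{([slodipvhSLODIPVH])(\d*)([rR]?)([.\-+,/_=]*)\})"
)


def _macro_value(letter, sender, helo, domain, client_ip):
    """Raw value for one (lowercased) macro letter, before transformers."""
    ip = ipaddress.ip_address(client_ip)
    local_part, _, sender_domain = sender.rpartition("@")
    if letter == "s":
        return sender
    if letter == "l":
        return local_part
    if letter == "o":
        return sender_domain
    if letter == "d":
        return domain
    if letter == "h":
        return helo
    if letter == "v":
        return "in-addr" if ip.version == 4 else "ip6"
    if letter == "i":
        if ip.version == 4:
            return str(ip)
        # IPv6 expands to one dot-separated hex nibble per digit (RFC 7208 7.3)
        return ".".join(ip.exploded.replace(":", ""))
    if letter == "p":
        # The "validated domain" macro needs PTR lookups, which the RFC
        # discourages; with no DNS here we use "unknown" as the RFC allows.
        return "unknown"
    raise ValueError(f"unsupported macro letter {letter!r}")


def _transform(value, digits, reverse, delimiters):
    """Apply the digit / 'r' / delimiter transformers to a macro value."""
    delims = delimiters or "."
    parts = re.split("[" + re.escape(delims) + "]", value)
    if reverse:
        parts.reverse()
    if digits:
        parts = parts[-int(digits):]   # keep only the right-most N labels
    return ".".join(parts)


def expand_spf_macros(text, *, sender, helo, domain, client_ip):
    """Return `text` with every SPF macro replaced by its expansion."""
    def repl(m):
        literal, letter, digits, reverse, delims = m.groups()
        if literal == "%":
            return "%"
        if literal == "_":
            return " "
        if literal == "-":
            return "%20"
        value = _macro_value(letter.lower(), sender, helo, domain, client_ip)
        value = _transform(value, digits, bool(reverse), delims)
        if letter.isupper():   # uppercase macro letters mean URL-encode
            value = quote(value, safe="")
        return value
    return _TOKEN_RE.sub(repl, text)


def spf_macros_used(record):
    """Distinct macro letters a record relies on, so an operator can tell
    whether evaluation depends on macro support in the receiver's SPF code."""
    return sorted({m.group(2).lower() for m in _TOKEN_RE.finditer(record)
                   if m.group(2)})


# The record quoted in the thread; HELO host and IP below are constructed.
PURESTORAGE_RECORD = ("v=spf1 include:purestorage.com._nspf.vali.email "
                      "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")

if __name__ == "__main__":
    print(spf_macros_used(PURESTORAGE_RECORD))
    print(expand_spf_macros(PURESTORAGE_RECORD, sender="user@purestorage.com",
                            helo="mail.example.net", domain="purestorage.com",
                            client_ip="192.0.2.10"))
```

Running `spf_macros_used` over a sender's published record is a quick way to check, before blaming DMARC, whether the record can even be evaluated by an SPF implementation without macro support; the expanded form shows the per-client include name that the macro-capable path would actually look up.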


