[opendmarc-users] SPF record macro expansion
A. Schulze
sca at andreasschulze.de
Wed Sep 7 06:19:19 PDT 2022
Steve Siirila:
> Has anyone experienced issues with DMARC validation of email coming from
> sites which should pass SPF and therefore pass DMARC but don't?
>
> In our real-life example, we are receiving email from Service Now IP
> addresses with a sender (envelope FROM) domain of USER at purestorage.com and
> a header FROM domain of USER at purestorage.com. Because purestorage.com has
> a DMARC reject policy, either SPF or DKIM must pass before we will accept
> the email. There is no DKIM record, and the SPF record is rather complex:
>
> purestorage.com. 300 IN TXT "v=spf1
> include:purestorage.com._nspf.vali.email
> include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
>
> After substituting IP address, helo name, and domain name in the above, the
> returned SPF record resolves to this value:
>
> "v=spf1 include:service-now.com -all"
>
> As such, DMARC should pass, but does not. Is opendmarc known to have
> issues with SPF record macro expansion? Has anyone had any experience with
> this sort of setup?
Hello,
yep, I see the same problem, using opendmarc built with libspf2.
Currently I use an older version from Debian stretch, but an update to
Debian bullseye will happen in the next days here.
The issue is generating trouble because the messages in question are
not DKIM signed but the domain uses p=reject.
Valimail should really tell its customers "this isn't best practice at
all", but that doesn't help here ...
Andreas
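To see what a correct SPF implementation has to produce before it can follow the second include: in the record above, the following is an added stand-alone example of RFC 7208 section 7 macro expansion; it is not code from this thread, from opendmarc or from libspf2. The connecting IP and HELO name are constructed placeholder values (192.0.2.10 and mail.example.net), the record is the purestorage.com one quoted above, and %{p} is simplified to "unknown" because nothing here does DNS. The expanded include target is the name the verifier must look up, so it can be compared with what a resolver returns for that name when chasing a failure like the one described.

```python
import ipaddress
import re
import urllib.parse
from dataclasses import dataclass


@dataclass
class SpfContext:
    """Inputs an SPF evaluator has when it expands macros (RFC 7208 section 7.2)."""
    sender: str   # envelope MAIL FROM, e.g. user@purestorage.com
    ip: str       # connecting client IP (%{i}); constructed value below
    domain: str   # domain currently being evaluated (%{d})
    helo: str     # HELO/EHLO hostname (%{h}); constructed value below


# %%  -> literal %, %_ -> space, %- -> %20, or a macro %{letter[digits][r][delims]}
TOKEN_RE = re.compile(r"%%|%_|%-|%\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)


def _macro_value(letter: str, ctx: SpfContext) -> str:
    """Raw value of one macro letter before transformers are applied."""
    letter = letter.lower()
    if letter == "s":
        return ctx.sender
    if letter == "l":
        return ctx.sender.split("@", 1)[0]
    if letter == "o":
        return ctx.sender.split("@", 1)[1]
    if letter == "d":
        return ctx.domain
    if letter == "h":
        return ctx.helo
    addr = ipaddress.ip_address(ctx.ip)
    if letter == "i":
        # IPv4 is dotted quad; IPv6 is every hex nibble as its own dot-separated label
        return str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    if letter == "v":
        return "in-addr" if addr.version == 4 else "ip6"
    # %{p} needs a validated reverse lookup; "unknown" is the RFC fallback, used here
    # because this example deliberately does no DNS (simplification, an assumption)
    return "unknown"


def expand_macros(text: str, ctx: SpfContext) -> str:
    """Expand all macros in a domain-spec according to RFC 7208 section 7.3."""

    def repl(match: re.Match) -> str:
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delims = match.groups()
        # split on the given delimiters (default "."), optionally reverse,
        # optionally keep only the rightmost N labels, then rejoin with "."
        labels = re.split("[" + re.escape(delims or ".") + "]", _macro_value(letter, ctx))
        if reverse:
            labels.reverse()
        if digits:
            labels = labels[-int(digits):]
        out = ".".join(labels)
        # uppercase macro letters request URL-encoding of the result
        return urllib.parse.quote(out, safe="") if letter.isupper() else out

    return TOKEN_RE.sub(repl, text)


def expand_record(record: str, ctx: SpfContext) -> list[str]:
    """Return the record's terms with every macro expanded, as the evaluator sees them."""
    return [expand_macros(term, ctx) for term in record.split()]


# The purestorage.com record quoted in the thread (macros appear only in the second include).
PURESTORAGE_SPF = (
    "v=spf1 include:purestorage.com._nspf.vali.email "
    "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
)

# Constructed context: documentation IP range and an example HELO name, not a real sender.
CTX = SpfContext(sender="user@purestorage.com", ip="192.0.2.10",
                 domain="purestorage.com", helo="mail.example.net")

if __name__ == "__main__":
    for term in expand_record(PURESTORAGE_SPF, CTX):
        print(term)
```

The second include line printed for this context is the exact TXT name an RFC-conformant verifier queries; if `dig TXT` on that name returns `v=spf1 include:service-now.com -all` while opendmarc still reports SPF fail, the problem is in the verifier's expansion (or in the %{h} value it was handed), not in the published record.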