[opendmarc-users] strange logs, dmarc fail even on dkim=pass
A. Schulze
sca at andreasschulze.de
Fri Aug 2 09:59:01 PDT 2024
Hello,
today I found these logs:
Aug 02 12:02:32 maildomain postfix/smtpd[755948]: 4Wb1bX4v6yzC6: client=mx0b-00151a02.pphosted.com[67.231.156.68]:20428
Aug 02 12:02:32 maildomain postfix/cleanup[756091]: 4Wb1bX4v6yzC6: message-id=<1292890066.536.1722592945483 at red-inf-mft-p01.esri.com>
02.08.24 12:02:32,908 opendkim: 4Wb1bX4v6yzC6: mx0b-00151a02.pphosted.com [67.231.156.68] not internal
02.08.24 12:02:32,910 opendkim: 4Wb1bX4v6yzC6: not authenticated
02.08.24 12:02:32,910 opendkim: 4Wb1bX4v6yzC6: message has signatures from maps.com, esri.com
02.08.24 12:02:38,149 opendkim: 4Wb1bX4v6yzC6: DKIM verification successful
02.08.24 12:02:38,150 opendmarc: 4Wb1bX4v6yzC6: SPF(mailfrom): esri.com fail
02.08.24 12:02:38,735 opendmarc: 4Wb1bX4v6yzC6: esri.com fail
Aug 02 12:02:38 maildomain postfix/cleanup[756091]: 4Wb1bX4v6yzC6: milter-reject: END-OF-MESSAGE from mx0b-00151a02.pphosted.com[67.231.156.68]: 5.7.1 rejected by DMARC policy for esri.com; from=<redacted at esri.com> to=<redacted at some_local_domain.example.com> proto=ESMTP helo=<mx0b-00151a02.pphosted.com>
The line "message has signatures from maps.com, esri.com" tells me there were two DKIM signatures on the message and both were successfully validated.
The line "opendmarc: 4Wb1bX4v6yzC6: esri.com fail" tells me the 5322.From header was something like "From: <irrelevant at esri.com>".
I wonder why OpenDMARC did not come to a result "esri.com pass".
Note the delay after "message has signatures from maps.com, esri.com": there are more than 5 seconds.
If I test the spf data, it looks good:
# spfquery -ip 67.231.156.68 -sender redacted at esri.com -helo mx0b-00151a02.pphosted.com
pass
spfquery: domain of esri.com designates 67.231.156.68 as permitted sender
Received-SPF: pass (spfquery: domain of esri.com designates 67.231.156.68 as permitted sender) client-ip=67.231.156.68; envelope-from=redacted at esri.com; helo=mx0b-00151a02.pphosted.com;
My wild guess: OpenDMARC (using "SPFSelfValidate yes") ran into a DNS timeout. And in this case, other codepaths are active which do not let OpenDMARC take the dkim=pass
to build a positive DMARC result.
The logs above were produced on the same host where spfquery was run (much later).
Also I'm sure OpenDMARC and spfquery use the same /lib/libspf2.
As the message was rejected, I do not have access to the message content.
Any ideas?
Andreas
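Added example (not part of the post and not OpenDMARC's own code): a minimal DMARC evaluator following RFC 7489 section 6.6.2, which passes a message if either an aligned DKIM signature or an aligned SPF check passes. It reproduces the situation in the post (two valid DKIM signatures from maps.com and esri.com, SPF fail for esri.com, From: domain esri.com) and shows that the only way the evaluator yields "fail" is when the DKIM pass is not credited. The Authentication-Results header is constructed; the organizational-domain helper uses the last two labels as a simplification (a real verifier consults the Public Suffix List); the handling of temperror mirrors common implementation behaviour and is an assumption, not an RFC mandate.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    mechanism: str  # "dkim" or "spf"
    result: str     # "pass", "fail", "temperror", "none", ...
    domain: str     # header.d= for DKIM, smtp.mailfrom= domain for SPF


# Matches "dkim=pass header.d=example.com" / "spf=fail (comment) smtp.mailfrom=user@example.com".
AR_CLAUSE = re.compile(
    r"\b(dkim|spf)=(\w+)"
    r"(?:\s*\([^)]*\))?"                                   # optional comment
    r"(?:\s+(?:header\.d|smtp\.mailfrom)=([^;\s]+))?",    # optional property
    re.I,
)


def parse_authentication_results(header: str) -> list[AuthResult]:
    """Parse dkim=/spf= clauses of an Authentication-Results header value.
    The authserv-id before the first ';' is ignored here; a real verifier
    must check it against its trusted AuthservID before believing anything."""
    results = []
    for mech, res, dom in AR_CLAUSE.findall(header):
        dom = dom.lower()
        if "@" in dom:  # smtp.mailfrom may carry a full address
            dom = dom.split("@", 1)[1]
        results.append(AuthResult(mech.lower(), res.lower(), dom))
    return results


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels (no PSL lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain: str, results: list[AuthResult],
                   adkim: str = "r", aspf: str = "r") -> tuple[str, str]:
    """RFC 7489 6.6.2: pass if any aligned DKIM pass OR an aligned SPF pass.
    Returns (result, reason)."""
    for r in results:
        if r.mechanism == "dkim" and r.result == "pass" and aligned(from_domain, r.domain, adkim):
            return "pass", f"aligned DKIM signature d={r.domain}"
    for r in results:
        if r.mechanism == "spf" and r.result == "pass" and aligned(from_domain, r.domain, aspf):
            return "pass", f"aligned SPF pass for {r.domain}"
    # Assumption: with no aligned pass, a transient lookup error is reported as
    # temperror rather than a definitive fail (implementation choice).
    if any(r.result == "temperror" for r in results):
        return "temperror", "no aligned pass; a lookup was a transient error"
    return "fail", "no aligned SPF or DKIM pass"


# Constructed header reflecting the log lines in the post.
SAMPLE_AR = ("mail.example.com; dkim=pass header.d=esri.com; "
             "dkim=pass header.d=maps.com; spf=fail smtp.mailfrom=esri.com")


def scenario_from_post() -> tuple[str, str]:
    """Both DKIM signatures valid, SPF fail: DMARC must still pass on DKIM."""
    return evaluate_dmarc("esri.com", parse_authentication_results(SAMPLE_AR))


def scenario_dkim_not_credited() -> tuple[str, str]:
    """Same message, but the DKIM results never reach the DMARC evaluator."""
    return evaluate_dmarc("esri.com", [AuthResult("spf", "fail", "esri.com")])


def scenario_spf_temperror() -> tuple[str, str]:
    """SPF lookup timed out, but an aligned DKIM pass still decides the result."""
    return evaluate_dmarc("esri.com", [AuthResult("dkim", "pass", "esri.com"),
                                       AuthResult("spf", "temperror", "esri.com")])


if __name__ == "__main__":
    for name, fn in [("as in the post", scenario_from_post),
                     ("DKIM not credited", scenario_dkim_not_credited),
                     ("SPF temperror", scenario_spf_temperror)]:
        print(f"{name}: {fn()}")
```

The first scenario is the outcome the post expects ("esri.com pass"); the second is the only way this logic produces the observed "esri.com fail", which is why checking whether the DKIM verdict actually reached OpenDMARC (for example via the Authentication-Results header and its AuthservID) is the useful next diagnostic step.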