<div dir="ltr"><div><div>Hello Stefan,<br></div>it looks like by "dmarc=none" and "dmarc=fail", you're referring to the disposition field in XML, is this correct? The disposition may be any of none/reject/quarantine. Since the domain you're referring to has a policy p=none, the disposition (what the MTA did with the message because of DMARC results) should never be anything other than 'none', unless there are override reasons specified.<br></div>A DMARC-fail result for the message represented by the XML record object you listed is implicit due to neither of the policy_evaluated dkim/spf being 'pass'.<br><div><br></div><div>I hope this helps.<br><br></div><div>Regards,<br></div><div>--Tomki<br><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 17, 2016 at 4:56 PM, Stefan Tittel <span dir="ltr"><<a href="mailto:stefan@tittel.net" target="_blank">stefan@tittel.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<br>
<br>
I deployed OpenDMARC on Debian Jessie using the 1.3.1 package from jessie-backports. My MTA is Postfix, DKIM headers are written by OpenDKIM and SPF headers are written by python-policyd-spf, SPFSelfValidate is off.<br>
<br>
When it comes to successfully validating mails that are supposed to pass DMARC, things look mostly fine and consistent. However I just stumbled upon a result that I cannot explain.<br>
<br>
DMARC record of <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> (the From domain):<br>
------------------------------<wbr>----------------<br>
"v=DMARC1; p=none; rua=mailto:<a href="mailto:dmarc@example.com" target="_blank">dmarc@example.com</a>; ruf=mailto:<a href="mailto:dmarc@example.com" target="_blank">dmarc@example.com</a>; fo=0:d:s"<br>
<br>
<br>
Relevant mail headers:<br>
----------------------<br>
Return-Path: <<a href="mailto:aohmhdhkoumifukgke.uahokifhfg@subdomain.someothersite.com" target="_blank">aohmhdhkoumifukgke.uahokifhfg<wbr>@subdomain.someothersite.com</a>><br>
Delivered-To: <<a href="mailto:me@mysite.com" target="_blank">me@mysite.com</a>><br>
Received: from <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a><br>
by <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a> (Dovecot) with LMTP id ESTmCWiGBFgdUAAAFMX49g<br>
for <<a href="mailto:me@mysite.com" target="_blank">me@mysite.com</a>>; Mon, 17 Oct 2016 10:06:00 +0200<br>
Authentication-Results: <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a>; spf=pass (sender SPF authorized) smtp.mailfrom=<a href="http://subdomain.someothersite.com" rel="noreferrer" target="_blank">subdomain.someot<wbr>hersite.com</a> (client-ip=123.123.123.123; helo=<a href="http://sendermailserver.differentsite.com" rel="noreferrer" target="_blank">sendermailserver.differen<wbr>tsite.com</a>; envelope-from=<a href="mailto:aohmhdhkoumifukgke.uahokifhfg@subdomain.someothersite.com" target="_blank">aohmhdhkoumifukg<wbr>ke.uahokifhfg@subdomain.someot<wbr>hersite.com</a>; receiver=<a href="mailto:myotherself@mysite.com" target="_blank">myotherself@mysite.co<wbr>m</a>)<br>
Authentication-Results: <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a>; dmarc=none header.from=<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
Authentication-Results: <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a>;<br>
dkim=pass (2048-bit key; unprotected) header.d=<a href="http://differentsite.com" rel="noreferrer" target="_blank">differentsite.com</a> header.i=@<a href="http://differentsite.com" rel="noreferrer" target="_blank">differentsite.com</a> header.b=d74dTJT2;<br>
dkim-adsp=none (unprotected policy); dkim-atps=neutral<br>
Received: from <a href="http://sendermailserver.differentsite.com" rel="noreferrer" target="_blank">sendermailserver.differentsite<wbr>.com</a> (<a href="http://sendermailserver.differentsite.com" rel="noreferrer" target="_blank">sendermailserver.differentsit<wbr>e.com</a> [123.123.123.123])<br>
by <a href="http://myserver.mysite.com" rel="noreferrer" target="_blank">myserver.mysite.com</a> (Postfix) with ESMTPS id 895D94045E<br>
for <<a href="mailto:myotherself@mysite.com" target="_blank">myotherself@mysite.com</a>>; Mon, 17 Oct 2016 10:05:56 +0200 (CEST)<br>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; s=k; d=<a href="http://differentsite.com" rel="noreferrer" target="_blank">differentsite.com</a>;<br>
h=Date:From:To:Subject:Messag<wbr>e-ID:List-Unsubscribe:MIME-<wbr>Version:Content-Type;<br>
bh=4pCHK+R2MG3DvF38W2PVLzbeul<wbr>J5wby0VB+pvymocOk=;<br>
b=d74dTJT2T3/e8OUN/Mb7fpYjHZj<wbr>rPUNnzSvv6gle1O9arrFPDyFlINqmP<wbr>2bd9+l7SZFHzNCSfkFs<br>
1MPdUveFT6g4T33yE4+i3s6hTI/Il<wbr>QrKlhFOis9eYqs4wIdCfGgvRM5qVMQ<wbr>PvRj5TgMPNCq8bEdG<br>
gDMVd0crrasji/6WvZZTZv+/Hh0N3<wbr>vvvXT4tcx1aEUi51KHerAyrZW8EmeI<wbr>oXKLuVXwx6eOIDBVO<br>
<wbr>sTU2NTJwABlERzPnqQD8sBOQw9aWow<wbr>wrjRiuCsBG5PQM0icSz5CnMaOWkA4+<wbr>Swv28G2IoqnSyJj+<br>
eY6IU8l0yJ2479vp6/Z6VZ6mzrcd/<wbr>BRQ3bz2AQ==<br>
Date: Mon, 17 Oct 2016 10:05:49 +0200<br>
From: "Sender Name" <<a href="mailto:info@example.com" target="_blank">info@example.com</a>><br>
To: <a href="mailto:myotherself@mysite.com" target="_blank">myotherself@mysite.com</a><br>
<br>
<br>
In short: DKIM passes for the non-aligned domain "<a href="http://differentsite.com" rel="noreferrer" target="_blank">differentsite.com</a>" and SPF passes for the non-aligned domain "<a href="http://subdomain.someothersite.com" rel="noreferrer" target="_blank">subdomain.someothersite.com</a>". The From domain has a valid DMARC record and since both DKIM and SPF are non-aligned, I would expect "dmarc=fail" as authentication result of OpenDMARC, however it is "dmarc=none".<br>
<br>
In the aggregate report sent out to <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> everything looks like it's supposed to look (policy recognized, non-alignment of both SPF and DKIM leads to failed policy evaluation, raw results for SPF and DKIM are pass):<br>
<br>
<policy_published><br>
<domain><a href="http://example.com" rel="noreferrer" target="_blank">example.com</a></domain><br>
<adkim>r</adkim><br>
<aspf>r</aspf><br>
<p>none</p><br>
<sp>none</sp><br>
<pct>100</pct><br>
</policy_published><br>
<record><br>
<row><br>
<source_ip>123.123.123.123</s<wbr>ource_ip><br>
<count>1</count><br>
<policy_evaluated><br>
<disposition>none</disposition<wbr>><br>
<dkim>fail</dkim><br>
<spf>fail</spf><br>
</policy_evaluated><br>
</row><br>
<identifiers><br>
<header_from><a href="http://example.com" rel="noreferrer" target="_blank">example.com</a></hea<wbr>der_from><br>
</identifiers><br>
<auth_results><br>
<spf><br>
<domain><a href="http://subdomain.someothersite.com" rel="noreferrer" target="_blank">subdomain.someothersit<wbr>e.com</a></domain><br>
<result>pass</result><br>
</spf><br>
<dkim><br>
<domain><a href="http://differentsite.com" rel="noreferrer" target="_blank">differentsite.com</a></dom<wbr>ain><br>
<result>pass</result><br>
</dkim><br>
</auth_results><br>
</record><br>
<br>
Any ideas?<br>
<br>
Thank you in advance!<br>
Stefan<br>
<br>
PS.: <a href="http://example.com" rel="noreferrer" target="_blank">example.com</a> is actually a sports venue and this is happening with their newsletters and the unsubscribe mail for their newsletter. You can sign up for the newsletter here: <a href="http://www.sportpark-gelsenkirchen.de/infos/newsletter/" rel="noreferrer" target="_blank">http://www.sportpark-gelsenkir<wbr>chen.de/infos/newsletter/</a><br>
______________________________<wbr>_________________<br>
opendmarc-users mailing list<br>
<a href="mailto:opendmarc-users@trusteddomain.org" target="_blank">opendmarc-users@trusteddomain.<wbr>org</a><br>
<a href="http://www.trusteddomain.org/mailman/listinfo/opendmarc-users" rel="noreferrer" target="_blank">http://www.trusteddomain.org/m<wbr>ailman/listinfo/opendmarc-user<wbr>s</a><br>
</blockquote></div><br></div>