SPF of DMARC problem

Bugs in eFa 4
nicola.piazzi
Posts: 372
Joined: 23 Apr 2015 09:45

SPF of DMARC problem

Post by nicola.piazzi » 17 Feb 2021 16:11

I posted about a DMARC problem and I think I found a real bug in OpenDMARC.

OpenDMARC reads the OpenDKIM results from the header, and initially I had not verified it. If I don't verify, OpenDKIM can only use SPF results to validate, but in the header I have no SPF results.

So I put SPFSelfValidate true in the OpenDKIM directives to instruct OpenDKIM to do the SPF check itself,
but I found a lot of messages that have SPF pass in the SpamAssassin check and fail in the OpenDKIM SPF check.

Analyzing those messages, it seems that SPFSelfValidate true makes an SPF verification that fails when it has to resolve INCLUDEs in the TXT record.

This is an example:

Received: from mailX12.eud.schneider-electric.com (mailx12.eud.schneider-electric.com [159.215.248.166])
Authentication-Results: EFA42.gruppocomet.it; dmarc=fail (p=quarantine dis=none) header.from=it.schneider-electric.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=IT-NO-BO-AreaAmministrativa@it.schneider-electric.com
-0.15 SPF_PASS SPF: sender matches SPF record
"v=spf1 include:it.schneider-electric.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2050.outbound.protection.outlook.com [40.107.244.50])
Authentication-Results: EFA42.gruppocomet.it; dmarc=pass (p=reject dis=none) header.from=ra.rockwell.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=PPrymas@ra.rockwell.com
-0.15 SPF_PASS SPF: sender matches SPF record
v=spf1 include:ra.rockwell.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:_netblocks.eloqua.com include:spf.messagelabs.com include:spf.protection.outlook.com -all


Probably we need to fix the bug in the OpenDKIM SPF test, or better, we need to add an SPF test that puts its results into the header. Can MailScanner do this, or does it run after DMARC?
Better, this can be done by Postfix.

I suggest putting the latest OpenDKIM in the next eFa install.
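The two SPF records quoted above carry RFC 7208 macros (`%{i}`, `%{h}`, `%{d}`) inside their `include:` targets. A checker has to expand those macros into a concrete host name before it does the DNS lookup; a checker that sends the literal `include:` string to DNS can only fail, which is the symptom described. The Python below is an added example, not code from the eFa project, OpenDKIM, OpenDMARC or the poster: it implements the RFC 7208 section 7 macro expansion (everything except `%{p}`, which needs a PTR lookup) and shows the names a compliant checker would query for the two records. The client IP, HELO and MAIL FROM are taken from the Received and Authentication-Results lines in the post (the lowercase HELO is my assumption; DNS names are case-insensitive); the code does no DNS at all.

```python
import re
from ipaddress import ip_address
from urllib.parse import quote

# Constructed inputs, copied from the Received / Authentication-Results lines
# quoted in the post; the two records are the TXT records quoted there.
SCHNEIDER_SENDER = "IT-NO-BO-AreaAmministrativa@it.schneider-electric.com"
SCHNEIDER_IP = "159.215.248.166"
SCHNEIDER_HELO = "mailx12.eud.schneider-electric.com"   # assumed lowercase
SCHNEIDER_RECORD = ("v=spf1 include:it.schneider-electric.com._nspf.vali.email "
                    "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")

ROCKWELL_SENDER = "PPrymas@ra.rockwell.com"
ROCKWELL_IP = "40.107.244.50"
ROCKWELL_HELO = "mail-mw2nam12on2050.outbound.protection.outlook.com"
ROCKWELL_RECORD = ("v=spf1 include:ra.rockwell.com._nspf.vali.email "
                   "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email "
                   "include:_netblocks.eloqua.com include:spf.messagelabs.com "
                   "include:spf.protection.outlook.com -all")

# One macro token (RFC 7208 sec. 7.2/7.3): letter, optional digit count, optional
# reverse flag, optional delimiter set; plus the three literal escapes %% %_ %-.
TOKEN_RE = re.compile(r"%\{([slodihvSLODIHV])(\d*)([rR]?)([.\-+,/_=]*)\}|%%|%_|%-")

# One SPF term: optional qualifier, mechanism/modifier name, optional argument.
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)


def expand_macro(spec, sender, domain, ip, helo):
    """Expand the macros in a domain-spec. `domain` is the domain whose record
    is being evaluated (for the top-level record, the MAIL FROM domain)."""
    local, _, sender_domain = sender.partition("@")
    addr = ip_address(ip)
    if addr.version == 4:
        ip_text, version = str(addr), "in-addr"
    else:  # IPv6 expands to 32 dot-separated hex nibbles
        ip_text, version = ".".join(addr.exploded.replace(":", "")), "ip6"
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip_text, "h": helo, "v": version}

    def repl(m):
        tok = m.group(0)
        if tok == "%%":
            return "%"
        if tok == "%_":
            return " "
        if tok == "%-":
            return "%20"
        letter, digits, rev, delims = m.groups()
        split_class = "[" + "".join("\\" + c for c in (delims or ".")) + "]"
        parts = re.split(split_class, values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:  # the count keeps the right-hand parts, after any reversal
            parts = parts[-int(digits):]
        out = ".".join(parts)
        return quote(out, safe="") if letter.isupper() else out  # upper = URL-encoded

    return TOKEN_RE.sub(repl, spec)


def expand_record(record, sender, domain, ip, helo):
    """Return (qualifier, mechanism, raw_target, expanded_target) per term, i.e.
    the exact names a checker must send to DNS for include/exists/a/mx/redirect."""
    out = []
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"malformed SPF term {term!r}")
        qualifier, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        expanded = expand_macro(arg, sender, domain, ip, helo) if arg else None
        out.append((qualifier, mech, arg, expanded))
    return out


def macro_terms(record):
    """Terms a checker without macro support would hand to DNS verbatim."""
    return [t for t in record.split()[1:] if "%{" in t]


if __name__ == "__main__":
    for rec, snd, ip, helo in ((SCHNEIDER_RECORD, SCHNEIDER_SENDER, SCHNEIDER_IP, SCHNEIDER_HELO),
                               (ROCKWELL_RECORD, ROCKWELL_SENDER, ROCKWELL_IP, ROCKWELL_HELO)):
        for q, mech, raw, exp in expand_record(rec, snd, snd.split("@")[1], ip, helo):
            print(f"{q}{mech}: {raw} -> {exp}")
```

The expanded `include:` names are what a working SPF checker looks up; if your checker logs a query containing a literal `%{` it is not expanding macros, and on records like these it will always fail the macro-bearing include and fall through to `~all` or `-all`.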

nicola.piazzi
Posts: 372
Joined: 23 Apr 2015 09:45

Re: SPF of DMARC problem

Post by nicola.piazzi » 17 Feb 2021 17:32

Another solution can be to make Postfix generate the header with the SPF check:

dnf install pypolicyd-spf

but the install fails:
file /usr/bin/spfquery from install of python3-pyspf-2.0.14-8.el8.noarch conflicts with file from package perl-Mail-SPF-Query-1.999.1-1.eFa.el8.noarch

shawniverson
Posts: 3398
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: SPF of DMARC problem

Post by shawniverson » 17 Feb 2021 20:49

I can probably make a package for eFa of pypolicyd-spf for everyone.

Long story short, perl-Mail-SPF-Query was needed in eFa because the stock perl-Mail-SPF, for whatever reason, is missing this submodule. pypolicyd-spf probably has the same module bundled in it.

nicola.piazzi
Posts: 372
Joined: 23 Apr 2015 09:45

Re: SPF of DMARC problem

Post by nicola.piazzi » 18 Feb 2021 07:55

These are my DMARC SpamAssassin rules with a workaround for this problem.
When DMARC passes I give a bonus.
When DMARC fails I check the SPF result that comes from SpamAssassin before giving a real fail; if it passes I assume that it doesn't fail.

header SA_DMARC_NONE Authentication-Results =~ /gruppocomet\.it.+dmarc=none/
describe SA_DMARC_NONE DMARC none
score SA_DMARC_NONE 0.10
header SA_DMARC_PASS Authentication-Results =~ /gruppocomet\.it.+dmarc=pass/
describe SA_DMARC_PASS DMARC check pass
score SA_DMARC_PASS -0.10
header __SA_DMARC_T_FAIL Authentication-Results =~ /gruppocomet\.it.+dmarc=fail/
header __SA_DMARC_D_QUARANTINE Authentication-Results =~ /gruppocomet\.it.+p=quarantine/
header __SA_DMARC_D_REJECT Authentication-Results =~ /gruppocomet\.it.+p=reject/
meta SA_DMARC_PASS_QUARANTINE ( SA_DMARC_PASS && __SA_DMARC_D_QUARANTINE )
describe SA_DMARC_PASS_QUARANTINE DMARC check pass, sender want Quarantine
score SA_DMARC_PASS_QUARANTINE -0.30
meta SA_DMARC_PASS_REJECT ( SA_DMARC_PASS && __SA_DMARC_D_REJECT )
describe SA_DMARC_PASS_REJECT DMARC check pass, sender want Reject
score SA_DMARC_PASS_REJECT -0.60
# Sometimes DMARC fails because of a bug that doesn't recognize particular SPF records with includes,
# so we also require that SpamAssassin's own SPF check did not pass before giving a real fail
meta SA_DMARC_FAIL ( __SA_DMARC_T_FAIL && ! SPF_PASS )
describe SA_DMARC_FAIL DMARC check fail (with spamassassin Spf not pass)
score SA_DMARC_FAIL 0.20
meta SA_DMARC_FAIL_QUARANTINE ( SA_DMARC_FAIL && __SA_DMARC_D_QUARANTINE )
describe SA_DMARC_FAIL_QUARANTINE DMARC check failed, sender want Quarantine
score SA_DMARC_FAIL_QUARANTINE 0.50
meta SA_DMARC_FAIL_REJECT ( SA_DMARC_FAIL && __SA_DMARC_D_REJECT )
describe SA_DMARC_FAIL_REJECT DMARC check failed, sender want Reject
score SA_DMARC_FAIL_REJECT 1.00
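To see what these rules do on the two messages quoted in the first post, and to check one caveat in the regexes, here is a small Python simulation of the header and meta rules. It is an added example, not the poster's rules or eFa code: the first two sets of header values are copied from the post, the forged one is made up for the demonstration, and treating each Authentication-Results instance as matched separately by the `header` regexes is my assumption about SpamAssassin's behaviour (the patterns contain no newlines, so it makes no difference here).

```python
import re

AUTHSERV_ID = r"gruppocomet\.it"  # the authserv-id fragment the posted rules match on

# Scores exactly as given in the posted rules.
SCORES = {
    "SA_DMARC_NONE": 0.10, "SA_DMARC_PASS": -0.10,
    "SA_DMARC_PASS_QUARANTINE": -0.30, "SA_DMARC_PASS_REJECT": -0.60,
    "SA_DMARC_FAIL": 0.20, "SA_DMARC_FAIL_QUARANTINE": 0.50,
    "SA_DMARC_FAIL_REJECT": 1.00,
}


def header_rules(anchored):
    """Regexes of the five `header` rules. anchored=False is the form on the page;
    anchored=True is the tightened form suggested here: the receiver's full
    authserv-id must start the header value."""
    prefix = rf"^EFA42\.{AUTHSERV_ID};.*" if anchored else rf"{AUTHSERV_ID}.+"
    return {
        "SA_DMARC_NONE": prefix + "dmarc=none",
        "SA_DMARC_PASS": prefix + "dmarc=pass",
        "__SA_DMARC_T_FAIL": prefix + "dmarc=fail",
        "__SA_DMARC_D_QUARANTINE": prefix + "p=quarantine",
        "__SA_DMARC_D_REJECT": prefix + "p=reject",
    }


def evaluate(auth_results, sa_spf_pass, anchored=False):
    """auth_results: the Authentication-Results header values of one message.
    sa_spf_pass: whether SpamAssassin's own SPF plugin hit SPF_PASS.
    Returns (sorted names of the scoring rules that hit, total score)."""
    hit = {name: any(re.search(rx, value) for value in auth_results)
           for name, rx in header_rules(anchored).items()}
    # meta rules, combined as on the page
    hit["SA_DMARC_PASS_QUARANTINE"] = hit["SA_DMARC_PASS"] and hit["__SA_DMARC_D_QUARANTINE"]
    hit["SA_DMARC_PASS_REJECT"] = hit["SA_DMARC_PASS"] and hit["__SA_DMARC_D_REJECT"]
    hit["SA_DMARC_FAIL"] = hit["__SA_DMARC_T_FAIL"] and not sa_spf_pass  # the workaround
    hit["SA_DMARC_FAIL_QUARANTINE"] = hit["SA_DMARC_FAIL"] and hit["__SA_DMARC_D_QUARANTINE"]
    hit["SA_DMARC_FAIL_REJECT"] = hit["SA_DMARC_FAIL"] and hit["__SA_DMARC_D_REJECT"]
    scored = sorted(name for name, ok in hit.items() if ok and name in SCORES)
    return scored, round(sum(SCORES[n] for n in scored), 2)


# Constructed header values: SCHNEIDER and ROCKWELL are copied from the post,
# FORGED is a made-up header an upstream host could add before the filter.
SCHNEIDER = [
    "EFA42.gruppocomet.it; dmarc=fail (p=quarantine dis=none) header.from=it.schneider-electric.com",
    "EFA42.gruppocomet.it; spf=fail smtp.mailfrom=IT-NO-BO-AreaAmministrativa@it.schneider-electric.com",
]
ROCKWELL = [
    "EFA42.gruppocomet.it; dmarc=pass (p=reject dis=none) header.from=ra.rockwell.com",
    "EFA42.gruppocomet.it; spf=fail smtp.mailfrom=PPrymas@ra.rockwell.com",
]
FORGED = [
    "mail.attacker.example; spf=pass smtp.mailfrom=x@gruppocomet.it; "
    "dmarc=pass (p=reject dis=none) header.from=ra.rockwell.com",
]

if __name__ == "__main__":
    for label, headers, spf_pass in (("schneider", SCHNEIDER, True),
                                     ("rockwell", ROCKWELL, True),
                                     ("forged", FORGED, False)):
        print(label, evaluate(headers, spf_pass), evaluate(headers, spf_pass, anchored=True))
```

With the workaround, the Schneider message (dmarc=fail but SPF_PASS from SpamAssassin) scores 0 instead of 0.7, and the Rockwell message gets the -0.7 bonus. The caveat: `gruppocomet\.it.+dmarc=pass` is not tied to the authserv-id position, so an Authentication-Results header added by some other host that merely contains that string anywhere before `dmarc=pass` (here in a smtp.mailfrom) earns the same -0.7; the anchored variant does not match it. In either form the bonus is only trustworthy if the border MTA strips inbound Authentication-Results headers that claim your own authserv-id, which is what RFC 8601 section 5 recommends.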
