SPF of DMARC problem
Posted: 17 Feb 2021 16:11
I posted about a DMARC problem and I think I have found a real bug in opendmarc.
Opendmarc reads opendkim results from the header, and initially I had not verified it. If I don't make a verify, opendkim can only use SPF results to validate, but in the header I have no SPF results.
So I put SPFSelfValidate true in the opendkim directives to instruct opendkim to do the SPF check itself.
But I found a lot of messages that have SPF pass in the spamassassin check and fail in the opendkim SPF check.
Analyzing those messages, it seems that SPFSelfValidate true makes an SPF verification that fails when it has to resolve the INCLUDES in the TXT record.
This is an example:
Received: from mailX12.eud.schneider-electric.com (mailx12.eud.schneider-electric.com [159.215.248.166])
Authentication-Results: EFA42.gruppocomet.it; dmarc=fail (p=quarantine dis=none) header.from=it.schneider-electric.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=IT-NO-BO-AreaAmministrativa@it.schneider-electric.com
-0.15 SPF_PASS SPF: sender matches SPF record
"v=spf1 include:it.schneider-electric.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2050.outbound.protection.outlook.com [40.107.244.50])
Authentication-Results: EFA42.gruppocomet.it; dmarc=pass (p=reject dis=none) header.from=ra.rockwell.com
Authentication-Results: EFA42.gruppocomet.it; spf=fail smtp.mailfrom=PPrymas@ra.rockwell.com
-0.15 SPF_PASS SPF: sender matches SPF record
v=spf1 include:ra.rockwell.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:_netblocks.eloqua.com include:spf.messagelabs.com include:spf.protection.outlook.com -all
Probably we need to resolve the bug in the opendkim SPF test, OR better, we need to add an SPF test that puts results into the header. Can mailscanner do this, or does it run after DMARC?
Better, it can be done by postfix.
I suggest putting the latest opendkim in the next EFA install.
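
Both SPF records quoted in the post above use macros inside an `include:` mechanism. The following is an added example, not part of the original post and not OpenDMARC or SpamAssassin code: it expands such a domain-spec per RFC 7208 section 7 using the values from the first quoted message, giving the DNS name a validator has to query for that include. The function names are illustrative, and taking the first name on the Received line as the HELO identity is an assumption.

```python
import ipaddress
import re
from urllib.parse import quote

# %{letter[digits][r][delimiters]} or the literals %%, %_ and %-
MACRO = re.compile(r"%(?:\{([a-zA-Z])(\d*)([rR]?)([.\-+,/_=]*)\}|([%_\-]))")
LITERALS = {"%": "%", "_": " ", "-": "%20"}

def ip_macro(ip):
    """%{i}: dotted quad for IPv4, dot-separated nibbles for IPv6."""
    addr = ipaddress.ip_address(ip)
    return str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))

def expand(spec, ip, sender, helo, domain):
    """Expand the macros in an SPF domain-spec (RFC 7208 section 7)."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": sender_domain,
              "d": domain, "i": ip_macro(ip), "h": helo,
              "v": "in-addr" if ":" not in ip else "ip6"}

    def repl(match):
        letter, digits, rev, delims, literal = match.groups()
        if literal:
            return LITERALS[literal]
        if letter.lower() not in values:  # p, c, r, t are left out here
            raise ValueError(f"macro letter {letter!r} not handled")
        parts = re.split("[" + re.escape(delims or ".") + "]",
                         values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            if int(digits) < 1:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]  # keep the right-most N parts
        out = ".".join(parts)
        return quote(out, safe="") if letter.isupper() else out

    if "%" in MACRO.sub("", spec):  # a '%' that is not part of a valid macro
        raise ValueError("malformed macro in " + spec)
    return MACRO.sub(repl, spec)

# Values copied from the first quoted message (HELO assumed from Received).
IP = "159.215.248.166"
HELO = "mailX12.eud.schneider-electric.com"
SENDER = "IT-NO-BO-AreaAmministrativa@it.schneider-electric.com"
SPEC = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"

if __name__ == "__main__":
    print(expand(SPEC, IP, SENDER, HELO, "it.schneider-electric.com"))
```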