This bug appears to have spawned from the fix for #131. It just so happens I was doing testing with a similar Amazon email and stumbled upon this.
It is possible to pass the DMARC check for a DMARC-protected domain with a maliciously crafted email carrying multiple DKIM signatures. This affects libopendmarc only, because the opendmarc milter does not send non-passing signature results to the SDK.
All that is needed is one failing DKIM signature whose domain matches the From: domain, followed by one passing signature for any other domain.
Example:
opendmarc_policy_store_from_domain marketplace.amazon.de
opendmarc_policy_store_spf example.org PASS
opendmarc_policy_store_dkim amazon.de FAIL
opendmarc_policy_store_dkim example.org PASS
This will incorrectly result in a DMARC pass.
The root cause is in the second call to opendmarc_policy_store_dkim: its domain matches the From: domain neither exactly nor as a subdomain, and because the previously stored dkim_outcome is not a pass, the function skips the alignment check and falls through to the set_final label. There it sets dkim_outcome to pass for the previously stored dkim_domain, in this case amazon.de, which allows the message to pass validation.
As the documentation for opendmarc_policy_store_dkim states: "You may feed this function results from multiple DKIM signatures. This function will select the most successful check from among those that align with the header From: domain."
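The following is an added example, not libopendmarc's code: a minimal model of the documented selection rule applied to the sequence above, showing that a non-aligned PASS must never override an aligned FAIL. Alignment is simplified to an exact or subdomain match (an assumption of this model) rather than libopendmarc's public-suffix based organizational-domain comparison.

```c
#include <string.h>
#include <strings.h>   /* strcasecmp */

typedef enum { DKIM_FAIL = 0, DKIM_PASS = 1 } dkim_result;
struct dkim_sig { const char *domain; dkim_result result; };

/* Simplified relaxed alignment (an assumption of this model): aligned when the
 * domains are equal or one is a subdomain of the other at a label boundary.
 * libopendmarc itself compares organizational domains via the public suffix list. */
int dkim_aligned(const char *from, const char *d)
{
    size_t lf = strlen(from), ld = strlen(d);
    if (strcasecmp(from, d) == 0)
        return 1;
    if (lf > ld && from[lf - ld - 1] == '.' && strcasecmp(from + lf - ld, d) == 0)
        return 1;                      /* marketplace.amazon.de vs amazon.de */
    if (ld > lf && d[ld - lf - 1] == '.' && strcasecmp(d + ld - lf, from) == 0)
        return 1;
    return 0;
}

/* The documented rule: keep the most successful result among signatures whose
 * d= aligns with the From: domain. A non-aligned signature never changes the
 * outcome, so it cannot overwrite an aligned FAIL with a PASS. */
dkim_result dkim_aligned_outcome(const char *from, const struct dkim_sig *sigs, size_t n)
{
    dkim_result best = DKIM_FAIL;      /* no aligned signature at all is a FAIL */
    for (size_t i = 0; i < n; i++) {
        if (!dkim_aligned(from, sigs[i].domain))
            continue;                  /* example.org PASS is ignored here */
        if (sigs[i].result > best)
            best = sigs[i].result;
    }
    return best;
}

/* The sequence from the report: aligned amazon.de FAIL, then unrelated example.org PASS. */
dkim_result issue_sequence(void)
{
    const struct dkim_sig sigs[] = { { "amazon.de", DKIM_FAIL }, { "example.org", DKIM_PASS } };
    return dkim_aligned_outcome("marketplace.amazon.de", sigs, 2);  /* DKIM_FAIL, not PASS */
}

/* Same message with a genuinely aligned passing signature appended. */
dkim_result aligned_pass_sequence(void)
{
    const struct dkim_sig sigs[] = { { "amazon.de", DKIM_FAIL }, { "example.org", DKIM_PASS },
                                     { "amazon.de", DKIM_PASS } };
    return dkim_aligned_outcome("marketplace.amazon.de", sigs, 3);  /* DKIM_PASS */
}
```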
To fix this bug, we used the attached patch.