I use opendmarc as a milter with postfix 2.9.6 on a Debian wheezy machine. When sending email from the server, it always shows the following header in all outgoing mails:
Authentication-Results: mail; dmarc=fail header.from=domain.com
While using opendmarc-check to check the DMARC record of domain.com, the result is:
DMARC record for domain.com:
Sample percentage: 100
DKIM alignment: relaxed
SPF alignment: relaxed
Domain policy: reject
Subdomain policy: unspecified
Aggregate report URIs:
mailto:postmaster@domain.com
Forensic report URIs:
(none)
My postfix main.cf is as follows: (8891 is for opendkim, 8893 is for opendmarc)
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891 inet:localhost:8893
non_smtpd_milters = inet:localhost:8891 inet:localhost:8893
and I am using postfix-policyd-spf-python also.
Please attach a sample message that fails, and your opendmarc.conf file.
I'm experiencing the same (that is, outgoing mails are reported as dmarc failed on my outgoing mailserver).
Nov 09 19:40:22 [opendkim] E85627299EF: DKIM-Signature field added (s=mail.vlh.dk, d=vlh.dk)
Nov 09 19:40:22 [opendmarc] E85627299EF: vlh.dk fail
Nov 09 19:40:23 [postfix/qmgr] E85627299EF: from=kibs@vlh.dk, size=2670, nrcpt=1 (queue active)
It's marked as passed at the receiving end though (i.e. Google)
Received: from mail.vlh.dk (0607ds1-vo.3.fullrate.dk. [90.185.140.30])
        by mx.google.com with ESMTP id h8si6258390lah.22.2013.11.09.11.54.24
        for k.sindalsen@gmail.com;
        Sat, 09 Nov 2013 11:54:24 -0800 (PST)
Received-SPF: pass (google.com: domain of kibs@vlh.dk designates 90.185.140.30 as permitted sender) client-ip=90.185.140.30;
Authentication-Results: mx.google.com;
        spf=pass (google.com: domain of kibs@vlh.dk designates 90.185.140.30 as permitted sender) smtp.mail=kibs@vlh.dk;
        dkim=pass header.i=@vlh.dk;
        dmarc=pass (p=REJECT dis=NONE) header.from=vlh.dk
Incoming mail seems to get tested/flagged fine though:
Nov 09 17:22:42 [opendkim] A9F3F11F95: DKIM verification successful
Nov 09 17:22:42 [opendkim] A9F3F11F95: DKIM reputation: 0
Nov 09 17:22:42 [opendmarc] A9F3F11F95: dmarcanalyzer.com pass
Attached some files.
Looking at opendmarc.dat it seems that it's SPF that fails:
job 879E114782
reporter mail.vlh.dk
received 1384081003
ipaddr 2001:470:28:4a6:885a:5cf4:4738:abb
from vlh.dk
mfrom vlh.dk
spf -1
pdomain vlh.dk
policy 16
rua mailto:admin@vlh.dk
pct 100
adkim 114
aspf 114
p 114
sp 0
align_dkim 5
align_spf 5
action 2
Edit:
I changed my Postfix master.cf
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=unix:/var/run/opendkim/opendkim.sock
It allows authenticated users to send on port 587 - and the mail is only processed through OpenDKIM to have signature added.
I don't think OpenDMARC should process outgoing mails?
Last edit: Kim Buchardt Sindalsen 2013-11-10
You should add your internal networks/hostnames/domains to the IgnoreHosts file. See opendmarc.conf(5) for more information.
Did that work? I'd like to close this out ASAP unless there's an outstanding problem.
It seems to be working for me - tried adding my local ip-ranges (ipv4 & ipv6) and it seems to leave my outgoing mail alone.
So works for me :)
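An added example, not part of the original thread or of OpenDMARC: a small log check for the symptom discussed above. It correlates mail log lines by queue ID and reports messages that opendkim signed (so they originated locally) and that opendmarc also evaluated, which indicates the submitting client is not covered by IgnoreHosts. The sample log is constructed from the lines quoted in the thread; the function name and the assumption that the log uses the quoted `[service] QUEUEID: message` layout are mine.

```python
import re

# Constructed sample, reusing the log lines quoted earlier in the thread.
SAMPLE_LOG = """\
Nov 09 19:40:22 [opendkim] E85627299EF: DKIM-Signature field added (s=mail.vlh.dk, d=vlh.dk)
Nov 09 19:40:22 [opendmarc] E85627299EF: vlh.dk fail
Nov 09 19:40:23 [postfix/qmgr] E85627299EF: from=kibs@vlh.dk, size=2670, nrcpt=1 (queue active)
Nov 09 17:22:42 [opendkim] A9F3F11F95: DKIM verification successful
Nov 09 17:22:42 [opendmarc] A9F3F11F95: dmarcanalyzer.com pass
"""

# "[service] QUEUEID: message" as it appears in the quoted log lines.
LINE = re.compile(r"\[(?P<svc>[^\]]+)\]\s+(?P<qid>\w+):\s+(?P<msg>.*)$")
# opendkim line written when it signs a message (outbound mail).
SIGNED = re.compile(r"DKIM-Signature field added \(s=[^,]+, d=(?P<d>[^)]+)\)")
# opendmarc verdict line: "<domain> <result>".
VERDICT = re.compile(r"^(?P<dom>\S+) (?P<res>\S+)$")


def outbound_evaluated(log_text):
    """Return [(queue_id, signing_domain, dmarc_result)] for messages that
    opendkim signed and opendmarc also evaluated."""
    signed, verdicts = {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, msg = m.group("svc"), m.group("qid"), m.group("msg")
        if svc == "opendkim":
            s = SIGNED.search(msg)
            if s:
                signed[qid] = s.group("d")
        elif svc == "opendmarc":
            v = VERDICT.match(msg)
            if v:
                verdicts[qid] = v.group("res")
    # Only queue IDs seen in both maps are outbound mail that was DMARC-checked.
    return [(q, signed[q], verdicts[q]) for q in sorted(signed) if q in verdicts]


if __name__ == "__main__":
    for qid, domain, result in outbound_evaluated(SAMPLE_LOG):
        print(f"{qid}: signed for {domain}, opendmarc result {result}")
```

An empty result after the IgnoreHosts change means opendmarc is no longer evaluating locally submitted mail.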