Postfix: Managing Subdomain DMARC, DKIM, and SPF when bounce emails come from the null sender "<>"

Tags: dkim, dmarc, postfix, spf

I have several postfix servers that send mail on behalf of my domain (example.com). When a from address is provided, DKIM and SPF pass properly. However, I noticed in my DMARC notifications there are a number of failing emails being sent from my postfix servers.

Each postfix server maps to a subdomain in our DNS (smtp1.example.com, smtp2.example.com). Reverse lookups are configured at AWS for the sending IP.

When an email bounces, postfix sends the non-delivery notification email to the sender, but it comes from the null sender. These messages seem to fail DKIM AND sometimes SPF because they are sent from MAILER-DAEMON@smtp1.example.com and not MAILER-DAEMON@example.com.

What is the best way to go about managing this? Should I be creating DKIM AND SPF records for each subdomain? Is there a way to customize the mailer-daemon sender in postfix to have it sent from the domain and not the subdomain?


UPDATE:

I figured out that in "/etc/postfix/main.cf" I need to change the $mydomain variable to example.com and set $myorigin to use $mydomain, but DKIM isn't being attached. I use OpenDKIM to apply DKIM to each outgoing mail, but because postfix uses from=<> instead of mailer-daemon@example.com it seems to skip it, though I'm not sure that is the reason.


UPDATE:

I was able to get DKIM to be sent for bounced emails by adding "internal_mail_filter_classes = bounce" to "/etc/postfix/main.cf" as per:

http://www.postfix.org/MILTER_README.html

I am still wondering if this is the best way to go about accomplishing my goal.


UPDATE:

Bounced emails are sent from MAILER-DAEMON@example.com, but the recipient sees the email as sent from smtp1.example.com and signed by example.com. This requires that I have another SPF record configured for smtp1.example.com, and I would prefer not to need this. Bounces should appear as sent by the root domain.

How do I accomplish this?


UPDATE:

Adding email headers and output of postconf -n. I have obfuscated the IP addresses and domain name only. The email was received by a gmail managed domain.

Email Headers

Delivered-To: customerservice@example.com
Received: by 2002:a2e:45d5:0:0:0:0:0 with SMTP id s204-v6csp753516lja;
        Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
X-Google-Smtp-Source: ACcGV62LaRKlAeJoVcCqIQRgHXwen7bLAev7n/gyBtIF7yWMLpmgBaL1q8D3Qm0zEMcDjPEmCjCz
X-Received: by 2002:a0c:a9d2:: with SMTP id c18-v6mr54933qvb.191.1537984791474;
        Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1537984791; cv=none;
        d=google.com; s=arc-20160816;
        b=0LNTMB+qiHPz1eHGcLyPLE1FcSmW30xptS1xcbd9Vmy1Wdx3/tg96AUrAeuoDSznHE
         b96zAG+sJHLASokmbete92FHI1G8rD8PgjH/IUCJ48Tl6fBZwkdKU7AGYAJ/2TTCBAuV
         V5qcBCIuomDpUVXLeDNYSpTPEpAtaUrm+l5S3wIkZXlyzTsEL9utiVdoKTmYNcyXzM53
         afDdaokbJdrmm6h904P49QEgm1/76LVyjh3QvpzVmVkmz7bsRleBypROkS4GERE0UD87
         ZVEKMlCkVw8y2lUJwx8OvYTIALGHLsrjHk3cICv8uCsCQleDeMK+Y7mxJ4og8isdmEJm
         aNTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=message-id:mime-version:auto-submitted:to:subject:from:date
         :dkim-signature;
        bh=/kHg6GHVOA4im8+tNe6f5EdTttqwbtTK3EvxVBpLPe0=;
        b=VNuEQyKlo1YCgSBznYzBqNzJzJHaTqIxYzzEOhVfWH7KP4IdBvSQ5nwbigujfhq+a1
         ch04W6nNbOaeTvC6hRdztL+Qw+lria0hOIx6eo3Hc8swQseAv6+iKh8hwbL4DM1tr84l
         wDmcPy808/tamGIBHacA1vhe7LU1ZWhaFmBcynllMaLXJDxDsJuZc2pAfQe3cu+1da0h
         twdEY+fYo8tVlVC/A0fb6iedP57tYygfg1LMSZhOxqwWiFDuNsOOn2Px0geyYcHWiyTj
         uZEtS4L1nfYr2J2tbeZsHMzrjPkM4etZMK52duSiNpMZnV0CN4dioHQcSskrik8Jgnmh
         Ki/g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=example header.b="Kh/wMFFv";
       spf=pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <>
Received: from smtp1.example.com (smtp1.example.com. [<IP-Address>])
        by mx.google.com with ESMTPS id 144-v6si4528390qkh.294.2018.09.26.10.59.51
        for <customerservice@example.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 26 Sep 2018 10:59:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) client-ip=<IP-Address>;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=example header.b="Kh/wMFFv";
       spf=pass (google.com: domain of postmaster@smtp1.example.com designates <IP-Address> as permitted sender) smtp.helo=smtp1.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Received: by smtp1.example.com (Postfix) id 1CEE260DBC; Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=example; t=1537984791; bh=DalucSR/izsrTI/4cwdDwKrGi8R0OywUerOF7byykLI=; h=Date:From:Subject:To; b=Kh/wMFFvEE/uPx/7qKnYVZZACU6zzLl9S+Jwr1hXSBhIg0mfkqpVXgxvhUxqNkJXw
     xIPvmuJU9ERlA5RqT+xUC3y4kkxIbig6gBogUEFtOkbp1bNj+yWEKxcFpHJXEnDneP
     Na3dzhGZScaUK83sKEPMFkjubyiPR/6uoc5zcEVc=
Date: Wed, 26 Sep 2018 17:59:51 +0000 (UTC)
From: Mail Delivery System <MAILER-DAEMON@example.com>
Subject: Undelivered Mail Returned to Sender
To: customerservice@example.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="DF7BD600B7.1537984791/smtp1.example.com"
Message-Id: <20180926175951.1CEE260DBC@smtp1.example.com>

Output of postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_notice_recipient = mailer-daemon@example.com
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = localhost
inet_protocols = ipv4
internal_mail_filter_classes = bounce
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
milter_protocol = 2
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.com
myhostname = smtp1.example.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_milters = inet:127.0.0.1:8891

Best Answer

As Michael has mentioned, the empty Return-Path <> is recommended for NDR mails. As you've experienced, a lot of MTAs decide whether to apply DKIM signatures based on this header. This resulted in missing DKIM signatures, which you've been able to resolve.

SPF falls back to the HELO/EHLO domain if the Return-Path is missing, as stated in the spec:

http://www.openspf.org/svn/project/specs/rfc4408.txt

For example, if the reverse-path was null, then the EHLO/HELO domain is used, with its associated problems (see Section 2.1)

If your main question is how to get DMARC alignment on these mails, it suffices to make sure you apply DKIM to the NDR mails. In that situation you're not required to set up individual SPF records for the smtp subdomains. This is advised to prevent losing NDR mails for non-DMARC-supporting receivers.

If you have a long list of SMTP servers you could also publish a wildcard SPF which allows your IP addresses specifically.

Does this help you?

Regards,

Michiel

DMARC Analyzer
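To make the answer's point concrete (DKIM alignment carries the bounce, while SPF is only evaluated against the HELO name smtp1.example.com because the envelope sender is empty), here is an added example, not part of the question or answer, that reads the Authentication-Results header of such a bounce and works out DMARC alignment under relaxed and strict policy. The sample headers are constructed to mirror the ones posted above (placeholder IP, no real signatures), and the organizational-domain logic assumes "last two labels" instead of consulting the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the bounce headers in the question;
# the IP and signature values are placeholders, not the original message.
SAMPLE = """\
Return-Path: <>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=example header.b="Kh/wMFFv";
       spf=pass (google.com: domain of postmaster@smtp1.example.com designates 192.0.2.10 as permitted sender) smtp.helo=smtp1.example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: Mail Delivery System <MAILER-DAEMON@example.com>
Subject: Undelivered Mail Returned to Sender

"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identity, from_domain, mode):
    if not identity:
        return False
    if mode == "s":                                   # strict: exact match
        return identity.lower() == from_domain.lower()
    return org_domain(identity) == org_domain(from_domain)  # relaxed

def parse_auth_results(value):
    # Unfold the header, then split into "method=result props..." clauses.
    text = re.sub(r"\s+", " ", value)
    results = {}
    for clause in text.split(";")[1:]:               # [0] is the authserv-id
        m = re.match(r"(dkim|spf|dmarc)=(\w+)", clause.strip())
        if m:
            props = dict(re.findall(r"(header\.\w+|smtp\.\w+)=(\S+)", clause))
            results[m.group(1)] = (m.group(2), props)
    return results

def dmarc_alignment(raw, adkim="r", aspf="r"):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    res = parse_auth_results(msg["Authentication-Results"])
    dkim_res, dkim_props = res.get("dkim", ("none", {}))
    spf_res, spf_props = res.get("spf", ("none", {}))
    dkim_domain = dkim_props.get("header.d") or dkim_props.get("header.i", "").split("@")[-1]
    # SPF identity: MAIL FROM when present; a null sender leaves only the HELO name.
    if "smtp.mailfrom" in spf_props:
        spf_identity, spf_scope = spf_props["smtp.mailfrom"].split("@")[-1], "mailfrom"
    else:
        spf_identity, spf_scope = spf_props.get("smtp.helo", ""), "helo"
    dkim_ok = dkim_res == "pass" and aligned(dkim_domain, from_domain, adkim)
    spf_ok = spf_res == "pass" and aligned(spf_identity, from_domain, aspf)
    return {"from_domain": from_domain, "dkim_domain": dkim_domain,
            "spf_identity": spf_identity, "spf_scope": spf_scope,
            "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}
```

With the default relaxed policy both identifiers align; with aspf=s the HELO-based SPF result no longer aligns and only the DKIM signature keeps the bounce passing, which is why signing NDRs matters more than per-subdomain SPF records.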