Why is the opendmarc failing pretty much everything that comes through

dkimdmarcpostfixspf

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:

example.com.                    600 IN  MX  1 mail.morpheu5.net.
example.com.                    600 IN  TXT "v=spf1 a mx -all"
_dmarc.example.com.         600 IN  TXT "v=DMARC1; p=none; rua=mailto:postmaster@example.com; ruf=mailto:postmaster@example.com; sp=none; ri=86400"
mail._domainkey.example.com.    600 IN  TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"

mail.morpheu5.net is the local host/domain/thing for my postfix, and I'm managing example.com as a virtual domain. I'm running OpenDKIM and OpenDMARC as milters — SpamAssassin too, but that's working alright.

OpenDKIM is working fine, all the messages get signed correctly and Gmail even shows the little "Signed by: example.com" and confirmation of standard encryption (TLS). In fact, if I inspect the original message, in Gmail, I get the following:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <xxxxx@example.com>
Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28])
        by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43
        for <xxxxx@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 31 Oct 2018 08:01:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example.com header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of xxxxx@example.com designates 79.137.83.28 as permitted sender) smtp.mailfrom=xxxxx@example.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

which, if I read it correctly, tells me that

  • my SPF policy is OK (example.com designates mail.morpheu5.net as permitted sender),
  • my DKIM signature is valid (sign that OpenDKIM is working fine), and
  • my DMARC record is valid and the two previous checks passed.

Further down, if I inspect the headers generated by my own MTA, I see the following

DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND
     rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U
     1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
                                           ^^^^^^^^^^- WHAT?!

That in itself is confusing, because it seems that OpenDMARC is running even for outgoing mail (remember, I sent this message from xxxxx@example.com to xxxxx@gmail.com). This however could be because of how I'm running the milter. This is the relevant bit in postfix's main.cf:

smtpd_milters =     inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
                    ^- SpamAssassin                  ^- OpenDMARC        ^- OpenDKIM

I'm open to suggestions on this.

What is really driving me insane, though, is that OpenDMARC is failing pretty much everything that comes in through the door. This is a message I sent from another domain (that I have set up in a similar way to example.com)

Return-Path: <xxxxx@example.com>
Delivered-To: yyyyy@unijobs.it
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id t10hEf7J2Vu3BQAAl2tFQA
    (envelope-from <xxxxx@example.com>)
    for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:58 +0000
Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB
    for <yyyyy@unijobs.it>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=mail; t=1540999678;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    h=From:Subject:Date:To:From;
    b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG
     yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv
     GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
From: "example.com" <xxxxx@example.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: 
Message-Id: <D3CC846F-19E8-4554-9990-1753D4E738E3@example.com>
Date: Wed, 31 Oct 2018 15:27:57 +0000
To: yyyyy@unijobs.it

They are both served by the same postfix install, so draw your own conclusions. The only thing I see in the logs is a very laconic

Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail

So I figured I must have screwed up something while delivering the message. I then sent one from my gmail.com address and lo and behold

Return-Path: <zzzzz@gmail.com>
Delivered-To: xxxxx@example.com
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id 3P0+CTjL2Vu7BQAAl2tFQA
    (envelope-from <zzzzz@gmail.com>)
    for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:12 +0000
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB
    for <xxxxx@example.com>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net;
    dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Yrnjbum2"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com
Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5
        for <xxxxx@example.com>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy
         YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq
         grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm
         4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh
         s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM
         8O7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A
         6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8
         vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP
         n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV
         nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r
         NXUA==
X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma
    iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ==
X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM=
X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833;
 Wed, 31 Oct 2018 08:33:09 -0700 (PDT)
MIME-Version: 1.0
From: Andrea Franceschini <zzzzz@gmail.com>
Date: Wed, 31 Oct 2018 15:32:32 +0000
Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com>
Subject: 
To: xxxxx@example.com
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY,
    URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b

and this is what shows up in the logs

Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail

Please also note that SpamAssassin computed a bunch of DKIM scores for this message, while this did not happen before, so… time for more config files!

OpenDKIM to begin with

PidFile             /var/run/opendkim/opendkim.pid
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
OversignHeaders     From
QueryCache          yes
AutoRestart         Yes

KeyTable seems OK to me

mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem

I also have wildcard signing

*@unijobs.it mail._domainkey.unijobs.it
*@example.com mail._domainkey.example.com

and these as trusted hosts

127.0.0.1
::1
172.17.0.0/16
172.18.0.0/16

OpenDMARC is configured like this

AuthservID      mail.morpheu5.net
HistoryFile     /var/spool/opendmarc/opendmarc.dat
IgnoreHosts     /etc/opendmarc/ignore.hosts
RejectFailures  false
Socket          inet:8893@localhost
SoftwareHeader  true
Syslog          true
UMask           007
UserID          opendmarc:mail

With the following in ignore.hosts

localhost
172.17.0.0/16
172.18.0.0/16

So… why does OpenDMARC fails pretty much everything that comes through the door?

EDIT I ran opendmarc -t on one of these messages and the worst that happens is

opendmarc: mlfi_connect() returned SMFIS_ACCEPT

if I run it with the my custom config file, and

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com'
opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

if I don't specify my custom config file (which is in a weird location because reasons).

EDIT Gmail now passes SPF, DKIM, and eventually opendmarc gives it a pass. Not sure what happened.

EDIT Follow-up: What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?

Best Answer

I also had this issue recently. In my case I managed to resolve it by adding the following to /etc/opendmarc.conf:

IgnoreAuthenticatedClients true

man opendmarc.conf has this to say about it:

IgnoreAuthenticatedClients (Boolean)
   If set, causes mail from authenticated clients (i.e., those that used SMTP AUTH) to be
   ignored by the filter.  The  default  is "false".

which is exactly what I wanted. I only allow external connections to the SMTP via secure connections. Now opendmarc leaves my outgoing email alone.

Related Topic