Re: dmarc=fail: sendmail, spf, dkim and opendmarc

On 12.11.2024 um 21:58 Uhr Wolfgang Agnes wrote:

Marco Moock <mm+usenet-es@dorfdsl.de> writes:
 

On 12.11.2024 um 14:56 Uhr Wolfgang Agnes wrote:
 

This is long because I had LogLevel=15.  You'll see below that
opendmarc adds the authentication-results header with a failure,
but the spf and dkim headers appear to be correct.  I show these
two relevant log lines first and then I show the entire set of log
lines in case it's useful. 

>
If you send outgoing mail, neither SPF nor DMARC must be checked
because they fail by design in this situation. 

 
Can you elaborate?

The SPF record of a domain includes IP addresses of the outgoing mail
servers. Your users have other IP addresses from anywhere in the world.
They use authentication to proof their identity. Maybe there are
milters to map such an identity to an email address, so address forging
can be prevented.

SPF doesn't work for that.

DMARC needs DKIM and SPF to work and is intended for incoming mail. As
there is no Authentication-Results SPF header when mail is being
submitted, DMARC makes no sense here. If there is already a DKIM
signature, it could verify the policy, but that makes no sense in that
situation.
 

You need to configure the dmarc milter not to check if the mail is
being submitted from your clients (e.g. because they use auth or
come from your own IP ranges).
Sadly, I cannot tell you how to configure it to do that, I had the
same problem and I am currently not using any SPF nor dmarc
milters. 

 
Thanks!  We've got IgnoreAuthenticatedClients, which eliminates ``the
problem''.  With this option enabled, OpenDMARC now only says it
acccepts the message---no questions asked.

Thanks!
I was searching for that and didn't find it.



--
kind regards
Marco

Send spam to 1731445095muell@cartoonies.org