Hi there lovely gentlepeople,

For years now I've been running with a custom Exim binary that has SPF, DKIM and DMARC support compiled in. I actually reject messages based on failing SPF + failing DKIM /and/ a DMARC policy that states 'reject'. This has worked fine for years. Other than the occasional broken DNS for domains: no issue.

Up until recently, when a corner case was found: it *seems* like Exim's DMARC code(?) deduces the wrong dmarc_domain for certain messages and this seems related to a Resent-From: header. As far as I know, DMARC-checks should *only* consider the 'From:'-header domain during policy checking. Perhaps the search for "From:" is too broad and also finds the Resent-From: instead of /^From:\s/? I don't know yet.

These lines trigger a log message of the DMARC check with -d+all:

| acl_check_data:
| warn
| dmarc_status = accept : none : off

## Example 1

Given these (relevant?) headers from the message:

| Return-path: <owner-test2+ssmeenk=freshdot....@simplelists.com>
| Resent-From: <annou...@nl-ix.net>
| Sender: te...@simplelists.com
| From: "user at somedomain (via test2 list)" <te...@simplelists.com>

Results in these logs:

| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
| ╭considering: $sender_address_domain
| ├──expanding: $sender_address_domain
| ╰─────result: simplelists.com
| ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.nl-ix.net (TXT) succeeded
| DMARC record found for nl-ix.net
| LOG: MAIN
| DMARC results: spf_domain=simplelists.com dmarc_domain=nl-ix.net spf_align=no dkim_align=no enforcement='Reject'

Where did that 'dmarc_domain=nl-ix.net' come from?

## Example 2

Since nl-ix.net as a domain appears in loads of other places in this message I substituted it by my personal domain in just the Resent-From header.
So, same message, headers have Resent-From changed to 'ssme...@freshdot.net':

| Return-path: <owner-test2+ssmeenk=freshdot....@simplelists.com>
| Resent-From: <ssme...@freshdot.net>
| Sender: te...@simplelists.com
| From: "user at somedomain (via test2 list)" <te...@simplelists.com>

Results in this log message:

| processing "warn" (./e4-test.conf 432)
| check dmarc_status = accept : none : off
| ╭considering: $sender_address_domain
| ├──expanding: $sender_address_domain
| ╰─────result: simplelists.com
| ╰──(tainted)
| DMARC using SPF sender domain = simplelists.com
| DMARC adding DKIM sender domain = simplelists.com
| DMARC adding DKIM sender domain = kpn1615564.onmicrosoft.com
| DNS lookup of _dmarc.freshdot.net (TXT) succeeded
| DMARC record found for freshdot.net
| LOG: MAIN
| DMARC results: spf_domain=simplelists.com dmarc_domain=freshdot.net spf_align=no dkim_align=no enforcement='Reject'

Now it shows dmarc_domain=freshdot.net. Weird, 'eh? Should still be 'dmarc_domain=simplelists.com' IMO.

## Example 3

Strangely enough, when I remove the Resent-From header entirely, with this specific test message, the DMARC code logs 'no From: header'???

| Return-path: <owner-test2+ssmeenk=freshdot....@simplelists.com>
| Sender: te...@simplelists.com
| From: "user at somedomain (via test2 list)" <te...@simplelists.com>

| 15:55:37 25276 processing "warn" (./e4-test.conf 432)
| 15:55:37 25276 check dmarc_status = accept : none : off
| 15:55:37 25276 DMARC: no From: header
| 15:55:37 25276 none in "accept : none : off"? yes (matched "none")

But there really is a 'From:'-header in the message!

When I have a more clear and privacy-friendly example to share, I will. Any input is welcome for now!

Thanks in bundles!

-Sander.
--
| Schrödingers cat walks into a bar and doesn't.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
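
An added example, not part of the message above and not Exim's code: a Python cross-check that derives the DMARC domain from the From: header alone and compares it with the dmarc_domain in a "DMARC results:" log line. The headers, log line and example domains are constructed, all function names are hypothetical, and `broad_match_domain` only illustrates the too-broad search the message speculates about.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the post): same header layout, example domains.
SAMPLE_HEADERS = (
    "Return-path: <owner-list@list.example>\n"
    "Resent-From: <announce@resent.example>\n"
    "Sender: list@list.example\n"
    'From: "user at somedomain (via list)" <list@list.example>\n'
)
# Constructed log line in the "DMARC results:" format shown in the post.
SAMPLE_LOG = ("DMARC results: spf_domain=list.example dmarc_domain=resent.example "
              "spf_align=no dkim_align=no enforcement='Reject'")


def from_domain(raw):
    """Domain of the single From: address, or None if there is not exactly one."""
    msg = message_from_string(raw)
    # get_all() matches the whole field name, so Resent-From: is never returned.
    addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if "@" in a]
    if len(addrs) != 1:
        return None
    return addrs[0].rsplit("@", 1)[1].lower()


def broad_match_domain(raw):
    """Hypothetical too-broad search: first line that merely contains 'From:'."""
    for line in raw.splitlines():
        if "From:" in line:
            m = re.search(r"@([A-Za-z0-9.-]+)", line)
            return m.group(1).lower() if m else None
    return None


def check_log(raw, log_line):
    """Return (expected, logged, ok) for one message and its DMARC results line."""
    m = re.search(r"\bdmarc_domain=(\S+)", log_line)
    logged = m.group(1).lower() if m else None
    expected = from_domain(raw)
    # Assumption: a parent of the From: domain also counts as a match, since
    # DMARC policy discovery may fall back to the organizational domain.
    ok = bool(expected and logged) and (
        expected == logged or expected.endswith("." + logged))
    return expected, logged, ok


if __name__ == "__main__":
    print(check_log(SAMPLE_HEADERS, SAMPLE_LOG))
```

Running it over a spool of messages and their debug logs lists every case where the logged dmarc_domain does not follow from the From: header.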