Hi, I have been playing and learning DKIM myself lately. On quick glance I would say mail.example.com is not the same as example.com.
When you look up the DNS record it is set for both domains ? Also if on linux, did you setup opendkim conf file to check for mail from both example.com and mail.example.com ? This is in my main.cf. smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept milter_protocol = 6 Not sure I am any help but… -ALF -Angelo Fazzina Operating Systems Programmer / Analyst University of Connecticut, UITS, SSG, Server Systems 860-486-9075 From: owner-postfix-us...@postfix.org<mailto:owner-postfix-us...@postfix.org> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Ian Evans Sent: Thursday, April 20, 2017 3:36 PM To: postfix-users@postfix.org<mailto:postfix-users@postfix.org> postfix <postfix-users@postfix.org<mailto:postfix-users@postfix.org>> Subject: dmarc fail on internal emails I apologize for cross-posting this here but a) the opendmarc list seems to be very low volume and I'm wondering if a reader on this busier list has come across this, b) not sure if the mechanism of internal emails and testing is different than if postfix is sending externally and c) clutching at straws here. Installed opendmarc last week in my postfix/amavis-new environment and all seemed to be working quite well. If I send a message from us...@example.com<mailto:us...@example.com> to a gmail address and check the headers, I get a pass on the dmarc check. If I send an internal email from us...@example.com<mailto:us...@example.com> to us...@example.com<mailto:us...@example.com>, I get a dmarc fail. Any idea where I should be checking first? Authentication-Results: amavis.local (amavisd-new); dkim=pass (1024-bit key) header.d=example.com<http://example.com> Received: from mail.example.com<http://mail.example.com> ([127.0.0.1]) by localhost (mail.example.com<http://mail.example.com> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ved6pUoj-cwl for <ianev...@example.com<mailto:ianev...@example.com>>; Thu, 20 Apr 2017 14:25:34 -0400 (EDT) Received: from [10.254.248.55] (unknown [69.42.191.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: feedb...@example.com<mailto:feedb...@example.com>) by mail.example.com<http://mail.example.com> (Postfix) with ESMTPSA id 0F56E2009D7 for <ianev...@example.com<mailto:ianev...@example.com>>; Thu, 20 Apr 2017 14:25:34 -0400 (EDT) DMARC-Filter: OpenDMARC Filter v1.2.0 mail.example.com<http://mail.example.com> 0F56E2009D7 Authentication-Results: mail.example.com<http://mail.example.com>; dmarc=fail header.from=example.com<http://example.com> postconf -n: alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no broken_sasl_auth_clients = yes config_directory = /etc/postfix content_filter = smtp-amavis:[127.0.0.1]:10024 home_mailbox = Maildir/ inet_interfaces = all inet_protocols = ipv4 mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" mailbox_size_limit = 0 message_size_limit = 104857600 milter_default_action = accept milter_protocol = 6 myhostname = carson.example.com<http://carson.example.com> mynetworks = 127.0.0.0/8<http://127.0.0.0/8> [::ffff:127.0.0.0]/104 [::1]/128 myorigin = /etc/mailname non_smtpd_milters = inet:localhost:12345,inet:localhost:54321 policy-spf_time_limit = 3600s readme_directory = no recipient_bcc_maps = hash:/etc/postfix/recipient_bcc recipient_delimiter = + relayhost = smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_use_tls = yes smtpd_banner = carson.example.com<http://carson.example.com> ESMTP $mail_name (Ubuntu) smtpd_milters = inet:localhost:12345,inet:localhost:54321 smtpd_recipient_restrictions = reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policy-spf,reject_rbl_client zen.spamhaus.org<http://zen.spamhaus.org>,reject_rbl_client bl.spamcop.net<http://bl.spamcop.net>,reject_rbl_client cbl.abuseat.org<http://cbl.abuseat.org>,check_policy_service inet:127.0.0.1:10023<http://127.0.0.1:10023> smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,defer_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = yes smtpd_sasl_local_domain = $myhostname smtpd_sasl_path = private/dovecot-auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/valid_senders, reject_unknown_sender_domain smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtpd_tls_ask_ccert = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem<http://example.com/fullchain.pem> smtpd_tls_ciphers = high smtpd_tls_exclude_ciphers = EXPORT smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem<http://example.com/privkey.pem> smtpd_tls_loglevel = 1 smtpd_tls_mandatory_ciphers = medium smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_protocols = !SSLv2, !SSLv3 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport virtual_alias_maps = hash:/etc/postfix/virtual virtual_gid_maps = static:5000 virtual_mailbox_base = /home/vmail virtual_mailbox_domains = example.com<http://example.com> virtual_mailbox_limit = 0 virtual_mailbox_maps = hash:/etc/postfix/vmaps virtual_minimum_uid = 1000 virtual_transport = lmtp:unix:private/dovecot-lmtp virtual_uid_maps = static:5000 Thanks.
