On 27/04/2021 19:33, Bill Cole wrote:
[TBird goofy URL-ification of everything left intact because I'm too lazy to fix someone else's MUA garbage]

Yes, sorry.  For some purposes it would be better that I use mutt.
For work (where I am now), compatibility
with others leaves me using thunderbird most of the time.
Life is full of compromises...

Thanks for the line-by-line interpretation.  Given the above,
I'll ask a couple questions here:

    * yes, 1&1 is being annoying, I don't think I can change them...
    * Your p27.eu remark is likely the key

So you note "This perfectly valid signature is useless for DMARC unless the
From header address is in p27.eu."   And, indeed, nantes-m1.p27.eu is MX for
p27.eu and for mobilitains.fr.  I'd understood that DKIM/DMARC should match
the MX hosts name, but it appears I've misunderstood.  It sounds like you're
suggesting I should set up separate DKIM signing for mobilitains.fr.
(I think I said that poorly.)

I'll go back and read the docs again in the morning.

Many thanks, though, for pointing to that anomaly.

Jeff / p27.eu


On 26 Apr 2021, at 9:13, Jeff Abrahamson wrote:

    ARC-Authentication-Results: i=1; mx.google.com;
           dkim=pass header.i=@p27.eu header.s=mail header.b=mQXXt3xe;

Google confirms that there's a good DKIM signature by/for p27.eu.

           spf=neutral (google.com: 217.72.192.73 is neither permitted nor denied by best guess record for domain of bonj...@simonpapon.com) smtp.mailfrom=bonj...@simonpapon.com;

Kinky. 1&1 seems to be replacing the original envelope sender with the intermediate address. That should be fun for bounces... In any case, SPF fails to verify because that domain has no SPF record.

           dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mobilitains.fr

Google is expecting DMARC alignment with mobilitains.fr, the domain in the From header. That is the ONLY way DMARC can succeed because the forwarding breaks SPF, as it would always be expected to do even if they didn't rewrite the envelope sender. There is no alignment, so DMARC fails.

[...]
    Received-SPF: neutral (google.com: 217.72.192.73 is neither permitted nor denied by best guess record for domain of bonj...@simonpapon.com) client-ip=217.72.192.73;
    Authentication-Results: mx.google.com;
           dkim=pass header.i=@p27.eu header.s=mail header.b=mQXXt3xe;
           spf=neutral (google.com: 217.72.192.73 is neither permitted nor denied by best guess record for domain of bonj...@simonpapon.com) smtp.mailfrom=bonj...@simonpapon.com;
           dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=mobilitains.fr

The same thing in the form of a Received-SPF header

    Received: from [217.72.192.67] ([217.72.192.67]) by mx.kundenserver.de (mxeue110 [217.72.192.67]) with ESMTPS (Nemesis) id 1Mkoav-1lvFYR407T-00mIMK for <simon....@gmail.com>; Wed, 21 Apr 2021 12:28:05 +0200
    Received: from nantes-m1.p27.eu ([172.105.247.37]) by mx.kundenserver.de (mxeue110 [217.72.192.67]) with ESMTPS (Nemesis) id 1MJU9W-1lFHn23zxY-00JsAh for <bonj...@simonpapon.com>; Wed, 21 Apr 2021 12:28:04 +0200
    Received: from [192.168.1.35] (176-139-184-203.abo.bbox.fr [176.139.184.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: gae...@mobilitains.fr) by nantes-m1.p27.eu (Postfix) with ESMTPSA id 37F1AA148D; Wed, 21 Apr 2021 10:28:04 +0000 (UTC)

So apparently the reason DMARC works when sending straight to GMail is that the smtp.mailfrom and header.from align at mobilitains.fr, so SPF achieves DMARC alignment (using Google's 'best guess' tactic, as nantes-m1.p27.eu is an MX) where DKIM does not.


    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=p27.eu; s=mail; t=1619000884; bh=cgbJn61eT58DYGGnJ+KiFz0hVfhG2B9PPsSj7PWJcmA=; h=Date:Subject:From:To:CC; b=mQXXt3xeT5/lLgnrBRhKpGn4BspBQv7xH7azTepVckHOKDtSm+wjPJHYp9zJ/XCMo
VKwY2/nVojhyZZN1jlO9X81++485rqxuTxPZMlUKtFxcUhIML1cA2cd8gOdtRsZiVt
7F9YswqymNrUkNx6YBX8/EigYj71MjeFidOYSVOcLD2XgHZCfh6Y9XaADu8ISBJlRo
n8APKzaDP2YOwdxNOTve7NH2N7/LDgVJIWEeEj9HTaJeztkx+fVnmpx+xlAK0NoTQ0
STgz5ZQozL6y80RXW9fF2p4K9MwxffordnEgQLGuFWtIujwg8abIM+WjM+C1vnflYh
             CcxvkmEFozsAw==

This perfectly valid signature is useless for DMARC unless the From header address is in p27.eu.




--
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255
https://www.p27.eu/jeff/
https://www.mobilitains.fr/
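The alignment rule Bill describes above, worked through as an added example that is not part of the thread: a small DMARC identifier-alignment evaluator (RFC 7489 relaxed/strict modes) fed with the authentication results quoted in the headers. The organizational-domain logic is simplified to the last two labels (an assumption; a real verifier consults the Public Suffix List), and the three result sets are constructed from the thread's headers.

```python
# Added example: DMARC identifier alignment per RFC 7489, simplified.
# Assumption: organizational domain = last two labels (no Public Suffix List).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two DNS labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, header_from: str, mode: str = "r") -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a, b = identifier.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str           # domain of the RFC5322.From address
    dkim_pass_domains: tuple   # d= domains of signatures that verified
    spf_result: str            # "pass", "neutral", "fail", ...
    smtp_mailfrom: str         # domain of the RFC5321.MailFrom (envelope sender)


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """'pass' if any authenticated identifier aligns with header.from, else 'fail'.
    A valid DKIM signature whose d= does not align contributes nothing, which is
    exactly why the p27.eu signature cannot rescue a mobilitains.fr From header."""
    if any(aligned(d, r.header_from, adkim) for d in r.dkim_pass_domains):
        return "pass"
    if r.spf_result == "pass" and aligned(r.smtp_mailfrom, r.header_from, aspf):
        return "pass"
    return "fail"


# Constructed from the quoted headers: the message forwarded through 1&1.
FORWARDED = AuthResults("mobilitains.fr", ("p27.eu",), "neutral", "simonpapon.com")
# Constructed: the same message delivered straight to Gmail with SPF passing.
DIRECT = AuthResults("mobilitains.fr", ("p27.eu",), "pass", "mobilitains.fr")
# Constructed: the forwarded message if a second signature had d=mobilitains.fr.
DUAL_SIGNED = AuthResults("mobilitains.fr", ("p27.eu", "mobilitains.fr"),
                          "neutral", "simonpapon.com")

if __name__ == "__main__":
    for name, res in (("forwarded", FORWARDED), ("direct", DIRECT),
                      ("dual-signed", DUAL_SIGNED)):
        print(f"{name}: dmarc={dmarc_evaluate(res)}")
```

The dual-signed case shows why signing with d=mobilitains.fr survives forwarding when SPF alignment does not: the DKIM identifier travels with the message, the envelope sender does not.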
