On 2022-05-10 20:39, Matus UHLAR - fantomas wrote:
On Monday, May 9th, 2022 at 20:35, Alex <mysqlstud...@gmail.com> wrote:
I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
https://pastebin.com/0T4Gjn3v


* 1.8 DMARC_REJECT DMARC reject policy
* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy


It also passes SPF and DKIM

On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
Laurent S. <110ef9e3086d8405c2929e34be5b4...@protonmail.ch>
is rumored to have said:
As far as I understand, for DMARC to be valid, the envelope sender address and the header From need to have the same domain.

On 10.05.22 13:53, Bill Cole wrote:
Not so.

One of SPF (using the domain of the envelope sender) or DKIM (using the domain of the signature) must validate AND the domain used in the validation must match the domain of the author identified by the From header.

correct, however:

From: nore...@ess.firstdata.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
        t=1652117979;
        h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
        bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
        b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
        XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
        h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
Authentication-Results: mail03.example.com (amavisd-new);
        dkim=pass (1024-bit key) header.d=ess.firstdata.com
        header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
        header.b="dwNxlXrW"

so the mail looks to be DMARC valid, while SA produces:

* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy

dkim=pass (1024-bit key) header.d=amazonses.com
        header.b="dwNxlXrW"

this does not pass, why does amazonses add DKIM :(

when multiple DKIM signers are added, all must pass for DMARC pass; I believe this is why KAM fails?

when amazonses drops DKIM signing on forwarded mails it begins to be stable; what amazonses should do here is to ARC seal and ARC sign, but this must be done before breaking DKIM when forwarding

we still wait for spamassassin 4.0.0

note to PMC members: the DMARC plugin does work with SpamAssassin 3.4.6, super. I can provide a DMARC rule to the public so askdns is not used for DMARC rules anymore when the DMARC plugin is loaded; I believe PMC members can do this if version ... as well :)
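The alignment rule Bill Cole states above (one of SPF or DKIM must pass AND the domain it authenticated must align with the From domain) can be checked mechanically. The following is an added example, not code from the thread, SpamAssassin or the KAM rules: it parses the DKIM clauses of the quoted Authentication-Results header and evaluates them the way RFC 7489 section 6.6.2 does, where a message passes if at least one authenticated identifier aligns with the From domain and every other signature, whether it passed or failed, is simply ignored. Assumptions: the organizational-domain logic keeps the last two labels instead of consulting the Public Suffix List, and the SPF MAIL FROM domain is not shown in the thread, so the SPF parameters are left at their defaults (no SPF result) unless supplied by the caller.

```python
import re
from typing import Dict, List, Optional, Tuple

# Authentication-Results value as quoted in the thread, with the folded lines joined.
# Only DKIM clauses are present; the thread does not show an SPF clause.
AUTH_RESULTS = (
    "mail03.example.com (amavisd-new); "
    'dkim=pass (1024-bit key) header.d=ess.firstdata.com header.b="MHojQsOq"; '
    'dkim=pass (1024-bit key) header.d=amazonses.com header.b="dwNxlXrW"'
)


def parse_dkim_results(header: str) -> List[Tuple[str, str]]:
    """Return (result, signing domain) for each dkim= clause of an Authentication-Results value.

    Clauses are ';'-separated (RFC 8601); the first clause is the authserv-id and is skipped.
    This simple splitter assumes no ';' inside comments, which holds for the quoted header.
    """
    results = []
    for clause in header.split(";")[1:]:
        method = re.match(r"\s*dkim=(\w+)", clause)
        domain = re.search(r"header\.d=([A-Za-z0-9.-]+)", clause)
        if method and domain:
            results.append((method.group(1).lower(), domain.group(1).lower()))
    return results


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification (assumption of this example): keep the last two labels. Real
    evaluators consult the Public Suffix List (RFC 7489 section 3.2).
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(
    from_domain: str,
    dkim_results: List[Tuple[str, str]],
    spf_result: str = "none",
    spf_domain: Optional[str] = None,
    adkim: str = "r",
    aspf: str = "r",
) -> Dict[str, object]:
    """DMARC authentication check per RFC 7489 section 6.6.2.

    The message passes if at least one authenticated identifier (the SPF MAIL FROM
    domain, or the d= of a *passing* DKIM signature) aligns with the From domain.
    Signatures that fail, or that pass under an unaligned domain, neither help nor hurt.
    """
    aligned_dkim = [
        d for result, d in dkim_results if result == "pass" and aligned(d, from_domain, adkim)
    ]
    spf_aligned = bool(
        spf_result == "pass" and spf_domain and aligned(spf_domain, from_domain, aspf)
    )
    return {
        "aligned_dkim": aligned_dkim,
        "spf_aligned": spf_aligned,
        "result": "pass" if aligned_dkim or spf_aligned else "fail",
    }


if __name__ == "__main__":
    from_domain = "ess.firstdata.com"
    signatures = parse_dkim_results(AUTH_RESULTS)
    print("as received:", dmarc_evaluate(from_domain, signatures))
    # A forward that alters the body breaks the first-party signature (the quoted one
    # uses c=relaxed/simple); the forwarder's own amazonses.com signature may still
    # pass, but it is unaligned, so it cannot rescue the DMARC result.
    after_forward = [("fail", "ess.firstdata.com"), ("pass", "amazonses.com")]
    print("after a body-modifying forward:", dmarc_evaluate(from_domain, after_forward))
```

Run against the header quoted in the thread, the first-party ess.firstdata.com signature is the single aligned identifier and the result is pass; the second, amazonses.com signature is neither required to pass nor able to cause a failure. The result only flips to fail when the aligned signature itself breaks, which is the forwarding scenario described above.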
