Amavis and OpenDMARC

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Nov 21 11:08:22 CET 2023


>On 16/11/2023 18:47, Matus UHLAR - fantomas wrote:
>>Keeping header From: and DKIM signatures is perfectly fine, if ML 
>>does not modify the mail, which afaik is the default setting.

On 21.11.23 12:06, Noel Butler wrote:
>This also depends on how you set DKIM's canonicalization

this is a (known) problem of DKIM and playing with DMARC will not solve it.

>Anyone using simple/simple should have a DKIM fail and plenty use that 
>setting, prior to July this year - when I was using this address on 
>file with Federal Law Enforcement agencies for receiving shall we say 
>certain formal requests ;) I used fully strict with simple/simple - as 
>earlier posts on this list would show

I agree that DKIM designers messed this up quite much.
But again, we are here talking about DMARC.

>>I believe the issue lies in bad formulation of condition for fo:
>>
>>1: Generate a DMARC failure report if any underlying
>>authentication mechanism produced something other than an
>>aligned "pass" result.

>I've never had an fo=1 SPF failure report, because DKIM would pass, 

Do you think that part of the RFC has a different meaning than I described?
Or do people/SW simply ignore the "fo=1" setting when DKIM passes and don't 
report unaligned SPF, thus ignoring it?


>>...I understand this as SPF unaligned with header From: should be 
>>reported for domain in header From:.
>
>SPF should only check and report on envelope-sender/return-path, if 
>and only if that does not exist it should use the EHLO domain, it 
>should not care about From, last time I looked - a decade or so ago - 
>it never did, but let's try something...

"Aligned" in the DMARC sense means that the envelope From: and header From: are the 
same.  If they are not the same, it's called "unaligned".
Unaligned SPF is not important if the DKIM passes.

The problem I see is that with "fo=1" it should be reported, even if 
everything is okay.

>>It makes sense to report missing/unaligned DKIM.
>
>Then set fo=d  :)

With "fo=d", SPF failure is not to be reported, only invalid DKIM.

With "fo=s", SPF failure is to be reported, not DKIM.

With "fo=1", DKIM failure is reported, but also unaligned SPF pass.

Generally that means that with "fo=1" not only failures, but even successes 
would be reported if the SPF is not aligned.

Perhaps this could be avoided by using "fo=d; fo=s;" in the DMARC record, which 
I'm not sure is correct (quick

Perhaps RFC 7489 needs clarification of what exactly needs to be reported 
and what not.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
You have the right to remain silent. Anything you say will be misquoted,
then used against you.
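The four fo= options debated above, written out as a small decision routine so the "fo=1 reports an unaligned SPF pass" reading can be checked against concrete results. This is an added example for this thread, not code from amavis, OpenDMARC or the poster. The AuthResults model and the two scenarios are constructed; the option semantics follow the four definitions in RFC 7489 section 6.3 as quoted in the thread, and treating only the literal "fail" result as an SPF or DKIM failure for fo=s and fo=d is an assumption of mine.

```python
"""Which fo= options in a DMARC record call for a failure report (RFC 7489, section 6.3).

Added example; not code from amavis, OpenDMARC or the original poster. The
AuthResults model is constructed for illustration, and treating only the
literal "fail" result as a failure for fo=d / fo=s is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResults:
    spf_result: str      # SPF result for the envelope sender (or EHLO domain)
    spf_aligned: bool    # does the SPF-authenticated domain align with header From:?
    dkim_result: str     # "pass", "fail" or "none" (no signature present)
    dkim_aligned: bool   # does the d= domain of a passing signature align with header From:?


VALID_FO = {"0", "1", "d", "s"}


def parse_fo(fo_value):
    """Split a fo= tag value. RFC 7489 delimits multiple options with colons,
    e.g. "fo=1:d:s"; a missing or empty tag means the default "0"."""
    if not fo_value:
        return {"0"}
    opts = {o.strip() for o in fo_value.split(":")}
    unknown = opts - VALID_FO
    if unknown:
        raise ValueError(f"unknown fo option(s): {sorted(unknown)}")
    return opts


def triggered_options(fo_value, r):
    """Return the fo= options (sorted) that call for a failure report for r."""
    opts = parse_fo(fo_value)
    spf_aligned_pass = r.spf_result == "pass" and r.spf_aligned
    dkim_aligned_pass = r.dkim_result == "pass" and r.dkim_aligned
    hits = []
    # 0: report if *all* mechanisms fail to produce an aligned pass (i.e. DMARC fails).
    if "0" in opts and not (spf_aligned_pass or dkim_aligned_pass):
        hits.append("0")
    # 1: report if *any* mechanism produced something other than an aligned pass.
    #    This is the literal reading debated in the thread: an unaligned SPF pass
    #    next to an aligned DKIM pass is still "something other than an aligned pass".
    if "1" in opts and not (spf_aligned_pass and dkim_aligned_pass):
        hits.append("1")
    # d: report if a DKIM signature failed evaluation, regardless of alignment.
    #    A message without any signature ("none") has no signature that failed.
    if "d" in opts and r.dkim_result == "fail":
        hits.append("d")
    # s: report if the message failed SPF evaluation, regardless of alignment.
    if "s" in opts and r.spf_result == "fail":
        hits.append("s")
    return sorted(hits)


# Constructed scenario from the thread: a mailing list resends a message with its
# own envelope sender (SPF passes for the list's domain, hence unaligned) but
# leaves the author's DKIM signature intact (aligned pass).
MAILING_LIST = AuthResults(spf_result="pass", spf_aligned=False,
                           dkim_result="pass", dkim_aligned=True)

# Constructed scenario: the list modified the body and broke the DKIM signature.
LIST_BROKE_DKIM = AuthResults(spf_result="pass", spf_aligned=False,
                              dkim_result="fail", dkim_aligned=False)


if __name__ == "__main__":
    for fo in ("0", "1", "d", "s", "0:d:s"):
        print(f"fo={fo:6} intact DKIM -> {triggered_options(fo, MAILING_LIST)}"
              f"   broken DKIM -> {triggered_options(fo, LIST_BROKE_DKIM)}")
```

Running it shows the asymmetry the thread is about: for the intact-signature case only "1" fires, while "0", "d" and "s" stay quiet; once the signature is broken, "0", "1" and "d" all fire and "s" still does not, because SPF itself passed. Two RFC 7489 details worth keeping in mind when reading the output: multiple options belong in one tag separated by colons (so "fo=d:s", not two fo= tags), and the fo tag is ignored entirely when the record has no ruf= tag.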

