Amavis and OpenDMARC

Scott Kitterman amavis at kitterman.com
Tue Nov 28 01:42:06 CET 2023



On November 28, 2023 12:36:11 AM UTC, Noel Butler <noel.butler at ausics.net> wrote:
>On 21/11/2023 20:08, Matus UHLAR - fantomas wrote:
>
>> On 21.11.23 12:06, Noel Butler wrote:
>> 
>>> This also depends on how you set DKIM's canonicalization
>> 
>> this is a (known) problem of DKIM and playing with DMARC will not solve it.
>> 
>>> Anyone using simple/simple should have a DKIM fail and plenty use that setting, prior to July this year - when I was using this address on file with Federal Law Enforcement agencies for receiving shall we say certain formal requests ;) I used fully strict with simple/simple - as earlier posts on this list would show
>> 
>> I agree that DKIM designers messed this up quite much.
>> But again, we are here talking about DMARC.
>
>But they are intertwined, DMARC just does what DKIM and SPF declare, so any perceived DMARC issues *do* include DKIM and SPF
>
>> I believe the issue lies in bad formulation of condition for fo:
>
>> The problem I see is that with "fo=1" it should be reported, even if everything is okay.
>
>Well, if there is a pass and a failure, not "everything" is OK.
>Of all DMARC notices I've had, it's because DKIM failed, and thankfully for me at least all of them are list based, it's when I start seeing them for non list posts that I'll sit up and take notice.
>
>> Perhaps RFC 7489 needs clarification of what exactly needs to be reported and what not.
>
>7489 makes fo=1|s|d clear, perhaps fo=0 could be worded differently, most of us, or perhaps just many of us, understand 0 means only if everything fails then send a report because that's how I see it and how it seemed to work when I first ran DMARC until I moved to fo=1 because I want to get failure reports - remember, not all failure reports go to humans ;)
>
>Generally people who have some idea of what they are doing don't bother with RFCs, perhaps the problem is with the software documentation as that's what they tend to go for.
>
An IETF revision to RFC 7489 is pretty far advanced.  Anyone can contribute to the work if you think it needs improvement:

https://datatracker.ietf.org/wg/dmarc/documents/

Scott K
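
The fo= conditions debated in this thread, as an added example that is not part of the original messages or of OpenDMARC/amavis code: a small evaluator following the RFC 7489 section 6.3 wording for fo=0, 1, d and s. The `Auth` record, the function names and the sample result are constructed for illustration, and treating only a literal "fail" result as a failure is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    dkim: str           # "pass", "fail" or "none" (no signature present)
    dkim_aligned: bool  # signing domain aligns with the From: domain
    spf: str            # "pass", "fail" or "none"
    spf_aligned: bool   # SPF-checked domain aligns with the From: domain

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def failure_report_options(record, auth):
    """Return the fo options that call for a failure report on this message."""
    tags = parse_tags(record)
    if "ruf" not in tags:          # fo is ignored when no ruf address is published
        return []
    # fo is a colon-separated list; the default is "0"
    opts = {o.strip().lower() for o in tags.get("fo", "0").split(":")}
    dkim_ok = auth.dkim == "pass" and auth.dkim_aligned
    spf_ok = auth.spf == "pass" and auth.spf_aligned
    hits = []
    if "0" in opts and not (dkim_ok or spf_ok):
        hits.append("0")           # every mechanism lacked an aligned pass
    if "1" in opts and not (dkim_ok and spf_ok):
        hits.append("1")           # any mechanism lacked an aligned pass
    if "d" in opts and auth.dkim == "fail":
        hits.append("d")           # a signature failed, alignment not considered
    if "s" in opts and auth.spf == "fail":
        hits.append("s")           # SPF failed, alignment not considered
    return hits

# Constructed sample: DKIM signature broken in transit, SPF passes and aligns,
# so DMARC itself passes while one mechanism has failed.
MIXED = Auth(dkim="fail", dkim_aligned=False, spf="pass", spf_aligned=True)
BASE = "v=DMARC1; p=reject; ruf=mailto:reports@example.org"

if __name__ == "__main__":
    for fo in ("0", "1", "0:d", "s"):
        print(fo, failure_report_options(f"{BASE}; fo={fo}", MIXED))
```

For the mixed pass/fail case discussed above, fo=0 yields no report while fo=1 and fo=d both do.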

