Subject: dmarc=fail: sendmail, spf, dkim and opendmarc
From: Wolfgang Agnes
Newsgroups: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Tue, 12 Nov 2024 17:56 UTC
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: wagnes@example.com (Wolfgang Agnes)
Newsgroups: comp.mail.sendmail
Subject: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Tue, 12 Nov 2024 14:56:12 -0300
Organization: A noiseless patient Spider
Lines: 280
Message-ID: <8734jwnxoj.fsf@jemoni.to>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Tue, 12 Nov 2024 18:56:19 +0100 (CET)

I've been able to see my spf, dkim and opendmarc policy working with
SMTPs that are not my own. My problem has been with the filters on my
own system. Even though my SMTP seems to add the SPF header and the
DKIM headers, it seems that opendmarc on my system never seems satisfied
and so it seems to always fail every message I send out. I describe my
entire system further below, but I think I should begin with the
symptoms first. I appreciate any help on this. Thanks!

(*) A test message sent to a remote site

%swaks --to someone@remote.site --from me@antartida.xyz \
--auth CRAM-MD5 --auth-user me \
--header-X-Test "test email" \
--server antartida.xyz
Password: <secret>
=== Trying antartida.xyz:25...
=== Connected to antartida.xyz.
<- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
-> EHLO antartida.xyz
<- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
<- 250-ENHANCEDSTATUSCODES
<- 250-PIPELINING
<- 250-8BITMIME
<- 250-SIZE
<- 250-DSN
<- 250-ETRN
<- 250-AUTH DIGEST-MD5 CRAM-MD5
<- 250-STARTTLS
<- 250-DELIVERBY
<- 250 HELP
-> AUTH CRAM-MD5
<- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
-> ZGJhc3RvcyAyOGMzNzcyN2IzZWYxNDgzNDc1MzhmYTM4MjI1MjQyNQ==
<- 235 2.0.0 OK Authenticated
-> MAIL FROM:<me@antartida.xyz>
<- 250 2.1.0 <me@antartida.xyz>... Sender ok
-> RCPT TO:<someone@remote.site>
<- 250 2.1.5 <someone@.remote.site>... Recipient ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Tue, 12 Nov 2024 14:34:47 -0300
-> To: someone@remote.site
-> From: me@antartida.xyz
-> Subject: test Tue, 12 Nov 2024 14:34:47 -0300
-> Message-Id: <20241112143447.077593@antartida.xyz>
-> X-Mailer: swaks v20240103.0 jetmore.org/john/code/swaks/
-> X-Test: test email
->
-> This is a test mailing
->
->
-> .
<- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
-> QUIT
<- 221 2.0.0 antartida.xyz closing connection
=== Connection closed with remote host.

(*) The local maillog

This is long because I had LogLevel=15. You'll see below that opendmarc
adds the authentication-results header with a failure, but the spf and
dkim headers appear to be correct. I show these two relevant log lines
first and then I show the entire set of log lines in case it's useful.

--8<-------------------------------------------------------->8---
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594:
antartida.xyz fail

Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter
(opendmarc) insert (1): header: Authentication-Results: antartida.xyz;
dmarc=fail (p=reject dis=none) header.from=antartida.xyz
--8<-------------------------------------------------------->8---

Now the entire SMTP session:

Nov 12 14:34:50 antartida sm-mta[77594]: NOQUEUE: connect from mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH: available mech=SCRAM-SHA-512 SCRAM-SHA-384 SCRAM-SHA-256 SCRAM-SHA-224 SCRAM-SHA-1 DIGEST-MD5 OTP CRAM-MD5 NTLM ANONYMOUS, allowed mech=GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc): init success to negotiate
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: connect to filters
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=connect, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 220 antartida.xyz ESMTP Sendmail 8.18.1/8.18.1; Tue, 12 Nov 2024 14:34:50 -0300 (-03)
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- EHLO antartida.xyz
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=helo, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-antartida.xyz Hello mx.antartida.xyz [195.88.57.140], pleased to meet you
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ENHANCEDSTATUSCODES
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-PIPELINING
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-8BITMIME
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-SIZE
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DSN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-ETRN
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-AUTH DIGEST-MD5 CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-STARTTLS
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250-DELIVERBY
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 HELP
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- AUTH CRAM-MD5
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 334 PDIxNTE2NjU4MTUuMzM3OTc0NUBhbnRhcnRpZGEueHl6Pg==
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 235 2.0.0 OK Authenticated
Nov 12 14:34:50 antartida sm-mta[77594]: AUTH=server, relay=mx.antartida.xyz [195.88.57.140], authid=me, mech=CRAM-MD5, bits=0
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- MAIL FROM:<me@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: sender: <me@antartida.xyz>
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=mail, continue
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.0 <me@antartida.xyz>... Sender ok
Nov 12 14:34:50 antartida sm-mta[77594]: 4ACHYoGx077594: <-- RCPT TO:<someone@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter: rcpts: <someone@remote.site>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=rcpt, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.1.5 <someone@remote.site>... Recipient ok
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: <-- DATA
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 354 End data with <CR><LF>.<CR><LF>
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: from=<me@antartida.xyz>, size=287, class=0, nrcpts=1, msgid=<20241112143447.077593@antartida.xyz>, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 6 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=spfmilter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (spfmilter) insert (0): header: Received-SPF: pass (antartida.xyz: authenticated connection) receiver=antartida.xyz; client-ip=195.88.57.140; helo=antartida.xyz; envelope-from=me@antartida.xyz; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.11;
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 7 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=eoh, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=dkim-filter, action=body, continue
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (dkim-filter) insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=antartida.xyz;\n\ts=default; t=1731432891;\n\tbh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=;\n\th=Date:To:From:Subject;\n\tb=IDOMq8KnwMb7bgpeMGJOuiW/i9PbmFi9UE4df2u07P6agEeuGAbzepdq9tUmYc5w8\n\t gv5J9u2x8iALPN/6TEzVuDLBhhLfO8XCpWcuK+i5fLKKajo5cpGNVkoMI0cB36zCO3\n\t AwH/wK5f2K8YOgUbQbHYZQBLDdneC1Cp45wYmK0o=
Nov 12 14:34:51 antartida opendkim[35443]: 4ACHYoGx077594: DKIM-Signature field added (s=default, d=antartida.xyz)
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=header, continue
Nov 12 14:34:51 antartida syslogd: last message repeated 8 times
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: milter=opendmarc, action=eoh, continue
Nov 12 14:34:51 antartida opendmarc[53126]: 4ACHYoGx077594: antartida.xyz fail
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter accept: message
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: --- 250 2.0.0 4ACHYoGx077594 Message accepted for delivery
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: <-- QUIT
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoH0077594: --- 221 2.0.0 antartida.xyz closing connection
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <someone@remote.site>... Connecting to aspmx.l.google.com. via esmtp...
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: makeconnection (aspmx.l.google.com. [IPv6:2607:f8b0:400c:c36:0:0:0:1b].25 (28)) failed: No route to host
Nov 12 14:34:51 antartida sm-mta[77596]: 4ACHYoGx077594: SMTP outgoing connect on mx.antartida.xyz
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: CRLFile missing
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, init=1
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=(null), relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: tls_clt_features=empty, stat=0, relay=aspmx.l.google.com [74.125.139.26]
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, start=ok
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS=client, info: fds=8/5, err=2
Nov 12 14:34:51 antartida sm-mta[77596]: STARTTLS: TLS cert verify: depth=2 /C=US/O=Google Trust Services LLC/CN=GTS Root R1, state=0, reason=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, get_verify: 2 get_peer: 0x37afc4c39780
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, relay=aspmx.l.google.com., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, cert-subject=/CN=mx.google.com, cert-issuer=/C=US/O=Google+20Trust+20Services/CN=WR2, verifymsg=unable to get issuer certificate
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida syslogd: last message repeated 4 times
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: --- 050 <someone@remote.site>... Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: to=<someone@remote.site>, ctladdr=<me@antartida.xyz> (1003/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30287, relay=aspmx.l.google.com. [74.125.139.26], dsn=2.0.0, stat=Sent (OK 1731432897 ada2fe7eead31-4aaa7bac85asi3247497137.420 - gsmtp)
Nov 12 14:34:52 antartida sm-mta[77596]: 4ACHYoGx077594: done; delay=00:00:01, ntries=1
Nov 12 14:34:52 antartida sm-mta[77596]: NOQUEUE: --- 050 Closing connection to aspmx.l.google.com.
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=read, info: fds=8/5, err=2
Nov 12 14:34:52 antartida sm-mta[77596]: STARTTLS=client, SSL_shutdown failed: -1


Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
From: Marco Moock
Newsgroups: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Tue, 12 Nov 2024 19:45 UTC
References: 1
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mm+usenet-es@dorfdsl.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Tue, 12 Nov 2024 20:45:07 +0100
Organization: A noiseless patient Spider
Lines: 28
Message-ID: <20241112204507.22816497@ryz.dorfdsl.de>
References: <8734jwnxoj.fsf@jemoni.to>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 12 Nov 2024 20:45:08 +0100 (CET)

On 12.11.2024 at 14:56 Wolfgang Agnes wrote:

> This is long because I had LogLevel=15. You'll see below that
> opendmarc adds the authentication-results header with a failure, but
> the spf and dkim headers appear to be correct. I show these two
> relevant log lines first and then I show the entire set of log lines
> in case it's useful.

If you send outgoing mail, neither SPF nor DMARC must be checked
because they fail by design in this situation.
DKIM needs to sign it, as it does.

You need to configure the dmarc milter not to check if the mail is
being submitted from your clients (e.g. because they use auth or come
from your own IP ranges).
Sadly, I cannot tell you how to configure it to do that, I had the same
problem and I am currently not using any SPF nor dmarc milters.

The opendkim milter doesn't check DKIM if authentication is being used
or the mail comes from whitelisted IP ranges. I dunno if opendmarc
has the same options.

--
kind regards
Marco

Send spam to 1731419772muell@cartoonies.org

Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
From: Wolfgang Agnes
Newsgroups: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Wed, 13 Nov 2024 00:58 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: wagnes@example.com (Wolfgang Agnes)
Newsgroups: comp.mail.sendmail
Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Tue, 12 Nov 2024 21:58:15 -0300
Organization: A noiseless patient Spider
Lines: 63
Message-ID: <87h68clzko.fsf@example.com>
References: <8734jwnxoj.fsf@jemoni.to>
<20241112204507.22816497@ryz.dorfdsl.de>
MIME-Version: 1.0
Content-Type: text/plain
Injection-Date: Wed, 13 Nov 2024 01:58:20 +0100 (CET)

Marco Moock <mm+usenet-es@dorfdsl.de> writes:

> On 12.11.2024 at 14:56 Wolfgang Agnes wrote:
>
>> This is long because I had LogLevel=15. You'll see below that
>> opendmarc adds the authentication-results header with a failure, but
>> the spf and dkim headers appear to be correct. I show these two
>> relevant log lines first and then I show the entire set of log lines
>> in case it's useful.
>
> If you send outgoing mail, neither SPF nor DMARC must be checked
> because they fail by design in this situation.

Can you elaborate? I thought I could have authenticated users trying to
spoof mail. For instance, my domain may be antartida.xyz, but some
authenticated user could try to use, say, presidency.antartida.xyz or
something like that.

> You need to configure the dmarc milter not to check if the mail is
> being submitted from your clients (e.g. because they use auth or come
> from your own IP ranges).
> Sadly, I cannot tell you how to configure it to do that, I had the same
> problem and I am currently not using any SPF nor dmarc milters.

Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
problem''. With this option enabled, OpenDMARC now only says it
accepts the message---no questions asked.

--8<-------------------------------------------------------->8---
Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: milter=opendmarc, action=mail, accepted
--8<-------------------------------------------------------->8---

## IgnoreAuthenticatedClients { true | false }
## default "false"
##
## If set, causes mail from authenticated clients (i.e., those that used
## SMTP AUTH) to be ignored by the filter.
# IgnoreAuthenticatedClients true

(*) Other options

In the same spirit, there's also IgnoreHosts and IgnoreMailFrom.

## IgnoreHosts path
## default (internal)
##
## Specifies the path to a file that contains a list of hostnames, IP
## addresses, and/or CIDR expressions identifying hosts whose SMTP
## connections are to be ignored by the filter. If not specified, defaults
## to "127.0.0.1" only.
# # IgnoreHosts /usr/local/etc/opendmarc/ignore.hosts

## IgnoreMailFrom domain[,...]
## default (none)
##
## Gives a list of domain names whose mail (based on the From: domain) is to
## be ignored by the filter. The list should be comma-separated. Matching
## against this list is case-insensitive. The default is an empty list,
## meaning no mail is ignored.
# # IgnoreMailFrom example.com
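
A log audit for the symptom discussed in this thread, as an added example (not code from any poster): it correlates sendmail log lines by queue id and lists authenticated submissions (proto=ESMTPA/ESMTPSA) that opendmarc still evaluated. It assumes a LogLevel high enough to log milter header inserts, as in the first post; the function names are hypothetical, and the sample mixes three lines copied from the posts with three constructed ones.

```python
import re

# "<date> <host> sm-mta[pid]: <14-char queue id>: <text>", as in the log above.
LINE = re.compile(r"sm-mta\[\d+\]: (?P<qid>[0-9A-Za-z]{14}): (?P<text>.*)")
# proto=ESMTPA / ESMTPSA marks a session that completed SMTP AUTH (RFC 3848).
PROTO = re.compile(r"\bproto=(?P<proto>\w+)")
# Header that opendmarc asked sendmail to insert (only logged at high LogLevel).
VERDICT = re.compile(r"Milter \(opendmarc\) insert .*?\bdmarc=(?P<result>\w+)")
# Logged when opendmarc accepts at MAIL FROM and never evaluates the message.
SKIPPED = "milter=opendmarc, action=mail, accepted"

# Lines 1-3 are copied from the posts; lines 4-6 are constructed for the example.
SAMPLE = """\
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: from=<me@antartida.xyz>, size=287, class=0, nrcpts=1, msgid=<20241112143447.077593@antartida.xyz>, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
Nov 12 14:34:51 antartida sm-mta[77594]: 4ACHYoGx077594: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=fail (p=reject dis=none) header.from=antartida.xyz
Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: milter=opendmarc, action=mail, accepted
Nov 12 21:49:02 antartida sm-mta[81837]: 4AD0n2v0081837: from=<me@antartida.xyz>, size=287, class=0, nrcpts=1, proto=ESMTPA, daemon=IPv4, relay=mx.antartida.xyz [195.88.57.140]
Nov 12 22:10:07 antartida sm-mta[81901]: 4AD1A7v0081901: from=<a@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=IPv4, relay=mail.example.org [192.0.2.10]
Nov 12 22:10:07 antartida sm-mta[81901]: 4AD1A7v0081901: Milter (opendmarc) insert (1): header: Authentication-Results: antartida.xyz; dmarc=pass (p=none dis=none) header.from=example.org
""".splitlines()


def correlate(lines):
    """Group log lines by queue id; record AUTH use and opendmarc's outcome."""
    msgs = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # NOQUEUE, AUTH=, STARTTLS and other non-message lines
        rec = msgs.setdefault(m["qid"], {"authenticated": False, "dmarc": None})
        text = m["text"]
        p = PROTO.search(text)
        if p and text.startswith("from="):
            rec["authenticated"] = p["proto"] in ("ESMTPA", "ESMTPSA")
        v = VERDICT.search(text)
        if v:
            rec["dmarc"] = v["result"]      # opendmarc evaluated the message
        elif SKIPPED in text:
            rec["dmarc"] = "skipped"        # opendmarc ignored the session
    return msgs


def evaluated_submissions(lines):
    """Queue ids of authenticated submissions that opendmarc still evaluated."""
    return sorted(q for q, r in correlate(lines).items()
                  if r["authenticated"] and r["dmarc"] not in (None, "skipped"))


if __name__ == "__main__":
    for qid in evaluated_submissions(SAMPLE):
        print(qid, correlate(SAMPLE)[qid])
```

Run against the real maillog after setting IgnoreAuthenticatedClients, an empty result means no authenticated session reached the DMARC evaluation in that period.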

Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
From: Marco Moock
Newsgroups: comp.mail.sendmail
Organization: A noiseless patient Spider
Date: Wed, 13 Nov 2024 16:09 UTC
References: 1 2 3
Path: eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: mm+usenet-es@dorfdsl.de (Marco Moock)
Newsgroups: comp.mail.sendmail
Subject: Re: dmarc=fail: sendmail, spf, dkim and opendmarc
Date: Wed, 13 Nov 2024 17:09:40 +0100
Organization: A noiseless patient Spider
Lines: 53
Message-ID: <20241113170940.4e091272@ryz.dorfdsl.de>
References: <8734jwnxoj.fsf@jemoni.to>
<20241112204507.22816497@ryz.dorfdsl.de>
<87h68clzko.fsf@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 13 Nov 2024 17:09:41 +0100 (CET)

On 12.11.2024 at 21:58 Wolfgang Agnes wrote:

> Marco Moock <mm+usenet-es@dorfdsl.de> writes:
>
> > On 12.11.2024 at 14:56 Wolfgang Agnes wrote:
> >
> >> This is long because I had LogLevel=15. You'll see below that
> >> opendmarc adds the authentication-results header with a failure,
> >> but the spf and dkim headers appear to be correct. I show these
> >> two relevant log lines first and then I show the entire set of log
> >> lines in case it's useful.
> >
> > If you send outgoing mail, neither SPF nor DMARC must be checked
> > because they fail by design in this situation.
>
> Can you elaborate?

The SPF record of a domain includes IP addresses of the outgoing mail
servers. Your users have other IP addresses from anywhere in the world.
They use authentication to prove their identity. Maybe there are
milters to map such an identity to an email address, so address forging
can be prevented.

SPF doesn't work for that.

DMARC needs DKIM and SPF to work and is intended for incoming mail. As
there is no Authentication-Results SPF header when mail is being
submitted, DMARC makes no sense here. If there is already a DKIM
signature, it could verify the policy, but that makes no sense in that
situation.

> > You need to configure the dmarc milter not to check if the mail is
> > being submitted from your clients (e.g. because they use auth or
> > come from your own IP ranges).
> > Sadly, I cannot tell you how to configure it to do that, I had the
> > same problem and I am currently not using any SPF nor dmarc
> > milters.
>
> Thanks! We've got IgnoreAuthenticatedClients, which eliminates ``the
> problem''. With this option enabled, OpenDMARC now only says it
> accepts the message---no questions asked.

Thanks!
I was searching for that and didn't find it.

--
kind regards
Marco

Send spam to 1731445095muell@cartoonies.org
