
Why is opendmarc rejecting mail from firefox.com? It looks like their SPF record matches their sending address and does pass:

v=spf1 mx a include:amazonses.com include:mail.zendesk.com -all

/var/log/maillog:

postfix/smtpd[19221]: connect from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/smtpd[19221]: Anonymous TLS connection established from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
postfix/smtpd[19221]: 559B1453AE7: client=a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/cleanup[19242]: 559B1453AE7: message-id=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com>
opendkim[25641]: 559B1453AE7: a59-48.smtp-out.us-west-2.amazonses.com [54.240.59.48] not internal
opendkim[25641]: 559B1453AE7: not authenticated
opendkim[25641]: 559B1453AE7: message has signatures from firefox.com, amazonses.com
opendkim[25641]: 559B1453AE7: DKIM verification successful
opendmarc[25631]: 559B1453AE7 ignoring Authentication-Results at 1 from ip-172-31-2-211.ec2.internal
opendmarc[25631]: 559B1453AE7: SPF(mailfrom): 01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com pass
opendmarc[25631]: 559B1453AE7: **firefox.com fail**
postfix/cleanup[19242]: 559B1453AE7: milter-reject: END-OF-MESSAGE from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: 5.7.1 rejected by DMARC policy for firefox.com; from=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com> to=<redacted@redacted.com> proto=ESMTP helo=<a59-48.smtp-out.us-west-2.amazonses.com>
Andrew
  • If you add your configuration, the mistake would probably be more obvious. Specifically, look for `AuthservID` in your `opendkim.conf` and `opendmarc.conf`! – anx Oct 09 '20 at 15:17

1 Answer

In DMARC the rules about which address matters are described as identifier alignment, and they describe the manner in which the SPF-authenticated domain must match the domain in the From: header.

You are looking at logs for a mail that is not aligned in that sense: I can tell from your opendmarc logs that you were receiving a mail that was checked for alignment with firefox.com - but the SPF authorization above refers to .amazonses.com.

I cannot tell with certainty from your logs what exactly happened to the other method, DKIM. You can best figure out that part by receiving mail from a known-good sender and looking at the Authentication-Results: headers. I suspect the ignored header from ip-172-31-2-211.ec2.internal is yours; in that place opendkim & opendmarc should probably be configured to use something globally unique (172.16.0.0/12 is NOT), such as your MX FQDN, instead.

anx
  • Are you saying their SPF record is wrong? Did they incorrectly omit their sending domain (firefox.com) even though all mail comes from an amazonses IP? And yes, ip-172-31-2-211.ec2.internal is me. – Andrew Oct 09 '20 at 15:06
  • @Andrew If that header is yours, why are you `ignoring` it? You should fix your *opendkim* and *opendmarc* configuration. – anx Oct 09 '20 at 15:10
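The identifier-alignment point in the answer and the AuthservID point in the comments can be replayed together as a small DMARC evaluation. The following is an added example written for this page, not code from opendmarc or from either poster. It uses the identifiers visible in the log (From: domain firefox.com, SPF RFC5321.MailFrom domain us-west-2.amazonses.com, DKIM signatures with d=firefox.com and d=amazonses.com, an Authentication-Results header stamped ip-172-31-2-211.ec2.internal) and assumes a trusted authserv-id of mx.example.net, a p=reject policy as the "rejected by DMARC policy" line implies, and a constructed Authentication-Results value. The organizational-domain helper is simplified to the last two labels instead of consulting the Public Suffix List, which is enough for the .com names here.

```python
"""DMARC alignment replay for the firefox.com / amazonses.com log on this page.

Added example, not the page's or opendmarc's own code.  Assumptions: the
receiving MX is mx.example.net, the Authentication-Results text is
constructed, and firefox.com publishes p=reject (implied by the log).
"""
from dataclasses import dataclass, field

FROM_DOMAIN = "firefox.com"                # RFC5322.From domain (from the log)
SPF_DOMAIN = "us-west-2.amazonses.com"     # RFC5321.MailFrom domain (from the log)
OPENDKIM_AUTHSERV_ID = "ip-172-31-2-211.ec2.internal"   # authserv-id seen in the log
MX_AUTHSERV_ID = "mx.example.net"          # assumed globally unique AuthservID

# Constructed Authentication-Results value, shaped like what opendkim adds
# when its AuthservID is the EC2 hostname.  Not copied from the page.
AR_FROM_OPENDKIM = (
    f"{OPENDKIM_AUTHSERV_ID}; "
    "dkim=pass header.d=firefox.com; "
    "dkim=pass header.d=amazonses.com"
)


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (simplification)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ('s') is an exact match,
    relaxed ('r') compares organizational domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str):
    """Split an Authentication-Results value into
    (authserv-id, [(method, result, {prop: value})])."""
    stanzas = [s.strip() for s in header.split(";")]
    authserv_id = stanzas[0].split()[0]
    results = []
    for stanza in stanzas[1:]:
        tokens = stanza.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results


@dataclass
class Verdict:
    dmarc_pass: bool
    spf_aligned: bool
    dkim_aligned: bool
    disposition: str
    reasons: list = field(default_factory=list)


def evaluate_dmarc(from_domain, spf_domain, spf_result, ar_headers,
                   trusted_authserv_ids, policy="reject") -> Verdict:
    """DMARC passes if SPF or DKIM both passed and is aligned with From."""
    reasons = []
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain)
    if not spf_aligned:
        reasons.append(f"SPF identifier {spf_domain} is not aligned with {from_domain}")
    dkim_aligned = False
    for header in ar_headers:
        authserv_id, results = parse_auth_results(header)
        if authserv_id not in trusted_authserv_ids:
            # Like opendmarc: results stamped by an unknown authserv-id are
            # discarded, so a DKIM pass recorded there never counts.
            reasons.append(f"ignoring Authentication-Results from {authserv_id}")
            continue
        for method, result, props in results:
            d = props.get("header.d", "")
            if method == "dkim" and result == "pass" and aligned(d, from_domain):
                dkim_aligned = True
                reasons.append(f"DKIM d={d} is aligned with {from_domain}")
    passed = spf_aligned or dkim_aligned
    return Verdict(passed, spf_aligned, dkim_aligned, "none" if passed else policy, reasons)


def scenario_misconfigured() -> Verdict:
    """opendmarc trusts only mx.example.net; opendkim stamped the EC2 hostname."""
    return evaluate_dmarc(FROM_DOMAIN, SPF_DOMAIN, "pass",
                          [AR_FROM_OPENDKIM], {MX_AUTHSERV_ID})


def scenario_fixed() -> Verdict:
    """Both milters use the same AuthservID, so the DKIM pass is honoured."""
    return evaluate_dmarc(FROM_DOMAIN, SPF_DOMAIN, "pass",
                          [AR_FROM_OPENDKIM], {MX_AUTHSERV_ID, OPENDKIM_AUTHSERV_ID})


if __name__ == "__main__":
    for name, v in (("misconfigured", scenario_misconfigured()), ("fixed", scenario_fixed())):
        print(name, "->", "pass" if v.dmarc_pass else f"fail ({v.disposition})")
        for r in v.reasons:
            print("   ", r)
```

In the misconfigured run SPF is unaligned (amazonses.com vs firefox.com) and the only aligned DKIM signature sits in an Authentication-Results header whose authserv-id is not trusted, which reproduces "firefox.com fail" and the reject. Adding the opendkim authserv-id to the trusted set, or giving both milters the same FQDN in AuthservID, lets the d=firefox.com pass count and the message is accepted.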