
I just recently set up DMARC on my mail server, and in received mails the order of the SPF, DKIM and DMARC headers is strange. Moreover, if the DKIM signature is missing, there is no DMARC related "Authentication-Results" header at all.

Is this correct? Shouldn't the SPF auth header be before the DMARC auth results?

I use postfix, opendkim, opendmarc and postfix-policyd-spf-python.

```
Delivered-To: target@target.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.2.3.4; helo=mail.source.com; envelope-from=me@source.com; receiver=target@target.com
Authentication-Results: mail.target.com; dmarc=none header.from=source.com
Received: from mail.source.com (mail.source.com [1.2.3.4])
        by mail.target.com (Postfix) with ESMTPS id A818B3404A5
        for <target@target.com>; Sat, 27 Aug 2016 09:59:23 +0200 (CEST)
```
Halacs

2 Answers


What does the DMARC TXT record look like? Is it something like this?

```
_dmarc.example.com. 21599 IN    TXT "v=DMARC1\;p=none\;sp=reject\;pct=100\;rua=mailto:dmarc@example.com"
```
Neil Anuskiewicz
  • Yes, on both sides, the DMARC record looks like your example. I would have asked whether the validation headers' order, so just the order, is correct. AFAIK I should read email headers from bottom to top, which means DMARC validation was earlier than SPF validation, which is strange because DMARC means DKIM validation at first, then SPF, and if one of them failed or both of them pass it can finish the whole DMARC validation. – Halacs Sep 02 '16 at 05:53
  • I don't think he's missing a DMARC record unless it's misconfigured. Is it **_dmarc** as the host that it points to? It'd be cool if you'd post it, as it's easy to make an error in those that's subtle. DMARC is kind of like the policy wonk and SPF and DKIM are kind of middle managers carrying out the policies as best they can. So I think you could think of DMARC as being higher level than SPF and DKIM. Essential, as SPF and DKIM sort of lack teeth without DMARC policies at ISPs and the like, and you, too, for your incoming mail. So I would think DMARC first. – Neil Anuskiewicz Sep 02 '16 at 06:55
  • I think that your DMARC first thing first makes sense, to me anyway, as you ask the boss what the goal is first before you go out and start soft failing or hard failing email, man. Did you validate DMARC? Here are some [DMARC tools, including validation](https://dmarc.org/resources/deployment-tools/). What I don't understand is why people don't post everything that could be relevant. I often feel like I have one hand tied behind my back, missing what to me seems important, in this case at least the _DMARC. In other posts someone asked about their zone file but didn't post it. Why not? – Neil Anuskiewicz Sep 02 '16 at 07:03

The result contains

dmarc=none

It seems that you are missing a DMARC record, so you won't see any SPF and DKIM related information in it.

Gnought
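
As an added example (not part of any post above, and not code from Postfix, OpenDKIM or OpenDMARC): a small Python parser that lists which SPF, DKIM and DMARC results a message's headers actually record, in top-to-bottom order, and which methods have no result at all. The function names are made up for this illustration, and the sample is the header block from the question with an empty body appended.

```python
import re
from email import message_from_string

# Constructed sample: the header block from the question plus an empty body.
SAMPLE = """\
Delivered-To: target@target.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.2.3.4; helo=mail.source.com; envelope-from=me@source.com; receiver=target@target.com
Authentication-Results: mail.target.com; dmarc=none header.from=source.com
Received: from mail.source.com (mail.source.com [1.2.3.4])
        by mail.target.com (Postfix) with ESMTPS id A818B3404A5
        for <target@target.com>; Sat, 27 Aug 2016 09:59:23 +0200 (CEST)

"""

METHODS = ("spf", "dkim", "dmarc")
# method=result pair at the start of one Authentication-Results clause
PAIR = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)

def strip_comments(value):
    """Remove RFC 5322 (comments), including nested ones."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def auth_results(raw):
    """Return [(position, header, method, result)] in top-to-bottom order."""
    found = []
    for pos, (name, value) in enumerate(message_from_string(raw).items()):
        value = strip_comments(" ".join(value.split()))  # unfold, drop comments
        words = value.split()
        if name.lower() == "received-spf" and words:
            found.append((pos, name, "spf", words[0].lower()))
        elif name.lower() == "authentication-results":
            # first clause is the authserv-id; the rest are method results
            for clause in value.split(";")[1:]:
                m = PAIR.match(clause)
                if m:
                    found.append((pos, name, m.group(1).lower(), m.group(2).lower()))
    return found

def missing_methods(raw):
    """Methods from METHODS for which no header carries a result."""
    seen = {method for _, _, method, _ in auth_results(raw)}
    return [m for m in METHODS if m not in seen]

if __name__ == "__main__":
    print(auth_results(SAMPLE), "missing:", missing_methods(SAMPLE))
```

On the question's headers this reports an SPF result from `Received-SPF`, a DMARC result from `Authentication-Results`, and no DKIM result anywhere.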