Recently I've had some incoming emails be rejected by my mail server for failing DMARC checks. Upon closer inspection I noticed that the logs mentioned that the rejection was because OpenDMARC was applying my policy instead of the sender's policy. A, slightly redacted, example of a failed exchange sending mail from info@random.tld
to random.tld@mydomain.tld
would be
postfix/smtpd[19698]: connect from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]
postfix/smtpd[19698]: Anonymous TLS connection established from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
policyd-spf[19706]: Pass; identity=helo; client-ip=40.107.8.52; helo=eur04-vi1-obe.outbound.protection.outlook.com; envelope-from=info@random.tld; receiver=random.tld@mydomain.tld
policyd-spf[19706]: Pass; identity=mailfrom; client-ip=40.107.8.52; helo=eur04-vi1-obe.outbound.protection.outlook.com; envelope-from=info@random.tld; receiver=random.tld@mydomain.tld
postfix/smtpd[19698]: 3578F66A0006: client=mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]
postfix/cleanup[19707]: 3578F66A0006: message-id=<AM5PR0201MB22602B5B4998B49514A63C76B2540@AM5PR0201MB2260.eurprd02.prod.outlook.com>
opendkim[598]: 3578F66A0006: mail-eopbgr80052.outbound.protection.outlook.com [40.107.8.52] not internal
opendkim[598]: 3578F66A0006: not authenticated
opendkim[598]: 3578F66A0006: failed to parse Authentication-Results: header field
opendkim[598]: 3578F66A0006: DKIM verification successful
opendkim[598]: 3578F66A0006: s=selector1-random.tld d=random.onmicrosoft.com SSL
opendmarc[605]: implicit authentication service: mail.mydomain.tld
opendmarc[605]: 3578F66A0006 ignoring Authentication-Results at 1 from vps.mydomain.tld
opendmarc[605]: 3578F66A0006: mydomain.tld fail
postfix/cleanup[19707]: 3578F66A0006: milter-reject: END-OF-MESSAGE from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52]: 5.7.1 rejected by DMARC policy for mydomain.tld; from=<info@random.tld> to=<random.tld@mydomain.tld> proto=ESMTP helo=<EUR04-VI1-obe.outbound.protection.outlook.com>
postfix/smtpd[19698]: disconnect from mail-eopbgr80052.outbound.protection.outlook.com[40.107.8.52] ehlo=2 starttls=1 mail=1 rcpt=1 data=0/1 quit=1 commands=6/7
Note the third line from the bottom. In this specific case the sender does not have their own DMARC policy. Other emails send from info@random.tld
tend to arrive just fine.
In the last year it has also failed once on forwarding my work account and once forwarding my university account.
Can this behavior be caused by a certain (mis)configuration on either end, or is this a bug?
I am running OpenDMARC version 1.3.1. With the following config, trimmed for clarity:
## AuthservID (string)
## defaults to MTA name
#
AuthservID mail.mydomain.tld
PidFile /var/run/opendmarc.pid
## RejectFailures { true | false }
## default "false"
##
RejectFailures true
Syslog true
UserID opendmarc:opendmarc
PublicSuffixList /usr/share/publicsuffix/
IgnoreAuthenticatedClients true