
This is a follow-up from "Why is my opendmarc failing pretty much everything that comes through?". I'm really struggling to understand what is going on.

Outgoing mail is verified correctly by the receiving end (e.g., Gmail). Some incoming mail seems to be verified OK by my system (e.g., from Gmail, although sometimes my system fails Gmail, not sure why).

Here is a full e-mail with all the headers as received by my mail client. This is sent from one domain that I control (unijobs.it) which has DKIM signing on, to another domain that I control (morpheu5.net) that doesn't have signing but the MTA is the same and configured to verify DKIM signatures, and DMARC with opendmarc, which also self-checks SPF records.

Return-Path: <info@unijobs.it>
Delivered-To: info@morpheu5.net
Received: from mail.morpheu5.net ([172.18.0.14])
    by 9f813b9f7008 with LMTP
    id 5tWtJGjL4luwGQAA6DItRA
    (envelope-from <info@unijobs.it>)
    for <info@morpheu5.net>; Wed, 07 Nov 2018 11:24:24 +0000
Received: from dhcp-10-248-111-49.eduroam.wireless.private.cam.ac.uk (global-5-142.nat-2.net.cam.ac.uk [131.111.5.142])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPSA id 24107100B2EB
    for <info@morpheu5.net>; Wed,  7 Nov 2018 11:24:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unijobs.it; s=mail;
    t=1541589864; bh=2smQQPcPgnXpmp5mA1IMZoy38oz3CAJ+c7rCDD9nDJM=;
    h=From:Subject:Date:To:From;
    b=QqUwksIMLQSQ9GPbHAQcPj+4YpYYp63bHw48aar2ZOrYI47qYKSMnV6gm3d/zBoH2
     ylBBuHDu5JEkpFu5bOS/6a1TwnGfhKzAWc7mpDc9ZOb63Yg3g/E4DmmISfZ494i/fQ
     6JWB2QhKqwPurPSOxjgokSWq1AfHFQbQPHVXjzfw=
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=quarantine dis=none) header.from=unijobs.it
Authentication-Results: mail.morpheu5.net; spf=fail smtp.mailfrom=info@unijobs.it
From: "Andrea Franceschini (UniJobs.it)" <info@unijobs.it>
Content-Type: text/plain;
    charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: A test message for Server Fault
Message-Id: <C28B9FE8-ECB5-4402-B3BA-0AB7F4B29B9B@unijobs.it>
Date: Wed, 7 Nov 2018 11:24:23 +0000
To: info@morpheu5.net
X-Mailer: Apple Mail (2.3445.9.1)
X-Spam-Status: No, score=3.5 required=5.0 tests=DKIM_ADSP_ALL,
    DNS_FROM_AHBL_RHSBL,UNPARSEABLE_RELAY autolearn=no autolearn_force=no
    version=3.4.0
X-Spam-Level: ***
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b

This is a drill. I repeat, this is a drill.

Please ignore.

The logs are most unhelpful:

postfix/submission/smtpd[109]: Anonymous TLS connection established from global-5-142.nat-2.net.cam.ac.uk[131.111.5.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
postfix/submission/smtpd[109]: 24107100B2EB: client=global-5-142.nat-2.net.cam.ac.uk[131.111.5.142], sasl_method=PLAIN, sasl_username=info@unijobs.it
postfix/cleanup[120]: 24107100B2EB: message-id=<C28B9FE8-ECB5-4402-B3BA-0AB7F4B29B9B@unijobs.it>
opendmarc[24]: 24107100B2EB: SPF(mailfrom): info@unijobs.it fail
opendmarc[24]: 24107100B2EB: unijobs.it fail
opendkim[25]: 24107100B2EB: DKIM-Signature field added (s=mail, d=unijobs.it)
postfix/qmgr[97]: 24107100B2EB: from=<info@unijobs.it>, size=849, nrcpt=1 (queue active)
postfix/lmtp[121]: 24107100B2EB: to=<info@morpheu5.net>, relay=mopsmailer_dovecot[172.18.0.20]:24, delay=0.53, delays=0.47/0.02/0.02/0.02, dsn=2.0.0, status=sent (250 2.0.0 <info@morpheu5.net> 5tWtJGjL4luwGQAA6DItRA Saved)
postfix/qmgr[97]: 24107100B2EB: removed

I am a little confused by the location of the SPF and DMARC failures before the "DKIM-Signature field added" line: is it that opendmarc is trying to validate the outgoing message while it is going out, and not the inbound message while it's coming in?

If I "ignore authenticated clients" I "solve" the issue of course, but that is only because the checks aren't being performed on messages sent from my MTA to itself. In principle, validation should work nevertheless, right?

Please refer to the other question (see top) for info on configuration.

Morpheu5
  • There's no point in trying to validate SPF or DKIM on local mail. Don't even bother. – Michael Hampton Nov 07 '18 at 12:50
  • I thought this might be the case, but I still struggle to understand why. In principle, I'm serving mail for a number of independent domains; if example.com sends mail to example.net, the users may be expecting validation to be performed. Can you please elaborate? – Morpheu5 Nov 07 '18 at 12:54
  • Your local mail server is already set up to send mail for the domain. It does not need to be "validated". – Michael Hampton Nov 07 '18 at 12:55
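
Added example, not part of the original question or comments: a small log triage script that groups the Postfix lines quoted in the question by queue ID and flags messages where opendmarc logged a verdict for a SASL-authenticated submission, which is the case where SPF is evaluated against the submitting client's address rather than a sending MTA. The sample lines are copied from the log above; the function names and the record layout are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (one message, queue ID 24107100B2EB).
SAMPLE_LOG = """\
postfix/submission/smtpd[109]: 24107100B2EB: client=global-5-142.nat-2.net.cam.ac.uk[131.111.5.142], sasl_method=PLAIN, sasl_username=info@unijobs.it
postfix/cleanup[120]: 24107100B2EB: message-id=<C28B9FE8-ECB5-4402-B3BA-0AB7F4B29B9B@unijobs.it>
opendmarc[24]: 24107100B2EB: SPF(mailfrom): info@unijobs.it fail
opendmarc[24]: 24107100B2EB: unijobs.it fail
opendkim[25]: 24107100B2EB: DKIM-Signature field added (s=mail, d=unijobs.it)
postfix/qmgr[97]: 24107100B2EB: from=<info@unijobs.it>, size=849, nrcpt=1 (queue active)
"""

# program[pid]: QUEUEID: message  (search() tolerates a syslog timestamp/host prefix)
LINE_RE = re.compile(r"(?P<prog>[\w/.-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")

def summarize(log_text):
    """Group log lines by queue ID and record what each milter logged."""
    msgs = defaultdict(lambda: {"sasl_user": None, "client_ip": None,
                                "dmarc_verdicts": [], "signed_after_dmarc": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        rec, prog, msg = msgs[m["qid"]], m["prog"], m["msg"]
        if prog.endswith("smtpd"):
            ip = re.search(r"client=\S+\[([^\]]+)\]", msg)
            user = re.search(r"sasl_username=(\S+)", msg)
            if ip:
                rec["client_ip"] = ip.group(1)
            if user:
                rec["sasl_user"] = user.group(1)
        elif prog == "opendmarc":
            rec["dmarc_verdicts"].append(msg)
        elif prog == "opendkim" and "DKIM-Signature field added" in msg:
            # True when opendmarc had already logged its verdict before signing
            rec["signed_after_dmarc"] = bool(rec["dmarc_verdicts"])
    return dict(msgs)

def checked_on_submission(log_text):
    """Queue IDs where opendmarc judged mail from an authenticated client."""
    return sorted(q for q, r in summarize(log_text).items()
                  if r["sasl_user"] and r["dmarc_verdicts"])

if __name__ == "__main__":
    for qid, rec in summarize(SAMPLE_LOG).items():
        print(qid, rec)
    print("verdicts on authenticated submissions:", checked_on_submission(SAMPLE_LOG))
```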
