Gerben,
Note that the HELO string is only ever processed for DMARC if MAIL FROM
is <> and, even then, not all implementations process it at all (it's
dependent upon the behaviour of the underlying SPF implementation).
The <spf><domain> tag is telling you that the return path is
{something}@mail.mydomain.tld [1]
<header_from>dumbledore.mydomain.tld</header_from> tells you that the
From: header contains {something}@dumbledore.mydomain.tld, not the HELO
string or MAIL FROM domain.
Generally this means that the program that generated the message used
this domain and your MTA simply passed it through.
- Roland
1: or the return path is <> and the HELO string is mail.mydomain.tld,
and Yahoo!'s SPF implementation reports that to DMARC
------------------------------------------------------------------------
On 18/05/18 21:39, Gerben Wierda via dmarc-discuss wrote:
I’m setting up DMARC for my mail server. I tried sending a mail to an
account on the icloud.com domain (which reports DMARC) and there I see:
Received-Spf: pass (mr21p00im-spfmilter004.me.com: domain of myn...@mydomain.tld
designates XXX.XXX.XXX.XXX as permitted sender) receiver=mr21p00im-spfmilter004.me.com;
client-ip=XXX.XXX.XXX.XXX; helo=mail.mydomain.tld; envelope-from=myn...@mydomain.tld
X-Dmarc-Info: pass=pass; dmarc-policy=none; s=r1; d=r0
X-Dmarc-Policy:
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:dm...@mydomain.tld,mailto:re+vghcolsq...@dmarc.postmarkapp.com
Received: from mr11p00im-smtpin012.mac.com ([17.110.69.200]) by
ms20524.mac.com (Oracle Communications Messaging Server 8.0.1.3.20170906
64bit (built Sep 6 2017)) with ESMTP id <0p8x00kcde2dm...@ms20524.mac.com>
for myn...@icloud.com; Fri, 18 May 2018 13:13:25 +0000 (GMT)
Received: from mail.mydomain.tld (mail.mydomain.tld [XXX.XXX.XXX.XXX])
by mr11p00im-smtpin012.me.com (Oracle Communications Messaging Server
8.0.1.2.20170607 64bit (built Jun 7 2017)) with ESMTPS id
<0p8x00h3ve2al...@mr11p00im-smtpin012.me.com> for myn...@icloud.com
(ORCPT myn...@icloud.com); Fri, 18 May 2018 13:13:24 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1]) by mail.mydomain.tld
(Postfix) with ESMTP id 57F0B261CB53 for <myn...@icloud.com>;
Fri, 18 May 2018 15:13:21 +0200 (CEST)
Received: from mail.mydomain.tld ([127.0.0.1]) by localhost
(dumbledore.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP id b6L6g5ttGPiH for <myn...@icloud.com>; Fri, 18 May 2018 15:13:19 +0200 (CEST)
Received: from [192.168.169.103] (d4b27fea.static.ziggozakelijk.nl
[212.178.127.234]) by mail.mydomain.tld (Postfix) with ESMTPSA id
057A3261CB45 for <myn...@icloud.com>; Fri, 18 May 2018 15:13:18 +0200 (CEST)
But I also got an aggregate report from Yahoo that suggests something
is wrong:
<?xml version="1.0"?>
<feedback>
<report_metadata>
<org_name>Yahoo! Inc.</org_name>
<email>postmas...@dmarc.yahoo.com</email>
<report_id>1526605741.475970</report_id>
<date_range>
<begin>1526515200</begin>
<end>1526601599 </end>
</date_range>
</report_metadata>
<policy_published>
<domain>mydomain.tld</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>XXX.XXX.XXX.XXX</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>quarantine</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>dumbledore.mydomain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain></domain>
<result>neutral</result>
</dkim>
<spf>
<domain>mail.mydomain.tld</domain>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>
This seems to suggest that Yahoo received an email from my MTA at IP
address XXX.XXX.XXX.XXX (which is the correct IP of mail.mydomain.tld)
but the header was dumbledore.mydomain.tld. Is that correct? That is
weird, because my mail server is set to use 'helo mail.mydomain.tld'.
So, apparently, it seems some program on my server is trying to send
mail to a yahoo MTA bypassing my mail server, correct? If so, it is an
unexpected catch. But I need to know if it is correct.
Thanks in advance
Gerben
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
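Added example (not part of the thread): a small Python reader for aggregate reports like the Yahoo! one above, applying Roland's reading of the tags: `<header_from>` is the From: domain, `<spf><domain>` is the return-path (or HELO) domain, and the two are compared under the published alignment mode. It assumes a constructed copy of the report with a placeholder IP and an added `<sp>quarantine</sp>` (taken from the X-Dmarc-Policy header, since the report itself omits it), and uses a last-two-labels organizational-domain heuristic rather than the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Yahoo! report quoted in the thread
# (placeholder IP; <sp> added from the published sp=quarantine policy so its
# effect on a subdomain From: address can be shown).
SAMPLE_REPORT = """<feedback><policy_published><domain>mydomain.tld</domain>
<adkim>r</adkim><aspf>r</aspf><p>none</p><sp>quarantine</sp><pct>100</pct>
</policy_published><record><row><source_ip>192.0.2.10</source_ip><count>1</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim>
<spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>dumbledore.mydomain.tld</header_from></identifiers>
<auth_results><dkim><domain></domain><result>neutral</result></dkim>
<spf><domain>mail.mydomain.tld</domain><result>none</result></spf>
</auth_results></record></feedback>"""


def org_domain(name):
    """Last-two-labels heuristic (assumption: a real verifier uses the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same org domain.
    An empty authenticated domain (DKIM neutral above) never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def analyse(report_xml):
    """Per <record>: alignment, pass/fail, and which published policy applied."""
    root = ET.fromstring(report_xml)
    pub = root.find("policy_published")
    pol_domain = pub.findtext("domain").lower()
    verdicts = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        spf_dom = rec.findtext("auth_results/spf/domain") or ""
        dkim_dom = rec.findtext("auth_results/dkim/domain") or ""
        spf_al = aligned(hf, spf_dom, pub.findtext("aspf", "r"))
        dkim_al = aligned(hf, dkim_dom, pub.findtext("adkim", "r"))
        spf_ok = spf_al and rec.findtext("auth_results/spf/result") == "pass"
        dkim_ok = dkim_al and rec.findtext("auth_results/dkim/result") == "pass"
        # Exact policy domain -> p; a subdomain -> sp if published, else p.
        is_sub = hf.lower() != pol_domain and hf.lower().endswith("." + pol_domain)
        policy = (pub.findtext("sp") or pub.findtext("p")) if is_sub else pub.findtext("p")
        verdicts.append({"source_ip": rec.findtext("row/source_ip"), "header_from": hf,
                         "spf_aligned": spf_al, "spf_pass": spf_ok, "dkim_aligned": dkim_al,
                         "dkim_pass": dkim_ok, "dmarc_pass": spf_ok or dkim_ok,
                         "policy_applied": policy})
    return verdicts
```

On the sample this reports SPF as aligned (relaxed mode, both identifiers share mydomain.tld) but not passing, because the result was `none`, and the subdomain From: address is what pulls in the quarantine disposition.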