"Michael" <confabul...@kintzios.com>, 07.04.2020, 19:10:
> This thread has been covered in depth for a while now, but I noticed something
> noteworthy.
>
> On Monday, 6 April 2020 19:13:06 BST Stefan Schmiedl wrote:
>>
>> And here's an example for J. Roeleveld's observed missed original
>> messages:
>>
>> A few days ago I sent a message to this list. As usual, I received
>> a bunch of DMARC reports from mailservers rejecting the messages.
>>
>> > From: "Seznam.cz" <forensicdm...@seznam.cz>
>> > This is a spf/dkim authentication-failure report for an email message
>> > received
>> > from IP 208.92.234.80 on Sun, 05 Apr 2020 22:14:23 +0200.
>> >
>> > The message below did not meet the sending domain's dmarc policy.
>
> The reason your message was *rejected*, rather than failed to be delivered/
> gone missing, was because there is a DKIM failure in its headers. This is not
> the non-delivery failure Joost was talking about when an MX server has gone
> offline.

As I understood it, were I someb...@seznam.cz, I would not have received
the original message but only the replies to it, hence observing the same
strange behaviour of "missed original message but received replies" due to
issues completely out of somebody's control.

>> The headers of that rejected message start with
>>
>> > Received: from lists.gentoo.org (unknown [208.92.234.80])
>> >
>> > by email-smtpd3.ng.seznam.cz (Seznam SMTPD 1.3.108) with ESMTP;
>> > Sun, 05 Apr 2020 22:14:22 +0200 (CEST)
>>
>> This means that folks @seznam.cz (among others) will not get to see
>> this message unless somebody replies to it from a domain that uses
>> a less restrictive combination of SPF, DKIM and DMARC rules.
>
> I would think the @seznam.cz recipient server obliges by following the DMARC
> policy published, but ... the tag "p=none" in _dmarc.xss.de TXT means it
> should neither reject, nor quarantine the message.

:-/

It's been a while since I set this up, but according to RFC 7489,
section 6.7 "policies of "p=none" SHOULD NOT modify existing mail
disposition processing", which I understood as "the receiver can do what
it wants, but I get notified about DMARC related problems".

I'll update the record to quarantine and see what breaks.

> In other messages the 'bh=' hash is before the 'h=' string. The sequence of
> tags is:
>
> bh=.....;
> h=......;
> b=.......
>
> In Stefan's message the sequence is different:
>
> h=......;
> bh=.....;
> b=.......
>
> Perhaps the order in which recipient servers parse the headers causes the DKIM
> check to fail?

I really hope that is not the case, as the sequence is whatever exim uses
as its default sequence. Outgoing mail uses this transport:

remote_smtp:
  driver = smtp
  dkim_domain = ${lc:${domain:$h_from:}}
  dkim_selector = s1
  dkim_private_key = CONFDIR/dkim/dkim.private.key
  dkim_canon = relaxed

> This is what I see here in the headers delivered by Stefan via the gentoo-
> user M/L:
>
> Authentication-Results: <my_Vhost_server>;
> dkim=fail header.d=xss.de; <== DKIM checks failed ==
> spf=pass (sender IP is 208.92.234.80)
> [snip ...]

The problem could be that the header list includes things like

h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

which are not in my original message but are added by the mailing list
software. So if you received one of my DKIM-signed messages directly, the
signature would work, but if you received it after it passed through a
mailing list, your DKIM check would fail because it would include List-Id
in the test and the test would fail.

Michael, you should receive two copies of this message, one via the list,
one directly. Could you do me the favour and let me know (offline) what the
Authentication-Results for both messages look like?

Thanks,
s.