"Michael" <confabul...@kintzios.com>, 07.04.2020, 19:10:

> This thread has been covered in depth for a while now, but I noticed something
> noteworthy.

> On Monday, 6 April 2020 19:13:06 BST Stefan Schmiedl wrote:
>> 
>> And here's an example for J. Roeleveld's observed missed original
>> messages:
>> 
>> A few days ago I sent a message to this list. As usual, I received
>> a bunch of DMARC reports from mailservers rejecting the messages.
>> 
>> > From: "Seznam.cz" <forensicdm...@seznam.cz>
>> > This is a spf/dkim authentication-failure report for an email message
>> > received from IP 208.92.234.80 on Sun, 05 Apr 2020 22:14:23 +0200.
>> > 
>> > The message below did not meet the sending domain's dmarc policy.

> The reason your message was *rejected*, rather than failed to be delivered/
> gone missing, was because there is a DKIM failure in its headers.  This is not
> the non-delivery failure Joost was talking about when an MX server has gone
> offline.

As I understood it, were I someb...@seznam.cz, I would not have
received the original message but only the replies to it, hence
observing the same strange behaviour of "missed original message
but received replies" due to issues completely out of somebody's
control.



>> The headers of that rejected message start with
>> 
>> > Received: from lists.gentoo.org (unknown [208.92.234.80])
>> > 
>> >         by email-smtpd3.ng.seznam.cz (Seznam SMTPD 1.3.108) with ESMTP;
>> >         Sun, 05 Apr 2020 22:14:22 +0200 (CEST)
>> 
>> This means that folks @seznam.cz (among others) will not get to see
>> this message unless somebody replies to it from a domain that uses
>> a less restrictive combination of SPF, DKIM and DMARC rules.

> I would think the @seznam.cz recipient server obliges by following the DMARC
> policy published, but ... the tag "p=none" in _dmarc.xss.de TXT means it
> should neither reject, nor quarantine the message.  :-/

It's been a while since I set this up, but according to RFC 7489,
section 6.7 "policies of "p=none" SHOULD NOT modify existing mail 
disposition processing", which I understood as "the receiver can
do what it wants, but I get notified about DMARC related problems".

I'll update the record to quarantine and see what breaks.

> In other messages the 'bh=' hash is before the 'h=' string.  The sequence of
> tags is:

> bh=.....;
> h=......;
> b=.......

> In Stefan's message the sequence is different:

> h=......;
> bh=.....;
> b=.......


> Perhaps the order in which recipient servers parse the headers causes the DKIM
> check to fail?

I really hope that is not the case as the sequence is whatever
exim uses as default sequence. Outgoing mail uses this transport:

  remote_smtp:
    driver = smtp
    dkim_domain = ${lc:${domain:$h_from:}}
    dkim_selector = s1
    dkim_private_key = CONFDIR/dkim/dkim.private.key
    dkim_canon = relaxed

> This is what I see here in the headers delivered by Stefan via the gentoo-
> user M/L:

> Authentication-Results: <my_Vhost_server>;
>         dkim=fail header.d=xss.de;      <== DKIM checks failed ==
>         spf=pass (sender IP is 208.92.234.80)
> [snip ...]

The problem could be that the header list includes things like

  h=...:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;

which are not in my original message but are added by the mailing list
software. So if you received one of my DKIM signed messages directly,
the signature would work, but if you received it after it passed
through a mailing list, your DKIM check would fail because it would
include List-Id in the test and the test would fail.

Michael, you should receive two copies of this message, one via the list,
one directly. Could you do me the favour and let me know (offline)
what the Authentication-Results for both messages look like?

Thanks,
s.
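To make the mechanism Stefan describes concrete, here is an added example (not code from this thread, from exim, or from any DKIM library) that rebuilds the header portion a DKIM verifier re-hashes, following the relaxed canonicalization and bottom-up field selection of RFC 6376. It works on a constructed sample message with placeholder bh= and b= values and stops at the SHA-256 hash that the RSA signature covers; it does no RSA operation and no body hash. It shows that a field named in h= but absent at signing time contributes nothing, so when the list adds List-Id and List-Unsubscribe the hash changes and verification fails, while an h= limited to fields present at signing time survives the relay. It also shows that the verifier reads tags by name, so the position of bh= relative to h= does not change what it parses.

```python
import hashlib
import re

# Relaxed header canonicalization (RFC 6376, section 3.4.2): lowercase the
# field name, unfold, collapse runs of whitespace into one space and strip
# whitespace around the value.
def relaxed_header(name, value):
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def parse_tags(sig_value):
    """Parse the tag=value list of a DKIM-Signature field into a dict.
    A verifier looks tags up by name, so the order of h=, bh= and b= in
    the field does not change what it sees."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def signed_header_block(headers, sig_value):
    """Rebuild the byte string the signer hashed and the verifier re-hashes:
    one instance of each field named in h=, chosen bottom-up (RFC 6376,
    section 5.4.2), then the DKIM-Signature field itself with b= emptied.
    A name in h= that has no matching field contributes nothing, which is
    how a field added later by a relay changes the hash."""
    tags = parse_tags(sig_value)
    unused = list(headers)  # (name, value) pairs in message order
    block = ""
    for wanted in tags["h"].split(":"):
        for i in range(len(unused) - 1, -1, -1):
            if unused[i][0].lower() == wanted.lower():
                block += relaxed_header(*unused.pop(i))
                break
    sig_without_b = re.sub(r"(?<![A-Za-z])b=[^;]*", "b=", sig_value)
    block += relaxed_header("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return block.encode()


def header_hash(headers, sig_value):
    """SHA-256 over the signed header block; this is the value the RSA
    signature in b= covers, so a different hash means DKIM fails."""
    return hashlib.sha256(signed_header_block(headers, sig_value)).hexdigest()


# Constructed sample message; addresses and values are not from a real mail.
ORIGIN_HEADERS = [
    ("From", "Stefan <stefan@example.org>"),
    ("To", "list@lists.example"),
    ("Subject", "DKIM and mailing lists"),
    ("Date", "Sun, 05 Apr 2020 22:14:00 +0200"),
]

# Fields a list manager typically adds while relaying (constructed values).
LIST_ADDED_HEADERS = [
    ("List-Id", "<list.lists.example>"),
    ("List-Unsubscribe", "<mailto:list-unsubscribe@lists.example>"),
]

# Signature naming List-* fields in h= although none existed at signing
# time, as described for the exim default. bh= and b= are placeholders.
SIG_NAMING_LIST_FIELDS = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=s1; "
    "h=From:To:Subject:Date:List-Id:List-Unsubscribe; "
    "bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER="
)

# Same signature, but h= limited to fields present when the mail was signed.
SIG_PRESENT_FIELDS_ONLY = SIG_NAMING_LIST_FIELDS.replace(
    ":List-Id:List-Unsubscribe", ""
)


def survives_list_relay(sig_value):
    """True when the header hash computed at the recipient, after the list
    has added its fields, still equals the hash the signer computed."""
    at_origin = header_hash(ORIGIN_HEADERS, sig_value)
    at_recipient = header_hash(ORIGIN_HEADERS + LIST_ADDED_HEADERS, sig_value)
    return at_origin == at_recipient


if __name__ == "__main__":
    print("h= names absent List-*: verifies after list =",
          survives_list_relay(SIG_NAMING_LIST_FIELDS))   # False
    print("h= present fields only: verifies after list =",
          survives_list_relay(SIG_PRESENT_FIELDS_ONLY))  # True
```

Naming a field in h= that does not exist yet is the deliberate "oversigning" technique that stops any later hop from adding that field unnoticed; it is a protection against header injection in transit, and a mailing list that legitimately adds List-* fields is exactly the kind of hop it breaks on. For mail that is expected to pass through a list, the choices are to keep List-* out of h= at the signer, or to rely on the list re-signing with its own domain.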
