On Mon, 4 Apr 2016 15:29:40 -0400 Alex wrote:

> Hi,
>
> >> >> Can someone help me understand why this auto-away message failed
> >> >> the DMARC tests?
> >> >>
> >> >> http://pastebin.com/wXhxex92
> >> >>
> >> >> It looks like it passed through an AOL MX, yet SPF still
> >> >> failed.
> >> >
> >> > It didn't fail SPF, it failed to pass because there's no envelope
> >> > sender address.
> >>
> >> DMARC thinks in alignments. Authentication for SPF or DKIM (or both)
> >> must be aligned with RFC5322.From.
> >>
> >> SPF binds RFC5321.MailFrom to an Entity. For any
> >> DeliveryStatusNotification or Autoresponder the RFC5321.MailFrom is
> >> required to be empty. So SPF *never* could be aligned to
> >> RFC5322.From for such messages.
> >
> > FWIW automated replies are allowed to have a null address, but
> > it's not required.
> >
> > The important thing is that this one didn't.
> >
> >> The only way to generate a DMARC=pass is DKIM. A domain owner has to
> >> DKIM-sign DeliveryStatusNotification or Autoresponder in alignment
> >> to the RFC5322.From.
> >
> > I assume the OP knows why it didn't pass DKIM since he specifically
> > mentioned SPF.
>
> No, I really don't understand. I have a basic understanding of
> DKIM/DMARC and understand it's dependent upon SPF, which is why I
> mentioned that.
>
> If I recall, these are treated essentially as DSNs, correct? In these
> cases, the From is null.

What matters here is that the envelope sender was empty rather than
why it was empty.

I'm assuming that you are using these rules:

https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/

    meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT

__DMARC_POLICY_REJECT comes from a DNS lookup which says that the
policy is to reject. The rule will then fire if neither DKIM_VALID_AU
nor SPF_PASS hit.

SPF can't be used here because there's no envelope sender. DKIM passes,
but it's signed by mx.aol.com, not by the domain in the header From
address, so DKIM_VALID_AU doesn't get hit either.

> So ultimately who's at fault here for causing this to fail? AOL? What
> should have been done to prevent it?

AOL, I guess.
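
The meta rule discussed above, worked through in Python as an added example (not part of the original message and not SpamAssassin's own code). The author domain author.example, the message dictionaries and the parent-domain matching used for DKIM_VALID_AU are assumptions made for illustration; only mx.aol.com and the rule expression come from the thread.

```python
from email.utils import parseaddr

def domain_of(addr):
    """Lowercased domain of an address, or None for a null sender such as <>."""
    _, a = parseaddr(addr or "")
    if "@" not in a:
        return None
    return a.rpartition("@")[2].lower() or None

def dkim_valid_au(header_from, verified_dkim_domains):
    """Simplified DKIM_VALID_AU: some verified signature has a d= equal to the
    author (header From) domain or a parent of it. Matching rule is an assumption."""
    author = domain_of(header_from)
    if author is None:
        return False
    return any(author == d.lower() or author.endswith("." + d.lower())
               for d in verified_dkim_domains)

def spf_pass(envelope_sender, spf_ok_domains):
    """SPF_PASS needs an envelope sender domain; a null sender has none to check."""
    dom = domain_of(envelope_sender)
    return dom is not None and dom in spf_ok_domains

def dmarc_fail_reject(msg, policy_reject):
    """!(DKIM_VALID_AU || SPF_PASS) && __DMARC_POLICY_REJECT, with sub-rule hits."""
    hits = {
        "DKIM_VALID_AU": dkim_valid_au(msg["header_from"], msg["dkim_domains"]),
        "SPF_PASS": spf_pass(msg["envelope_sender"], msg["spf_ok"]),
        "__DMARC_POLICY_REJECT": policy_reject,
    }
    hits["DMARC_FAIL_REJECT"] = (
        not (hits["DKIM_VALID_AU"] or hits["SPF_PASS"]) and policy_reject)
    return hits

# Constructed messages (not the pastebin content): an auto-reply with a null
# envelope sender signed only by the relay, and the same reply also signed by
# the author domain.
AUTO_REPLY = {"envelope_sender": "<>",
              "header_from": "Alice <alice@author.example>",
              "dkim_domains": ["mx.aol.com"], "spf_ok": set()}
AUTHOR_SIGNED = dict(AUTO_REPLY, dkim_domains=["mx.aol.com", "author.example"])

if __name__ == "__main__":
    for name, m in (("auto-reply", AUTO_REPLY), ("author-signed", AUTHOR_SIGNED)):
        print(name, dmarc_fail_reject(m, policy_reject=True))
```
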
