On Monday, April 04, 2016 08:59:51 PM RW wrote:
> I'm assuming that you are using these rules:
>
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
>
>
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
> __DMARC_POLICY_REJECT
>
> __DMARC_POLICY_REJECT comes from a dns look-up which says that the
> policy is to reject. The rule will then fire if neither DKIM_VALID_AU
> nor SPF_PASS hit.
>
> SPF can't be used here because there's no envelope sender, dkim
> passes but it's signed by mx.aol.com not by the domain in the
> header from address, so DKIM_VALID_AU doesn't get hit either.
>
That's invalid, though. DMARC allows a subdomain to sign the mail with a
relaxed alignment policy. The original message should have passed a DMARC
test.

> > So ultimately who's at fault here for causing this to fail? AOL? What
> > should have been done to prevent it?
>
> AOL, I guess.

Uh, no. The test is bad.
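
Added example, not part of the original message: DMARC identifier alignment as RFC 7489 section 3.1 defines it, applied to the signing domain mx.aol.com mentioned in this thread. The From domain `aol.com`, the function names, and the small suffix set standing in for the Public Suffix List are assumptions made for illustration.

```python
# Added illustration of DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Return the organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 tests the longest candidate first
        if ".".join(labels[i:]) in suffixes:
            # i == 0 means the name is itself a public suffix.
            return ".".join(labels[max(i - 1, 0):])
    # Suffix not in the list: fall back to the last two labels.
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode="r"):
    """'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def dmarc_pass(from_domain, dkim_valid_domains=(), spf_pass_domain=None,
               adkim="r", aspf="r"):
    """Pass if any valid DKIM d= domain, or the SPF-authenticated domain, aligns."""
    if any(aligned(from_domain, d, adkim) for d in dkim_valid_domains):
        return True
    return spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, aspf)


if __name__ == "__main__":
    # Case from the thread: valid DKIM signature with d=mx.aol.com, no usable SPF
    # result. The From domain aol.com is assumed for this example.
    print("relaxed:", dmarc_pass("aol.com", ["mx.aol.com"]))
    print("strict: ", dmarc_pass("aol.com", ["mx.aol.com"], adkim="s"))
```

Relaxed is the default for both `adkim` and `aspf` when the published DMARC record does not set them, so a check that only accepts an exact domain match behaves like strict mode.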
