On 2016-04-04, RW <rwmailli...@googlemail.com> wrote:

> On Mon, 4 Apr 2016 15:29:40 -0400
> Alex wrote:
>
>>>>>> Can someone help me understand why this auto-away message failed
>>>>>> the DMARC tests?
>>>>>>
>>>>>> http://pastebin.com/wXhxex92
>>>>>>
>>>>>> It looks like it passed through an AOL MX, yet SPF still
>>>>>> failed.
>>>>>
>>>>> It didn't fail SPF, it failed to pass because there's no envelope
>>>>> sender address.
>>>>
>>>> DMARC thinks in alignments. Authentication for SPF or DKIM (or both)
>>>> must be aligned with RFC5322.From.
>>>>
>>>> SPF binds RFC5321.MailFrom to an Entity. For any
>>>> DeliveryStatusNotification or Autoresponder the RFC5321.MailFrom is
>>>> required to be empty. So SPF *never* could be aligned to
>>>> RFC5322.From for such messages.
>>>
>>> FWIW automated replies are allowed to have a null address, but
>>> it's not required.
>>>
>>> The important thing is that this one didn't.
>>>
>>>> The only way to generate a DMARC=pass is DKIM. A domain owner has to
>>>> DKIM-sign DeliveryStatusNotification or Autoresponder in alignment
>>>> to the RFC5322.From.
>>>
>>> I assume the OP knows why it didn't pass DKIM since he specifically
>>> mentioned SPF.
>>
>> No, I really don't understand. I have a basic understanding of
>> DKIM/DMARC and understand it's dependent upon SPF, which is why I
>> mentioned that.
>>
>> If I recall, these are treated essentially as DSNs, correct? In these
>> cases, the From is null.
>
> What matters here is that the envelope sender was empty rather than
> why it was empty.
>
> I'm assuming that you are using these rules:
>
> https://blog.laussat.de/2014/11/06/using-dmarc-in-spamassassin-native/
>
> meta DMARC_FAIL_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
> __DMARC_POLICY_REJECT
>
> __DMARC_POLICY_REJECT comes from a dns look-up which says that the
> policy is to reject. The rule will then fire if neither DKIM_VALID_AU
> nor SPF_PASS hit.
>
> SPF can't be used here because there's no envelope sender, dkim
> passes but it's signed by mx.aol.com not by the domain in the
> header from address, so DKIM_VALID_AU doesn't get hit either.

These rules are broken, then. The default identifier alignment for DMARC
is relaxed, so mail with a valid DKIM signature from *.aol.com should
pass.

>> So ultimately who's at fault here for causing this to fail? AOL? What
>> should have been done to prevent it?
>
> AOL, I guess.

AOL is doing everything correctly.
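The alignment logic the thread argues about, as an added worked example (not code from the thread, from SpamAssassin, or from the linked blog post): it implements the RFC 7489 relaxed and strict identifier alignment checks, evaluates the auto-reply described above (header From at aol.com, a valid DKIM signature with d=mx.aol.com, a null envelope sender), and contrasts that with what the quoted meta rule effectively tests. The `organizational_domain` helper is a deliberate simplification (last two labels) standing in for a Public Suffix List lookup, the `AuthResults` fields and `naive_rule_pass` are my own constructions modelling the rule as the thread describes it, and the sample message values are constructed.

```python
"""DMARC identifier alignment (RFC 7489) and why an author-domain-only
DKIM check misses a relaxed-aligned subdomain signature.  Added example,
not from the mailing-list thread."""
from dataclasses import dataclass
from typing import Optional


def organizational_domain(domain: str) -> str:
    """Return the organizational domain of `domain`.

    SIMPLIFYING ASSUMPTION: a real implementation consults the Public
    Suffix List.  Taking the last two labels is right for aol.com and
    example.com but wrong for multi-label suffixes such as example.co.uk.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: Optional[str], from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 identifier alignment.

    mode 'r' (relaxed, the DMARC default) requires equal organizational
    domains; mode 's' (strict) requires an exact match.  A missing
    identifier (e.g. the null envelope sender of a DSN/auto-reply) never
    aligns with anything.
    """
    if not identifier_domain:
        return False
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    """Constructed summary of the authentication results for one message."""
    from_domain: str                 # domain of RFC5322.From
    mail_from_domain: Optional[str]  # domain of RFC5321.MailFrom; None for a null sender <>
    spf_pass: bool                   # SPF evaluated to pass
    dkim_d: Optional[str]            # d= of a DKIM signature that verified, None if none did


def dmarc_pass(r: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """DMARC passes if an aligned DKIM signature OR an aligned SPF pass exists."""
    dkim_ok = r.dkim_d is not None and aligned(r.dkim_d, r.from_domain, adkim)
    spf_ok = r.spf_pass and aligned(r.mail_from_domain, r.from_domain, aspf)
    return dkim_ok or spf_ok


def naive_rule_pass(r: AuthResults) -> bool:
    """Model of what the quoted meta rule tests, as the thread describes it:
    SPF_PASS, or a DKIM signature whose d= is exactly the From domain
    (the 'author domain').  This is an assumption about the rule's
    semantics, not SpamAssassin's own code."""
    dkim_author = r.dkim_d is not None and r.dkim_d.lower() == r.from_domain.lower()
    return dkim_author or r.spf_pass


# Constructed model of the message in the thread: From at aol.com, null
# envelope sender (so no SPF identifier at all), valid DKIM d=mx.aol.com.
AUTO_REPLY = AuthResults(from_domain="aol.com", mail_from_domain=None,
                         spf_pass=False, dkim_d="mx.aol.com")


if __name__ == "__main__":
    print("relaxed DMARC:", dmarc_pass(AUTO_REPLY))            # True
    print("strict adkim :", dmarc_pass(AUTO_REPLY, adkim="s"))  # False
    print("naive rule   :", naive_rule_pass(AUTO_REPLY))        # False
```

Under the default relaxed mode the mx.aol.com signature aligns with the aol.com From and DMARC passes, while the author-domain-only check rejects it; the null envelope sender means SPF can never contribute here, so a correct implementation must let the relaxed DKIM check carry the message on its own.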