Problem with SPF, DKIM or Mailman-DMARC settings
Dear Mailman-Users,
I have a Mailman instance running on a vServer with Plesk, but am using email services from my provider (different IP and MX-Domain than the Mailman machine). Emails in the format name@domain.tld generally seem to work. However, when I send an email from the same address to one of my Mailman lists at subdomain.domain.tld, I get many bounces for members who will eventually be removed from the list.
My question is: What is wrong here, my SPF or DKIM settings OR my Mailman-DMARC settings?
My Mailman-DMARC settings are the following:
from_is_list: No
anonymous_list: No
dmarc_moderation_action: Munge from
dmarc_quarantine_moderation_action: Yes
dmarc_none_moderation_action: No
From Google I received reports of which the following XML is a clipping:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    ...
  </report_metadata>
  <policy_published>
    <domain>subdomain.domain.tld</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>123.456.78.90</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>forwarded</type>
          <comment>looks forwarded, downgrade to quarantine with phishing warning</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>subdomain.domain.tld</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>subdomain.domain.tld</domain>
        <result>fail</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>subdomain.domain.tld</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>123.456.789.0</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>forwarded</type>
          <comment>looks forwarded, downgrade to quarantine with phishing warning</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>subdomain.domain.tld</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>subdomain.domain.tld</domain>
        <result>fail</result>
        <selector>default</selector>
      </dkim>
      <spf>
        <domain>some.random.domain.name</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
Thanks for your help! CK
Kala Balik writes:
Dear Mailman-Users,
I have a Mailman instance running on a vServer with Plesk, but am using email services from my provider (different IP and MX-Domain than the Mailman machine). Emails in the format name@domain.tld generally seem to work. However, when I send an email from the same address to one of my Mailman lists at subdomain.domain.tld, I get many bounces for members who will eventually be removed from the list.
My question is: What is wrong here, my SPF or DKIM settings
Can't speak to those, but only guess, since you don't provide them. SPF is irrelevant to mailman; it will always fail unless the original sender and the mailing list use the same IP address. My guess is that there is a problem with your DKIM setup, see below.
OR my Mailman-DMARC settings?
My Mailman-DMARC settings are the following:
from_is_list: No
anonymous_list: No
dmarc_moderation_action: Munge from
dmarc_quarantine_moderation_action: Yes
dmarc_none_moderation_action: No
These are expected and should be sufficient to prevent DMARC rejects. I do not understand the behavior you describe. Some guesses below, and a description of what I think "should" be happening. Maybe that will spark a thought as to what's going on here.
Wild guess: There is also a setting in Mailman to remove DKIM signatures. If Google is only evaluating the broken DKIM SIG#1, and not the good SIG#2, this should help. (SIG#1 and SIG#2 are explained below.)
From Google I received reports of which the following XML is a clipping:
<policy_published>
  <domain>subdomain.domain.tld</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>reject</p>
  <sp>reject</sp>
  <pct>100</pct>
</policy_published>
The Munge_from action replaces the From email address of the author with the From address of the list. Google is saying that you have set the DMARC policy for your subdomain to "p=reject". Is that correct?
Then it says
<dkim>fail</dkim>
<spf>fail</spf>
so the authentication of this message against your server has failed. I can't say why SPF failed; if there are any MXes between you and Google that would do the trick. It is strange that DKIM fails. What I would expect to happen is
1. You compose mail "From: you@subdomain.domain.tld", and pass it to your MTA.
2. The MTA signs the mail with DKIM (SIG#1), and passes the mail to Mailman.
3. Mailman adds stuff to the mail and breaks SIG#1.
4. Mailman checks your DMARC policy, which is "p=reject".
5. Mailman changes From from "you@subdomain.domain.tld" to "list@subdomain.domain.tld".
6. Mailman passes the mail (back) to the MTA.
7. The MTA signs the mail (as altered by Mailman) with DKIM (SIG#2).
8. The MTA passes the mail to Google.
9. Google checks SPF, SIG#2, and SIG#1, getting (fail, pass, fail).
#### This is what's different. Maybe Google only checks SIG#1? But DKIM signatures are treated as "trace" fields, which means that SIG#2 should come *first* in the message. So I would think if Google only checks one, that would be the one to check.
10. Google checks your DMARC policy, which is "p=reject".
11. Since SIG#2, which passed, is from subdomain.domain.tld and so is From, DMARC passes.
But for some reason DKIM fails. Without more information, I can't say why. Perhaps your MTA isn't signing outgoing from Mailman? Perhaps your submission server does the signing for individual mail and the MTA doesn't sign at all? Perhaps the signing milter in the MTA is configured before some other milter that changes things? Perhaps there's something else between the MTA Mailman talks to and Google that is altering the mail?
<reason>
  <type>forwarded</type>
  <comment>looks forwarded, downgrade to quarantine with phishing warning</comment>
</reason>
</policy_evaluated>
I'm not sure what this is about. I would expect Google to see your list traffic as list traffic, so that "looks forwarded" is normal and should not be considered a reason for quarantine. Do you have the RFC 2369 "List-*" headers enabled?
Hope this helps.
Steve
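To make the alignment question in Steve's walk-through concrete, here is an added example (not from the thread or from Mailman) that parses a DMARC aggregate report modelled on the one quoted above and reports, per source, whether any DKIM or SPF result is both "pass" and aligned with the header From under the published adkim/aspf modes. The IPs are documentation addresses and the organizational-domain shortcut (last two labels instead of the Public Suffix List) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the aggregate report quoted in the thread;
# the IPs are documentation addresses, not the poster's hosts.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>subdomain.domain.tld</domain>
<adkim>r</adkim><aspf>r</aspf><p>reject</p><sp>reject</sp></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>1</count></row>
<identifiers><header_from>subdomain.domain.tld</header_from></identifiers>
<auth_results>
<dkim><domain>subdomain.domain.tld</domain><result>fail</result></dkim>
<spf><domain>subdomain.domain.tld</domain><result>softfail</result></spf>
</auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>1</count></row>
<identifiers><header_from>subdomain.domain.tld</header_from></identifiers>
<auth_results>
<dkim><domain>subdomain.domain.tld</domain><result>fail</result></dkim>
<spf><domain>some.random.domain.name</domain><result>pass</result></spf>
</auth_results></record>
</feedback>"""

def org_domain(name):
    """Approximate the organizational domain as the last two labels
    (assumption: real evaluators consult the Public Suffix List)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r'
    (the adkim/aspf values in the report) only the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate_report(xml_text):
    """One dict per <record>: did any DKIM or SPF result give an
    *aligned* pass, which is what DMARC needs in order to pass at all."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    out = []
    for rec in root.findall("record"):
        hdr = rec.findtext("identifiers/header_from")
        dkim = any(d.findtext("result") == "pass" and aligned(hdr, d.findtext("domain"), adkim)
                   for d in rec.findall("auth_results/dkim"))
        spf = any(s.findtext("result") == "pass" and aligned(hdr, s.findtext("domain"), aspf)
                  for s in rec.findall("auth_results/spf"))
        out.append({"source_ip": rec.findtext("row/source_ip"), "dkim_aligned": dkim,
                    "spf_aligned": spf, "dmarc_pass": dkim or spf, "policy": pol.findtext("p")})
    return out
```

The second record shows why an SPF "pass" for some.random.domain.name does not help: it is not aligned with the header From, so only a surviving, aligned DKIM signature (Steve's SIG#2) could make DMARC pass.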
On 11/5/20 4:54 PM, Kala Balik wrote:
My question is: What is wrong here, my SPF or DKIM settings OR my Mailman-DMARC settings?
I suspect it is your DKIM signing settings that sign the mail if it is To: name@domain.tld but not if it is To: name@subdomain.domain.tld.
Are you signing with opendkim? If so, what are your opendkim.conf settings for SenderHeaders and SigningTable and what is the content of the file referred to by SigningTable?
--
Mark Sapiro <mark@msapiro.net>
San Francisco Bay Area, California
The highway is for gamblers, better use your sense - B. Dylan