In one version you also havedkim=pass (1024-bit key; unprotected)
header.d=amazon.de
[email protected] header.b=AOE4Rr31
which is an aligned pass because marketplace.amazon.de inherits amazon.de's
record which doesn't specify strictness of alignment and therefore defaults to
relaxed.
You actually have both multiple results in a single Authentication-Results
header and multiple Authentication-Results headers.
Elizabeth
On Tuesday, June 16, 2015 11:03 AM, A. Schulze via dmarc-discuss
<[email protected]> wrote:
Hello John,
John Levine via dmarc-discuss:
> It looks fine.
in which sense?
- RFC5322.From is "amazon.DE"
- SPF pass for "bounces.amazon.COM"
- DKIM pass for "amazonses.COM"
so neither SPF nor DKIM is aligned. according to the published record
the message should be quarantined:
$ opendmarc-check amazon.de
DMARC record for amazon.de:
Sample percentage: 100
DKIM alignment: relaxed
SPF alignment: relaxed
Domain policy: quarantine
Subdomain policy: unspecified
Aggregate report URIs:
mailto:[email protected]
Forensic report URIs:
mailto:[email protected]
> How does your code pass the DKIM validation results to the DMARC code?
it's a bunch of milters plugged to postfix:
smf-spf + opendkim + opendmarc
>> Authentication-Results: idvmailin13.datevnet.de;
>> dkim=pass (1024-bit key; unprotected) header.d=amazonses.com
>> [email protected] header.b=IGahw/4Y
>> Authentication-Results: idvmailin13.datevnet.de;
>> spf=pass
>> smtp.mailfrom=<201506160039204c745a2b7a8d4cd89e6e312cb96417e9-cuo19kbgo1...@bounces.amazon.com>
>> smtp.helo=a0-79.smtp-out.eu-west-1.amazonses.com
>
> I have never seen an A-R implementation that added multiple headers.
> Everyone else puts all the results in one header, separated by
> semicolons. If your code reads the A-R header, that's likely the
> problem, it only expects one A-R header so it only looks at the first
> one, which in this case happens not to include a result that makes
> DMARC happy.
Oh, never thought about that. I know that scheme (separate A-R header)
since years. You're right. they may be combined to only one A-R.
But the way I use it they insert multiple A-R header.
Would be good to hear from Murray if this is the intended use-case for
OpenDMARC. In general I know OpenDMARC simply as an A-R header parser.
So my assumptions could not be completely wrong...
Andreas
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
