On 15.08.2016 at 18:12, Pat Suwalski wrote:
> Hello,
>
> I've looked in every corner of the internet for a solution to this
> seemingly simple problem I'm having.
>
> Last week, I started signing mail with opendkim, and hope to have DMARC
> fully implemented for all of my domains.
>
> I host dozens of domains, and send all of their mail through a single
> outward-facing postfix server (we'll call it mymailserver.com).
>
> At this point, everything works with DKIM, but DMARC fails because
> Postfix's "MAIL FROM" envelope does not match the domain name from the
> numerous hosted domains. I believe "MAIL FROM" uses the $mydomain, which
> in this case is "mymailserver.com".
>
> The DMARC reports come back with:
>
> <record>
>   <row>
>     <source_ip>11.22.33.44</source_ip>
>     <count>1</count>
>     <policy_evaluated>
>       <disposition>none</disposition>
>       <dkim>pass</dkim>
>       <spf>fail</spf>
>     </policy_evaluated>
>   </row>
>   <identifiers>
>     <header_from>somedomain.com</header_from>
>   </identifiers>
>   <auth_results>
>     <dkim>
>       <domain>somedomain.com</domain>
>       <result>pass</result>
>     </dkim>
>     <spf>
>       <domain>mymailserver.com</domain>
>       <result>pass</result>
>     </spf>
>   </auth_results>
> </record>
>
> As you can see, although DKIM and SPF pass individually, the DMARC
> policy still marks SPF as "fail" simply because the 5322.From is
> "somedomain.com" and 5321.MailFrom is "mymailserver.com".
>
> Is there a simple directive to give Postfix so that it always passes
> "MAIL FROM" matching the "From" for trusted hosts?
>
> Thanks a million,
> --Pat

I am not sure what your problem is (do you mean sending reports with
strict SPF?). However, have a look at this too in your concept:

https://tools.ietf.org/html/rfc7489

7.1. Verifying External Destinations

...

For example, if a DMARC policy query for "blue.example.com" contained
"rua=mailto:repo...@red.example.net", the host extracted from the
latter ("red.example.net") does not match "blue.example.com", so this
procedure is enacted. A TXT query for
"blue.example.com._report._dmarc.red.example.net" is issued. If a
single reply comes back containing a tag of "v=DMARC1", then the
relationship between the two is confirmed.

Best Regards
MfG Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, District Court München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein