[dmarc-discuss] Amazon email rejected by OpenDMARC but SPF & DKIM are OK

Arnaud de Prelle arnaud at pnzone.net
Tue Sep 30 03:42:51 PDT 2014


Dear list members,

Last night, an email being sent from annonce at amazon.fr got quarantined 
on my inbound mail server.

The headers of this email states that both SPF & DKIM succeeded but 
DMARC marked it as fail and quarantined it as a consequence :

   Received-SPF: Pass (icecube.pnzone.net: domain of bounces.amazon.com 
designates 54.240.0.150 as permitted sender) client-ip=54.240.0.150; 
envelope-from="2014092923KDLU8DNWCC at bounces.amazon.com"; 
helo=a0-150.smtp-out.eu-west-1.amazonses.com; 
receiver=icecube.pnzone.net; mechanism="include:amazon.com"; 
identity=mailfrom
   DMARC-Filter: OpenDMARC Filter v1.3.0 icecube.pnzone.net 
s8TNlnH1021919
   Authentication-Results: icecube.pnzone.net; dmarc=fail 
header.from=amazon.fr
   Authentication-Results: icecube.pnzone.net; dkim=pass
     reason="1024-bit key; unprotected key"
     header.d=amazonses.com header.i=@amazonses.com header.b=BOrJMGL0;
     dkim-adsp=pass; dkim-atps=neutral

The only strange thing with this email is that it contains a double 
DKIM-Signature, the second one appearing just after the first one:

   DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
         s=shh3fegwg5fppqsuzphvschd53n6ihuv; d=amazonses.com; 
t=1412034462;
         
h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type:Feedback-ID;
         bh=VKyERykOnXuwT148K9JRiUB/yQMG2z9j51TvQm8FOv0=;
         
b=BOrJMGL0Qc0MsuAk2CZcsoMOkisE/ggL3EWt5IPaxF8M6cLBTR9MI3wIvHgAf+2T
         
0i5eYA81dJggz74BU1Z2E7E4wTdc3IFaitDeoHrpQddw8DVe9wPR7WTa7bPP6Z7lm7O
         mGzOKly8zxSLzjE7s1NMup4dDPB5uNh/v9mq/gto=
   DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
         s=5zdoyfqyfxlifezpzeq2nfprqa2dkxl2; d=amazon.fr; t=1412034462;
         h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type;
         bh=VKyERykOnXuwT148K9JRiUB/yQMG2z9j51TvQm8FOv0=;
         
b=DqaoivmnqwYCu8gsqIv0rbbYo+2Jg9N6rmsVadUZfWV2enqsypgC8i4HQ7qHv4is
         
szwWNBIH2+Dit/Um/Rw14fbQwvGYI//Dn++Fwsa6pG9wdKAHS8k2/mfnSY6Yso6urO8
         eDZjBm2jTZK5OqOhbJzfAv1vEv6//l5QrujZof4s=

All the rest looks OK.


Details of my configuration:
   root at icecube:/var/spool/mqueue# cat /etc/issue.net
   Debian GNU/Linux jessie/sid

   root at icecube:/var/spool/mqueue# uname -a
   Linux icecube.pnzone.net 3.16-2-amd64 #1 SMP Debian 3.16.3-2 
(2014-09-20) x86_64 GNU/Linux

   root at icecube:/var/spool/mqueue# dpkg -l opendmarc
   Desired=Unknown/Install/Remove/Purge/Hold
   | 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name            Version      Architecture Description
   
+++-===============-============-============-====================================
   ii  opendmarc       1.3.0+dfsg-1 amd64        Milter implementation of 
DMARC

   root at icecube:/var/spool/mqueue# dpkg -l opendkim
   Desired=Unknown/Install/Remove/Purge/Hold
   | 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name            Version      Architecture Description
   
+++-===============-============-============-====================================
   ii  opendkim        2.9.2-1      amd64        Milter implementation of 
DomainKeys

   root at icecube:/var/spool/mqueue# dpkg -l spf-milter-python
   Desired=Unknown/Install/Remove/Purge/Hold
   | 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name                                Version                
Architecture           Description
   
+++-===================================-======================-======================-============================================================================
   ii  spf-milter-python                   0.8.18-2               all     
                RFC 4408 compliant SPF Milter for Sendmail and Postfix

   root at icecube:/var/spool/mqueue# dpkg -l sendmail
   Desired=Unknown/Install/Remove/Purge/Hold
   | 
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
   |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
   ||/ Name                                Version                
Architecture           Description
   
+++-===================================-======================-======================-============================================================================
   ii  sendmail                            8.14.4-7               all     
                powerful, efficient, and scalable Mail Transport Agent 
(metapackage)

   root at icecube:/var/spool/mqueue# grep dmarc /etc/mail/sendmail.cf
   O InputMailFilters=clmilter, spfmilter, opendkim, opendmarc
   Xopendmarc, S=local:/var/run/opendmarc/opendmarc.sock
   # INPUT_MAIL_FILTER(`opendmarc', 
`S=local:/var/run/opendmarc/opendmarc.sock')

Is this a known issue or am I missing something ?

Thanks,
Arnaud.




More information about the dmarc-discuss mailing list