[dmarc-discuss] Amazon email rejected by OpenDMARC but SPF & DKIM are OK

John Levine johnl at taugh.com
Tue Sep 30 04:17:50 PDT 2014

>   Authentication-Results: icecube.pnzone.net; dmarc=fail 
>   Authentication-Results: icecube.pnzone.net; dkim=pass
>     reason="1024-bit key; unprotected key"
>     header.d=amazonses.com header.i=@amazonses.com header.b=BOrJMGL0;
>     dkim-adsp=pass; dkim-atps=neutral
>The only strange thing with this email is that it contains a double 
>DKIM-Signature, the second one appearing just after the first one:

The Authentication-Results header doesn't mention the second DKIM signature,
and that's the one that matters for DMARC since it's the one with d=amazon.fr
to match from From: address.

Can you check the message to see if that signature is in fact good?  If it is,
you've probably found a bug.  I also use opendmarc and as I recall, it does
the right thing with multiple DKIM signatures so long as your MTA gives it all
the signatures. I'd start by checking the code in the MTA to be sure it does


More information about the dmarc-discuss mailing list