Koozali.org: home of the SME Server

dmarc report issue - help needed to understand

Offline SchulzStefan

  • *
  • 620
  • +0/-0
dmarc report issue - help needed to understand
« on: February 29, 2020, 11:10:04 AM »
Dear all,

I'm running an SME 9.2 up-to-date. I configured email following this how-to: https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96

Another SME 9.2 (also up-to-date) in another location with a different domain, gives a dmarc report, I don't understand:

---
This is a DMARC aggregate report for ivbonline.de

1 records.
0 passed.
1 failed.
---

Uploading the report to https://us.dmarcian.com/xml-to-human-converter/ shows:

DMARC Compliance: 0%  (SPF: 0%, DKIM: 0%)

DKIM DMARC fail
SPF DMARC fail


ivbonline.de is configured as followed:

#config show qpsmtpd
qpsmtpd=service
    BadCountries=A1,AC,AD,AE,AF,AG,AI,AL,AM...
    Bcc=enabled
    BccMode=bcc
    BccUser=maillog
    DKIMSigning=enabled
    DMARCReject=enabled
    DMARCReporting=enabled
    DNSBL=enabled
    GeoIP=enabled
    Karma=enabled
    KarmaNegative=3
    KarmaStrikes=3
    LogLevel=6
    MaxScannerSize=250000000
    RBLList=zen.spamhaus.org,bl.spamcop.net,dnsbl-1.uceprotect.net
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,rhsbl.sorbs.net,dbl.spamhaus.org,black.uribl.com
    SPFRejectPolicy=1
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=enabled
    access=public
    qplogsumm=disabled
    status=enabled

# qpsmtpd-print-dns

Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)


default._domainkey IN TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCA... t=y"
@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@ivbonline.de; pct=100"

The TXT records of the ISP are configured as followed:

v=spf1 ip4:87.140.117.154 -all (static IP for ivbonline.de)

v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-feedback@ivbonline.de; pct=100

v=DKIM1;=MIIBIjANBgkqhkiG9w0BAQEFAA...

Running the domain or an email from the domain against tools like mxtoolbox, dmarcian spf check, mail-tester, kitterman, etc. is giving no error.

At this point I've no idea what's wrong. Any help would be greatly appreciated.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #1 on: February 29, 2020, 03:55:09 PM »
I forgot to mention, that both domains/servers are mutual whitelisted.

Could the whitelisting cause the error, because the check is bypassed?
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #2 on: February 29, 2020, 05:29:52 PM »
No matter which test tool I use to check email, dkim, spf or dmarc, no error is reported. In case of mail-tester.com the result is a 10/10.

I removed the mutual whitelisting on both servers and will report later. I have no other idea.
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #3 on: March 06, 2020, 11:09:06 AM »
It seems whitelisting skips all tests. One have to be careful with whitelisting...
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #4 on: March 06, 2020, 11:57:37 AM »
I configured the TXT dmarc policy for the domain ivbonline.de as followed:

v=DMARC1; p=quarantine; rua=mailto:dmarc-feedback@ivbonline.de; ruf=mailto:dmarc-feedback@ivbonline.de; pct=100; adkim=s; aspf=r

and the spf:

v=spf1 a mx a:saturn.ivbonline.de ip4:87.140.117.154 -all

In my understanding this configuration tells any email recipients to accept email only from saturn.ivbonline.de and the static ip 87.140.117.154. In case anything is wrong, the recipient is advised to quarantine the email. Am I right?

In case I want to configure dmarc rejecting emails for my email server, i.e.

#db configuration setprop qpsmtpd DMARCReject enabled SPFRejectPolicy 2

How about emails which don't follow dmarc (dkim, spf)? Are they rejected? Quarantine? Tagged as spam? Will they be lost?

I don't understand the logic/mechanism. (In Germany) We have a lot of email traffic where dmarc is unconfigured. What sense does it make to check (and reject) those emails for dmarc, dkim and spf? Am I assuming right that the idea of dmarc needs to be configured on both ends of email? Sending and receiving?

I know that Google, Yahoo, Microsoft, Facebook, AOL, PayPal und LinkedIn and others are using dmarc. As far as I see in (Germany) most of the b2b-world has not implemented dmarc. I guess at least 80%. Emails from/to Google, Yahoo, Microsoft, Facebook, AOL, PayPal und LinkedIn are in b2b (at least for the companies I know) not important.

I'd really appreciate any comment from the email specialists in the forum to my thoughts.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: dmarc report issue - help needed to understand
« Reply #5 on: March 06, 2020, 02:29:02 PM »
It seems whitelisting skips all tests. One have to be careful with whitelisting...

That's the point of a whitelist... it skips checks :-)

It is blunt and ugly, but sometimes necessary.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: dmarc report issue - help needed to understand
« Reply #6 on: March 06, 2020, 02:50:11 PM »
I know that Google, Yahoo, Microsoft, Facebook, AOL, PayPal und LinkedIn and others are using dmarc. As far as I see in (Germany) most of the b2b-world has not implemented dmarc. I guess at least 80%. Emails from/to Google, Yahoo, Microsoft, Facebook, AOL, PayPal und LinkedIn are in b2b (at least for the companies I know) not important.

I'd really appreciate any comment from the email specialists in the forum to my thoughts.

I'm no specialist.. :-)

Regrettably email is a convoluted mess as you can see. Mainly broken by spammers.... over 50% or more of all mail being junk.

So that means half the worlds mail servers are JUST handling junk. What a ridiculous waste of time and energy.

The big players you mention believe that you should just connect to their service using an encrypted connection and do everything via their own internal systems. They don't want you playing with your own servers etc. and 'worrying' about encryption etc. Fine if you trust them.....

And you haven't even got to email encryption.... your email is only as secure as the servers it may pass through en route - there is no guarantee of encryption (see other posts in the foros on this). So the ONLY certain way is to actually encrypt each mail, which isn't so easy.

And that is why instant messaging/chat is taking over. There are obviously lots of competing standards about but they will align in time, or via federation (whereby say Whatsapp can talk to Signal can talk to Matrix etc)

They are better at attachments (remember attachments are a flakey add on to email), usually secure out of the box, usually 'instant', read receipts, and a load of other toys bells and whistles.

Email will go the way of the fax machine, and the dodo :-)

Anyways, I'd probably peruse this a bit:

https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC

You need to test and see first. And then decide accordingly.

I think you can use 0, 1, 2, and 3 - I think they will only reject if the policy dictates.


Anyway, if you want to come and talk to us then just ask me for a Rocket.Chat account where a few of us hang out.


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #7 on: March 06, 2020, 03:15:56 PM »
ReetP,

thank you very much for your time and jumping in.

Quote
https://wiki.contribs.org/Email#Inbound_DKIM_.2F_SPF_.2F_DMARC

You need to test and see first. And then decide accordingly.

I think you can use 0, 1, 2, and 3 - I think they will only reject if the policy dictates.

I read this already (and for a few days I tested to reject with the setting "1").

From the wiki:

SPFRejectPolicy (0|1|2|3|4): Default value is 0. Set the policy to apply in case of SPF failure when the sender hasn't published a DMARC policy.
Note: this is only used when no DMARC policy is published by the sender.
If there's a DMARC policy, even a "p=none" one (meaning no reject), then the email won't be rejected, even on failed SPF tests.

What does that mean exactly? Do I have to choose SPFRejectPolicy 0 if I don't want to loose emails in case the sender hasn't publish a DMARC policy? Or can I safely choose another value and won't loose emails even from senders, who didn't publish a DMARC and/or SPF policy? On the other hand - if a DMARC policy is definded, what sense does it make to define a wrong SPF policy? Really, I don't get it...

As you wrote "I think they will only reject if the policy dictates".

Is anybody out there who knows for sure?
« Last Edit: March 06, 2020, 03:24:58 PM by SchulzStefan »
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline ReetP

  • *
  • 3,722
  • +5/-0
Re: dmarc report issue - help needed to understand
« Reply #8 on: March 06, 2020, 03:17:52 PM »
But as you wrote "I think they will only reject if the policy dictates". How about those without any policy? Will they be rejected or not? I mean that's the point (at least for me). I can't afford loosing emails from customers.

Is anybody out there who knows for sure?

4: reject when an error occurred (like a syntax error in SPF entry) or if no SPF entry is published

So ONLY level 4 will reject on error.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

  • *
  • 620
  • +0/-0
Re: dmarc report issue - help needed to understand
« Reply #9 on: March 06, 2020, 05:58:41 PM »
Thank you for clarification.

I'll change my config to

#db configuration setprop qpsmtpd DMARCReject enabled SPFRejectPolicy 1

We'll see what's happen.

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)