forum emails fail DMARC validation

virtualhuman
Posts: 53
Joined: 22. Jan 2013, 22:11

Post by virtualhuman »

I noticed that the forum emails fail to reach me, because they fail DMARC validation:

opendmarc fails with:

opendmarc[607]: 325614123C: SPF(mailfrom): virtualbox.org none
opendmarc[607]: 325614123C: virtualbox.org fail

and even if the email reaches spamassassin, it fails there as well:

spamd: result: Y 48 - AUTHRES_DMARC_FAIL,SPF_HELO_NONE,SPF_NONE

These days having valid SPF+DMARC+DKIM is quite important, maybe someone could tell the owners of the forum server to take a look at the issue?

Thank you.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: forum emails fail DMARC validation

Post by scottgus1 »

I'll pass this on to the admins. There are some folks who say they're unable to get forum emails, this could be it.
klaus
Oracle Corporation
Posts: 1115
Joined: 10. May 2007, 14:57

Re: forum emails fail DMARC validation

Post by klaus »

This is a known issue, and will hopefully be resolved in some months as part of an overall service migration. Can't predict at the moment exactly when it will be done.

I can't see any IETF standard which requires DMARC (or SPF), so anyone declaring mails as spam just because these are missing is doing this based on their personal decision.

On my personal email server I believe I'm using a vanilla spamassassin config (current version, using the Debian package which usually doesn't wildly change defaults), and for email sent by virtualbox.org I don't see AUTHRES_DMARC_FAIL,SPF_HELO_NONE,SPF_NONE, and the mail isn't flagged as spam.
virtualhuman
Posts: 53
Joined: 22. Jan 2013, 22:11

Re: forum emails fail DMARC validation

Post by virtualhuman »

But, the domain virtualbox.org has a DMARC record (with p=none), so someone put it there...

With p=none, it gives the receiver of the domain the option to choose if an email will be rejected on DMARC fail, thus my email server will definitely reject virtualbox.org emails due to this failure. I suppose others have a similar setup.

Here is the template of my postfix configuration

And here is the template of my spamassassin configuration

I also know that gmail and hotmail have started placing such emails to the spam folder, but I don't know if they reject them entirely, this needs further investigation.
scottgus1
Site Moderator
Posts: 20965
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: forum emails fail DMARC validation

Post by scottgus1 »

virtualhuman wrote: gmail and hotmail have started placing such emails to the spam folder

I use a Gmail account for the forum and suddenly got all forum emails going to spam, too, some few months ago. Had to turn off the spam filter...
klaus
Oracle Corporation
Posts: 1115
Joined: 10. May 2007, 14:57

Re: forum emails fail DMARC validation

Post by klaus »

Whoa... so something actually changed in DNS since I last checked. The DMARC entry creation apparently was done without any sanity checking, because there's no SPF entry (which is a prerequisite), and the outgoing mail server doesn't sign the messages.

I don't really have time for this right now, but I can see now that I have to...
virtualhuman
Posts: 53
Joined: 22. Jan 2013, 22:11

Re: forum emails fail DMARC validation

Post by virtualhuman »

scottgus1 wrote:
virtualhuman wrote: gmail and hotmail have started placing such emails to the spam folder
I use a Gmail account for the forum and suddenly got all forum emails going to spam, too, some few months ago. Had to turn off the spam filter...

Gmail has made several changes. For example, in the past it was possible to have duplicate headers (even though they are not allowed by the RFC spec); Gmail was a bit soft on those requirements. After a recent change, emails with duplicate headers are completely rejected.

I really like SPF, it makes my life a lot better... I see thousands of fake @fedex.com emails, all failing SPF at the smtp level. SPF is awesome that way :)
klaus
Oracle Corporation
Posts: 1115
Joined: 10. May 2007, 14:57

Re: forum emails fail DMARC validation

Post by klaus »

At last... after a lot of detours (the prep work wasn't that bad, other things were in the way) virtualbox.org has both an SPF and DMARC record, with the DMARC one enforcing signed messages (they've been all signed since sometime last year already). The first DNS change was on Friday (and unfortunately ended with syntactically incorrect SPF and DMARC entries), and the follow-up one about 24 hours ago resolved this for good I hope.
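
Added example, not part of the thread or of the forum's tooling: a pre-publication sanity check for the two failure modes discussed above, a DMARC record published with nothing to authenticate against and SPF/DMARC records with syntax errors. The records and the domain data are constructed placeholders, not the forum's real DNS entries.

```python
import re

SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DMARC_POLICIES = {"none", "quarantine", "reject"}

def check_spf(txt):
    """Syntax problems in one SPF TXT record (terms as defined in RFC 7208)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    problems = []
    for term in terms[1:]:
        # optional qualifier, then a name, then an optional :arg, /cidr or =value
        m = re.fullmatch(r"[+\-~?]?([A-Za-z][\w.-]*)([:/=].*)?", term)
        if not m:
            problems.append(f"SPF: unparseable term {term!r}")
        elif (m.group(2) or "").startswith("="):
            continue  # modifier such as redirect=; unknown modifiers are ignored
        elif m.group(1).lower() not in SPF_MECHANISMS:
            problems.append(f"SPF: unknown mechanism {term!r}")
    return problems

def check_dmarc(txt):
    """Syntax problems in one DMARC TXT record (tag list as in RFC 7489)."""
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    pairs = [tuple(s.strip() for s in t.partition("=")[::2]) for t in tags]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["DMARC: record does not start with v=DMARC1"]
    problems = [f"DMARC: tag {t!r} has no value" for t in tags if "=" not in t]
    policy = dict(pairs).get("p")
    if policy is None:
        problems.append("DMARC: required tag p= is missing")
    elif policy.lower() not in DMARC_POLICIES:
        problems.append(f"DMARC: invalid policy p={policy}")
    return problems

def sanity_check(spf_records, dmarc_record, dkim_signing):
    """A DMARC record needs an aligned SPF or DKIM pass to be satisfiable."""
    problems = check_dmarc(dmarc_record)
    if len(spf_records) > 1:
        problems.append("SPF: more than one v=spf1 record (permerror)")
    for record in spf_records:
        problems += check_spf(record)
    if not spf_records and not dkim_signing:
        problems.append("DMARC published, but no SPF record and no DKIM signing")
    return problems

# Constructed records for a placeholder sender, not the forum's real DNS data.
BEFORE = sanity_check([], "v=DMARC1; p=none", dkim_signing=False)
BROKEN = sanity_check(["v=spf1 ipv4:192.0.2.10 -all"], "v=DMARC1; p=rejct", True)
FIXED = sanity_check(["v=spf1 ip4:192.0.2.10 -all"], "v=DMARC1; p=reject", True)
```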
virtualhuman
Posts: 53
Joined: 22. Jan 2013, 22:11

Re: forum emails fail DMARC validation

Post by virtualhuman »

This is the very first time I actually received an email from this forum:

dmarc=pass (p=reject dis=none) header.from=virtualbox.org
spf=pass smtp.mailfrom=virtualbox.org
dkim=pass (2048-bit key, unprotected) header.d=virtualbox.org header.i=@virtualbox.org header.a=rsa-sha256 header.s=virtualbox-2022-09 header.b=XY2qRVej
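
Added example, not part of the post above: how a receiver arrives at the DMARC verdict from the SPF and DKIM results, applied to the lines quoted in that post and to two constructed inputs. The function names are hypothetical, and alignment is approximated by a parent/child domain comparison instead of a Public Suffix List lookup.

```python
import re

def parse_authres(lines):
    """Map each method (spf, dkim, dmarc) to its result and ptype.property values."""
    out = {}
    for line in lines:
        m = re.match(r"\s*(\w+)=(\w+)", line)
        if m:
            props = dict(re.findall(r"\b((?:header|smtp)\.\w+)=(\S+)", line))
            out[m.group(1)] = {"result": m.group(2), **props}
    return out

def aligned(identity, header_from):
    """Relaxed alignment, approximated: same domain or a parent/child of it.
    Assumption: real verifiers compare organizational domains via the PSL."""
    a = identity.rpartition("@")[2].lower().rstrip(".")
    b = header_from.lower().rstrip(".")
    return bool(a) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def dmarc_verdict(auth, header_from):
    """DMARC passes when SPF or DKIM passes AND its domain aligns with From:."""
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_ok = (spf.get("result") == "pass"
              and aligned(spf.get("smtp.mailfrom", ""), header_from))
    dkim_ok = (dkim.get("result") == "pass"
               and aligned(dkim.get("header.d", ""), header_from))
    return "pass" if spf_ok or dkim_ok else "fail"

# Results quoted in the post above.
AFTER_FIX = [
    "dmarc=pass (p=reject dis=none) header.from=virtualbox.org",
    "spf=pass smtp.mailfrom=virtualbox.org",
    "dkim=pass (2048-bit key, unprotected) header.d=virtualbox.org "
    "header.i=@virtualbox.org header.a=rsa-sha256 header.s=virtualbox-2022-09",
]
# Constructed: the state shown by the first post's opendmarc log (SPF none, unsigned).
BEFORE_FIX = ["spf=none smtp.mailfrom=virtualbox.org"]
# Constructed: SPF passes, but for a third-party bounce domain that does not align.
UNALIGNED = ["spf=pass smtp.mailfrom=bounces.mailer.example"]

def verdicts(header_from="virtualbox.org"):
    cases = {"after": AFTER_FIX, "before": BEFORE_FIX, "unaligned": UNALIGNED}
    return {k: dmarc_verdict(parse_authres(v), header_from) for k, v in cases.items()}
```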