internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

DKIM applicability in case of SPF -all and DMARC p=reject #1285

Closed robinbzk closed 6 months ago

robinbzk commented 6 months ago

https://internet.nl/mail/www.rijksappstore.nl/1160230/#mailauth

Here the domain has a DMARC p=reject policy and an SPF -all, but the latter with an added exp= parameter. The exp= parameter cannot authorise extra mailservers, so such an SPF record is simply a -all policy.

Why is DKIM not rendered 'inapplicable'?

mdavids commented 6 months ago

Interesting case. In general this works (see https://internet.nl/mail/www.example.nl/1160309/#mailauth), but in this case it doesn't. Something is confusing the logic, so it seems. Should be investigated further.

apio-sys commented 6 months ago

It's strange to test your mail on your domain including the www host no? If you test like this: https://internet.nl/mail/rijksappstore.nl/1160278/#mailauth it does work...

The DMARC remains in warning though, which is normal if dictu.nl does not have a DNS TXT record verifying that they wish to receive DMARC reports for your domain.

robinbzk commented 6 months ago

> It's strange to test your mail on your domain including the www host no?

No https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bcp-2022-06.pdf

apio-sys commented 6 months ago

Sorry I misread the initial issue since it should not be applicable. The only difference I see with example.nl where it does work as expected is that that domain has an SPF record without exp modifier and also has a "v=DKIM1; p=" record. Maybe you can test with an SPF record as example.nl just to see if that might be the reason for the DKIM test to fail rather than to dismiss?

apio-sys commented 6 months ago

OK I managed to reproduce this.

Used all params as on example.nl, 100%. Add exp= modifier in SPF, still 100%. Cached result here: https://internet.nl/mail/www.mimetreseaupro.com/1160398/# .

Then added a rua external recipient without that domain having validated it, reproduced here (on separate server so you can see both cached versions): https://internet.apio.systems/mail/www.mimetreseaupro.com/17/#mailauth .

So the DKIM error is wrong and seems to be triggered by the DMARC warning. @robinbzk can you help solve your DMARC warning and check if this also clears the false positive on DKIM?

apio-sys commented 6 months ago

Addition to yesterday's POC, there seems to be another issue. When I fix my error on DMARC allowing the external domain to be recipient of the DMARC reporting like so (which I think is the correct syntax):

dig -t TXT mimetreseaupro.com._report._dmarc.apio.systems

;; ANSWER SECTION:
mimetreseaupro.com._report._dmarc.apio.systems. 300 IN TXT "v=DMARC1"

This is not taken into consideration and the DMARC test remains wrongly in the warning status, and the DKIM false positive remains also. So there are 2 issues to fix here I think. Or at the least the DMARC check to fix, since the rua is now valid, and the DKIM error to show or not depending on whether the DMARC test is successful.

My POC is still in place if you want to test against it. Let me know if I can help further.

bwbroersma commented 6 months ago

See:

The current code needs a valid DMARC to skip the test. I would say this issue is a duplicate.

@robinbzk: If there is p=reject in the DMARC there is no need for sp=reject (other than being explicit), same goes for the pct=100. So v=DMARC1;p=reject;rua=mailto:dmarc@dictu.nl; is effectively the same policy.

In this case, it's needed that DICTU adds some TXT record (according to the RFC 7489):

rijksappstore.nl._report._dmarc.dictu.nl.   IN TXT "v=DMARC1"

Update: In earlier versions I had multiple report records, but only one record is needed if there is also only one _dmarc for the domain.
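To make the logic discussed in this thread concrete, here is an added example (not Internet.nl's own code, and not the project's actual implementation) that models the decision "is DKIM still applicable?" as described above: SPF must be a bare -all (exp= is ignored, redirect= is not), DMARC must be p=reject, and DMARC only counts as valid when every external rua= domain has published the RFC 7489 section 7.1 authorization record `<sender-domain>._report._dmarc.<report-domain>` TXT "v=DMARC1". DNS is replaced by a constructed in-memory zone (`DNS_STUB`) so it runs offline; `example.test`/`external.test` are made-up names, and the organizational-domain fallback of real DMARC is deliberately left out (each name is evaluated on its own).

```python
"""Added example: model of the DKIM-applicability check discussed in the issue.

Not Internet.nl code. DNS is stubbed with constructed records so it runs offline.
"""

# Constructed records, not real DNS data. Domain names are taken from the issue.
DNS_STUB = {
    "rijksappstore.nl": ["v=spf1 -all exp=explain.rijksappstore.nl"],
    "_dmarc.rijksappstore.nl": ["v=DMARC1; p=reject; rua=mailto:dmarc@dictu.nl"],
    # The record that lets dictu.nl receive aggregate reports for rijksappstore.nl
    "rijksappstore.nl._report._dmarc.dictu.nl": ["v=DMARC1"],
    # Hypothetical second domain whose external rua= recipient has NOT published the record
    "example.test": ["v=spf1 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:reports@external.test"],
}


def txt(name):
    """Stand-in for a TXT lookup; returns a list of record strings."""
    return DNS_STUB.get(name.rstrip(".").lower(), [])


def spf_rejects_everything(domain):
    """True if the SPF record authorises no sender at all.

    Terms without '=' are mechanisms, terms with '=' are modifiers. A bare
    '-all' with only an exp= modifier still rejects everything; a redirect=
    modifier could authorise senders elsewhere, so it disqualifies.
    """
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:          # none, or multiple records (invalid SPF)
        return False
    terms = recs[0].split()[1:]
    mechanisms = [t for t in terms if "=" not in t]
    modifiers = [t for t in terms if "=" in t]
    if any(m.lower().startswith("redirect=") for m in modifiers):
        return False
    return mechanisms == ["-all"]


def parse_dmarc(domain):
    """Return the DMARC tag dict for domain, or None if not exactly one record."""
    recs = [r for r in txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def rua_domains(tags):
    """Domains that would receive aggregate reports according to rua=."""
    out = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[len("mailto:"):].split("!")[0]   # drop optional "!10m" size limit
            out.append(addr.rsplit("@", 1)[-1].lower())
    return out


def external_report_authorized(sender_domain, report_domain):
    """RFC 7489 section 7.1: an external report receiver must publish
    <sender>._report._dmarc.<receiver> TXT "v=DMARC1"."""
    if report_domain == sender_domain:
        return True
    name = f"{sender_domain}._report._dmarc.{report_domain}"
    return any(r.strip().lower().startswith("v=dmarc1") for r in txt(name))


def dmarc_status(domain):
    """Return ('valid' | 'warning' | 'missing', reason)."""
    tags = parse_dmarc(domain)
    if tags is None:
        return "missing", "no single v=DMARC1 record"
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return "warning", "policy tag p= missing or invalid"
    for rd in rua_domains(tags):
        if not external_report_authorized(domain, rd):
            return "warning", f"{rd} has not authorised reports for {domain}"
    return "valid", "ok"


def dkim_applicable(domain):
    """Return (applicable, reason). DKIM is not applicable only when the domain
    provably sends no mail: bare SPF -all plus a *valid* DMARC p=reject."""
    if not spf_rejects_everything(domain):
        return True, "SPF authorises senders (or is missing/invalid)"
    status, reason = dmarc_status(domain)
    tags = parse_dmarc(domain) or {}
    if status == "valid" and tags.get("p", "").lower() == "reject":
        return False, "SPF -all and valid DMARC p=reject: domain sends no mail"
    return True, f"DMARC not valid or not p=reject ({reason})"


if __name__ == "__main__":
    for d in ("rijksappstore.nl", "example.test"):
        print(d, dmarc_status(d), dkim_applicable(d))
```

Running it shows the two cases from the thread side by side: with the authorization record in place DMARC is "valid" and DKIM comes out not applicable; without it DMARC drops to "warning" and, following the rule bwbroersma describes, DKIM stays applicable.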

bwbroersma commented 6 months ago

Duplicate of #916.

Somehow marking duplicates doesn't work like the documentation says.

robinbzk commented 5 months ago

> OK I managed to reproduce this.
>
> Used all params as on example.nl, 100%. Add exp= modifier in SPF, still 100%. Cached result here: https://internet.nl/mail/www.mimetreseaupro.com/1160398/# .
>
> Then added a rua external recipient without that domain having validated it, reproduced here (on separate server so you can see both cached versions): https://internet.apio.systems/mail/www.mimetreseaupro.com/17/#mailauth .
>
> So the DKIM error is wrong and seems to be triggered by the DMARC warning. @robinbzk can you help solve your DMARC warning and check if this also clears the false positive on DKIM?

100% score after adding DMARC authorization record --> https://internet.nl/mail/www.rijksappstore.nl/1175938/#control-panel-11