mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

DMARC reports from some mail servers report failures #176

Closed rdelaage closed 2 months ago

rdelaage commented 3 months ago

They seem to be DKIM-related failures. The DKIM reports are sent from postmaster@<maildomain> but there is no published DKIM public key in the DNS records generated by mox, resulting in a DKIM signature validation fail.

Here is a copy of a DMARC report sent by google

{
    "ID": 7,
    "Domain": "delaage.fr",
    "FromDomain": "google.com",
    "Version": "",
    "ReportMetadata": {
        "OrgName": "google.com",
        "Email": "noreply-dmarc-support@google.com",
        "ExtraContactInfo": "https://support.google.com/a/answer/2466580",
        "ReportID": "11688145333743308772",
        "DateRange": {
            "Begin": 1718150400,
            "End": 1718236799
        },
        "Errors": null
    },
    "PolicyPublished": {
        "Domain": "delaage.fr",
        "ADKIM": "r",
        "ASPF": "r",
        "Policy": "reject",
        "SubdomainPolicy": "reject",
        "Percentage": 100,
        "ReportingOptions": ""
    },
    "Records": [
        {
            "Row": {
                "SourceIP": "2001:1600:13:101::cd7",
                "Count": 2,
                "PolicyEvaluated": {
                    "Disposition": "none",
                    "DKIM": "pass",
                    "SPF": "pass",
                    "Reasons": null
                }
            },
            "Identifiers": {
                "EnvelopeTo": "",
                "EnvelopeFrom": "",
                "HeaderFrom": "mail.delaage.fr"
            },
            "AuthResults": {
                "DKIM": [
                    {
                        "Domain": "mail.delaage.fr",
                        "Selector": "",
                        "Result": "fail",
                        "HumanResult": ""
                    },
                    {
                        "Domain": "delaage.fr",
                        "Selector": "2024b",
                        "Result": "pass",
                        "HumanResult": ""
                    }
                ],
                "SPF": [
                    {
                        "Domain": "mail.delaage.fr",
                        "Scope": "",
                        "Result": "pass"
                    }
                ]
            }
        }
    ]
}

mjl- commented 3 months ago

hi @rdelaage, thanks for the report.

this indeed looks a bit (but only a little!) surprising:

"DKIM": [ { "Domain": "mail.delaage.fr", "Selector": "", "Result": "fail", "HumanResult": "" }, { "Domain": "delaage.fr", "Selector": "2024b", "Result": "pass", "HumanResult": "" }

that is, i'm surprised that the first object mentions "mail.delaage.fr" and the second has "delaage.fr". when mox adds dkim signatures to an outgoing message, it looks up a configured domain for the "message from" address: first the full domain, then removing a subdomain, and so on, until a configured domain is found. the dkim config for that domain is applied. but it should always be a single domain. and unless you have mail.delaage.fr configured as well, it should be delaage.fr.

i'm not surprised about the "Result": "fail". the dmarc reports from google that i'm getting contain this:

"DKIM": [ { "Domain": "ueber.net", "Selector": "", "Result": "fail", "HumanResult": "" }, { "Domain": "ueber.net", "Selector": "2023b", "Result": "pass", "HumanResult": "" } ],

it too has 1 "fail" result. that's expected: mox signs messages with both an ed25519 dkim signature and an rsa dkim signature. but google doesn't implement ed25519. many other mail systems don't either, only a minority does at the moment. it results in various forms of a "dkim fail" in dmarc reports (sometimes they mention the selector, sometimes they have additional text). anyway, it's not actually a problem: a dkim-signature that isn't recognized is not used in evaluations, i.e. doesn't have a negative impact (which is the only reasonable behaviour, for forward compatibility). there is still 1 dkim pass, so all is good!

overall, your dmarc report indicates messages that pass the dmarc check.

at first glance, these reports often make you think something is wrong: you'll see "reject" in "PolicyPublished", but that only indicates that the requested policy for non-dmarc-passing messages is to reject them (which is what we want!). it doesn't say anything about the result of dmarc evaluations. an individual "fail" also doesn't have to be bad: the dmarc check will pass when at least one of the spf and dkim checks has an aligned pass. for situations like forwarding it can be normal to have one of them fail.

what really matters is the final dmarc evaluation result, which is this part:

"PolicyEvaluated": { "Disposition": "none",

"none" is the good news: the message wasn't quarantined or rejected. i think it's a bit unfortunate about dmarc reports that this final result doesn't stand out (at least for me) among all the other mentions of "reject" and "fail".

anyway, the question is still why google has seen messages with a dkim-signature for mail.delaage.fr. do/did you have it explicitly configured as domain in mox by any chance?
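As an added example (not code from mox or from anyone in this thread), the evaluation described in the comment above, written in Go: a record in the JSON layout posted above is checked for an aligned DKIM pass and an aligned SPF pass, the DMARC result is the OR of the two, and the extra "fail" entry for a signature the receiver could not verify changes nothing. The same block includes the signing-domain walk (full From domain, then one label stripped at a time until a configured domain is found). The struct types, the two-label shortcut for the organizational domain and the trimmed sample report are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Types for the report fields used below; they follow the JSON layout posted
// in this thread but are written for this example, not taken from mox.
type AuthResult struct{ Domain, Result string }
type Record struct {
	Row struct {
		PolicyEvaluated struct{ Disposition string }
	}
	Identifiers struct{ HeaderFrom string }
	AuthResults struct{ DKIM, SPF []AuthResult }
}
type Report struct {
	PolicyPublished struct{ ADKIM, ASPF string }
	Records         []Record
}
type Eval struct{ DKIMPass, SPFPass, DMARCPass bool } // outcome for one record

// orgDomain approximates the organizational domain as the last two labels
// (simplification: real code uses the Public Suffix List, e.g. for co.uk).
func orgDomain(d string) string {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(d), "."), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned applies DMARC identifier alignment: "s" (strict) needs an exact
// match with the header From domain; "r" (relaxed, the default) only the same
// organizational domain, which is why delaage.fr aligns with mail.delaage.fr.
func aligned(authDomain, headerFrom, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(authDomain, headerFrom)
	}
	return orgDomain(authDomain) == orgDomain(headerFrom)
}

// EvaluateRecord applies the rule explained above: DMARC passes when at least
// one DKIM or SPF result is "pass" AND aligned. Extra "fail" entries, such as
// an ed25519 signature the receiver cannot verify, never subtract.
func EvaluateRecord(rep Report, rec Record) Eval {
	var e Eval
	from := rec.Identifiers.HeaderFrom
	for _, d := range rec.AuthResults.DKIM {
		if d.Result == "pass" && aligned(d.Domain, from, rep.PolicyPublished.ADKIM) {
			e.DKIMPass = true
		}
	}
	for _, s := range rec.AuthResults.SPF {
		if s.Result == "pass" && aligned(s.Domain, from, rep.PolicyPublished.ASPF) {
			e.SPFPass = true
		}
	}
	e.DMARCPass = e.DKIMPass || e.SPFPass
	return e
}

// SigningDomain mimics the lookup described above: try the full From domain,
// then drop one label at a time, until a configured domain is found ("" if none).
func SigningDomain(fromDomain string, configured map[string]bool) string {
	for d := strings.ToLower(fromDomain); d != ""; _, d, _ = strings.Cut(d, ".") {
		if configured[d] {
			return d
		}
	}
	return ""
}

// sampleReport is a constructed, cut-down copy of the Google report posted above.
const sampleReport = `{
  "PolicyPublished": {"ADKIM": "r", "ASPF": "r"},
  "Records": [{
    "Row": {"PolicyEvaluated": {"Disposition": "none"}},
    "Identifiers": {"HeaderFrom": "mail.delaage.fr"},
    "AuthResults": {
      "DKIM": [{"Domain": "mail.delaage.fr", "Result": "fail"}, {"Domain": "delaage.fr", "Result": "pass"}],
      "SPF": [{"Domain": "mail.delaage.fr", "Result": "pass"}]}}]}`

func ParseReport(s string) (Report, error) {
	var r Report
	err := json.Unmarshal([]byte(s), &r)
	return r, err
}

func main() {
	rep, err := ParseReport(sampleReport)
	if err != nil {
		panic(err)
	}
	e := EvaluateRecord(rep, rep.Records[0])
	fmt.Printf("disposition=%s aligned dkim=%t spf=%t dmarc=%t signer=%s\n", rep.Records[0].Row.PolicyEvaluated.Disposition,
		e.DKIMPass, e.SPFPass, e.DMARCPass, SigningDomain("mail.delaage.fr", map[string]bool{"delaage.fr": true}))
}
```

With relaxed alignment (the "r" in the published policy) both the delaage.fr DKIM pass and the mail.delaage.fr SPF pass count; switching ADKIM to "s" drops the DKIM pass because delaage.fr is not an exact match for the From domain, while SPF still carries the message to a DMARC pass. The "Disposition" field is read straight from the report, since that is the receiver's final verdict rather than something the evaluation recomputes.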

rdelaage commented 3 months ago

No, mail.delaage.fr is the domain name of my mail server (MX record) but is not in the configured domain. This domain is used in the From header of the DMARC reports sent to Google (I never sent messages to Google except the automatic DMARC reports, so the rejected DKIM signatures are in the DMARC reports using the postmaster address in the From header).

RobSlgm commented 3 months ago

Same here.

Google

On the host domain the DMARC reports from google.com show mail.example.com in SMTP from and Header from.

A row with my server SourceIP shows DKIM domain mail.example.com with fail and a domain example.com with pass; SPF is mail.example.com pass. The same report also shows a Row with a SourceIP from a Google IP with SPF result fail, using the very same mail.example.com.

The result is None in all cases.

Enterprise Outlook

DMARC reports from "Enterprise Outlook" to the host domain show HeaderFrom and EnvelopeFrom as mail.example.com:

"AuthResults": {
    "DKIM": [
        {
            "Domain": "",
            "Selector": "",
            "Result": "fail",
            "HumanResult": ""
        },
        {
            "Domain": "example.com",
            "Selector": "2024b",
            "Result": "fail",
            "HumanResult": ""
        }
    ],
    "SPF": [
        {
            "Domain": "mail.example.com",
            "Scope": "mfrom",
            "Result": "pass"
        }
    ]
}

The behavior isn't consistent, in some reports the DKIM on example.com shows pass.

Amazon SES

And AMAZON-SES is fully happy (DKIM and SPF pass); Envelope/Header From are mail.example.com and the DKIM domain is example.com.

eMail domains

The email domains are all green (Counters for DKIM or SPF fails are zero). The HeaderFrom is example.org, and all DKIM/SPF results refer to example.org. EnvelopeFrom is empty.

Observation

In the admin UI on the page with .../dnscheck the SPF records are shown as follows:

Domain TXT record: v=spf1 mx ~all
Host TXT record: v=spf1 a -all

Ensure DNS TXT records like the following exist:

    example.com. TXT "v=spf1 ip6:1111:222:333:444::1 ip4:11.22.33.44 -all"
    mail.example.com. TXT "v=spf1 a -all"

whereas on the page with .../dnsrecords this appears:

mail.example.com.               TXT "v=spf1 a -all"
example.com.                    TXT "v=spf1 mx ~all"

The current setup uses the a-record reference. Is there a benefit to explicitly listing the IPs? Or why are two different settings shown at all?

mjl- commented 2 months ago

@RobSlgm thanks for reporting that spf1 mismatch. the last commit should now cause the same record to be suggested: always including the configured ip's and keeping "mx" (including the ip prevents further dns lookups for legitimate messages, which is good for performance; keeping the mx records adds some resilience to future ip changes), and using "~all" (as explained on the dnsrecords page).

i've also received some dmarc reports from google/gmail with a "Domain" set to the hostname. i suspect it is an artefact of them not recognizing the ed25519 algorithm. the overall dkim result is still pass, and the dmarc result is positive too.

i'll close this issue now. feel free to reopen if there's more information or more work to be done.

thanks for reporting and providing details!
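As an added example (not mox's own SPF code, and not posted by anyone in this thread), a small Go evaluator for the three SPF records discussed above: the "mx ~all" record from the dnsrecords page, the "ip6/ip4 -all" record from the dnscheck page, and a combined "ip4 ip6 mx ~all" record of the shape the last comment says is now suggested. It implements only the mechanisms those records use (ip4, ip6, a, mx, all) with the +, -, ~ and ? qualifiers, and counts every query against a stub resolver built from the placeholder addresses in RobSlgm's records, so the performance point (listing the IP avoids lookups) and the resilience point (mx still matches after an IP change) can be observed. The stub resolver, the constant names and the lookup counter are assumptions of the example; include, redirect, exists, ptr and the 10-lookup limit are deliberately not implemented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// StubDNS stands in for the resolver with constructed records and counts every
// query, so the cost of each SPF record can be compared. Not mox's resolver.
type StubDNS struct {
	A       map[string][]string // host -> addresses
	MX      map[string][]string // domain -> mail hosts
	Lookups int
}

func (d *StubDNS) addrs(host string) []string { d.Lookups++; return d.A[host] }
func (d *StubDNS) mx(domain string) []string  { d.Lookups++; return d.MX[domain] }

// ipMatch handles both a bare address ("ip4:11.22.33.44") and a CIDR prefix.
func ipMatch(spec string, ip net.IP) bool {
	if strings.Contains(spec, "/") {
		_, n, err := net.ParseCIDR(spec)
		return err == nil && n.Contains(ip)
	}
	return net.ParseIP(spec).Equal(ip)
}

func anyMatch(addrs []string, ip net.IP) bool {
	for _, a := range addrs {
		if net.ParseIP(a).Equal(ip) {
			return true
		}
	}
	return false
}

// Evaluate covers only the mechanisms used in the records above (ip4, ip6, a,
// mx, all) with the +, -, ~ and ? qualifiers; include, redirect, exists, ptr
// and the 10-lookup limit are left out. It returns the SPF result for the
// sending address and how many stub queries were needed to reach it.
func Evaluate(record, domain, sender string, dns *StubDNS) (string, int) {
	dns.Lookups = 0
	ip := net.ParseIP(sender)
	terms := strings.Fields(record)
	if ip == nil || len(terms) == 0 || terms[0] != "v=spf1" {
		return "none", 0
	}
	results := map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}
	for _, term := range terms[1:] {
		qual := byte('+')
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			qual, term = term[0], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			matched = ipMatch(term[4:], ip)
		case term == "a":
			matched = anyMatch(dns.addrs(domain), ip)
		case term == "mx":
			for _, host := range dns.mx(domain) {
				matched = matched || anyMatch(dns.addrs(host), ip)
			}
		}
		if matched {
			return results[qual], dns.Lookups
		}
	}
	return "neutral", dns.Lookups
}

// exampleDNS uses the placeholder addresses from the records in this thread.
func exampleDNS() *StubDNS {
	return &StubDNS{
		A:  map[string][]string{"mail.example.com": {"11.22.33.44", "1111:222:333:444::1"}},
		MX: map[string][]string{"example.com": {"mail.example.com"}},
	}
}

const (
	MXOnly   = "v=spf1 mx ~all"                                          // dnsrecords page
	IPsOnly  = "v=spf1 ip6:1111:222:333:444::1 ip4:11.22.33.44 -all"    // dnscheck page
	Combined = "v=spf1 ip4:11.22.33.44 ip6:1111:222:333:444::1 mx ~all" // ips + mx + ~all, as now suggested
)

func main() {
	for _, rec := range []string{MXOnly, IPsOnly, Combined} {
		for _, ip := range []string{"11.22.33.44", "203.0.113.9"} {
			res, n := Evaluate(rec, "example.com", ip, exampleDNS())
			fmt.Printf("%-56s from %-12s -> %-8s (%d lookups)\n", rec, ip, res, n)
		}
	}
}
```

From the server's own address the "mx ~all" record needs two queries (MX, then the A/AAAA of the mail host) before it passes, while any record that lists the address literally passes with none. From an unrelated address the "-all" record yields fail and the "~all" records yield softfail. If the server later moves to a new address and only the A record is updated, the literal ip4/ip6 terms stop matching but the mx term still does, which is the resilience the last comment refers to.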