trusteddomainproject / OpenDMARC

This is the Trusted Domain Project's implementation of the DMARC protocol library and mail filter, called OpenDMARC. A "milter" connects to Unix-based mailers (originally sendmail, but now many) and provides a standard filtering API.

Feature Request: Simple human readable failure reason header #97

Open thegushi opened 3 years ago

thegushi commented 3 years ago

Hey there. Submitting this per a conversation with Murray.

When I look at my dmarc authentication results, I'll see something like:

User-Agent: OpenDMARC-Filter/1.3.2
Auth-Failure: dmarc
Authentication-Results: prime.gushi.org; dmarc=fail header.from=gmail.com

What's missing there is the ability to usefully know what portion of authentication failed. Did SPF? Did DKIM? Did both?

Since I don't have the ability to compute DKIM signatures in my head, a message like "Mail was sent with an envelope of gmail.com but was not DKIM signed" or "Mail was DKIM signed with key selector.domain.com but the signature was invalid", or "DKIM was valid, but SPF failed".

I would enumerate more, but I don't know the full set of failure modes. I don't imagine there are more than a dozen.

celesteking commented 3 years ago

In this case they failed both because they were supposed to be present in Authentication-Results, AFAIK. Unless you've asked opendmarc to do the spf resolution itself.

But I agree that it doesn't show the reason why it actually failed, it logs them in cryptic non-human readable format and that is bad. It should've logged everything, starting from auth header analysis to dns lookups and config parsing.

thegushi commented 3 years ago

In this particular case, yes, I had asked opendmarc to do the SPF validation myself.

It might also make sense to have opendmarc add a separate authentication-results header for the output of SPF validation so that later tools that see the message can handle it. (Or perhaps, be able to run a second copy of the daemon just to validate SPF.)

falon commented 3 years ago

Please, I would also suggest seeing #79. OpenDMARC headers could be used by other software, such as SpamAssassin, in order to manage the email disposition. If Rejectfailures=false, currently the headers miss the information about the disposition of the mail.
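
The kind of plain-language explanation requested in this thread, as an added example (not part of the issue and not OpenDMARC code): it reads the SPF and DKIM results from Authentication-Results values and states why DMARC passed or failed. The function names, the sample headers and the suffix-based alignment check are assumptions made for illustration.

```python
import re

# Finds "spf=<result>" / "dkim=<result>" plus the properties up to the next ';'.
METHOD_RE = re.compile(r"\b(spf|dkim)=(\w+)([^;]*)", re.I)

def aligned(domain, from_domain):
    # Simplified relaxed alignment: same domain, or one is a subdomain of the other.
    # Assumption: a real evaluator compares organizational domains (Public Suffix List).
    a, b = domain.lower(), from_domain.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def explain_dmarc(from_domain, auth_results):
    """Return (verdict, reasons) for a list of Authentication-Results values."""
    reasons, passed, seen = [], False, set()
    for header in auth_results:
        for method, result, props in METHOD_RE.findall(header):
            method, result = method.lower(), result.lower()
            if result == "none":
                continue  # "none" means nothing was evaluated for this method
            seen.add(method)
            key = "smtp.mailfrom" if method == "spf" else "header.d"
            m = re.search(re.escape(key) + r"=(\S+)", props)
            domain = m.group(1).rsplit("@", 1)[-1] if m else "(unknown)"
            name = method.upper()
            if result != "pass":
                reasons.append(f"{name} result was '{result}' for {domain}")
            elif not aligned(domain, from_domain):
                reasons.append(f"{name} passed for {domain}, which is not "
                               f"aligned with From domain {from_domain}")
            else:
                passed = True
                reasons.append(f"{name} passed and is aligned ({domain})")
    for method in ("spf", "dkim"):
        if method not in seen:
            reasons.append(f"no {method.upper()} result was available "
                           "(not checked upstream, or nothing to check)")
    return ("pass" if passed else "fail"), reasons

# Constructed sample headers (not taken from the issue).
SAMPLE = [
    "mx.example.org; spf=pass smtp.mailfrom=bounce@mailer.example.net",
    "mx.example.org; dkim=fail header.d=example.com header.s=sel1",
]

if __name__ == "__main__":
    verdict, reasons = explain_dmarc("example.com", SAMPLE)
    print("dmarc=" + verdict)
    for r in reasons:
        print(" -", r)
```

A DMARC pass needs at least one of SPF or DKIM to both pass and align with the From domain, so a message can fail DMARC even when SPF reports pass, as the first sample header shows.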