DMARC fail on Valid mails + Quarantined mails being put in hold queue


Due to a change in the DMARC policy for from p=none to p=quarantine, I’ve come across 2 significant issues.

Mail showing a DMARC fail in the headers, when in fact it should be showing a DMARC pass.

This mail is validated by SPF only, but there is no forwarding involved - it comes direct to my server. In fact if I change where the mail is sent to my Gmail address. The same mails clearly show a DMARC and SPF pass.

Quarantined mails being held in the postfix hold queue rather than being placed in spam.

Whilst looking into the fact that mails had actually started failing DMARC for other reasons, I realised that I was missing mail for quite a few weeks. On investigation I found that these were triggering the postfix hold milter

Dec 21 07:48:34 box postfix/cleanup[8709]: E835F2166C: milter-hold: END-OF-MESSAGE from[]: milter triggers HOLD action; from=<> to=<> proto=ESMTP helo=<>

At a guess it looks as if the SPF check is being applied to the HELO identity rather than the mail from: identity.


Well, my first thought for the DMARC fail is an alignment issue, but that requires seeing the full email headers. I have yet to see DMARC fail when it should pass, but anything is possible.

As for the hold, can you post the other log entries related to it?

Good thought, and you’re correct, that it is most likely an alignment issue but not the way you think :wink:

Return-Path: <>
Received: from ([])
    by with LMTP id SCp+KOTO/V0oEgAAqnml9w
    for <>; Sat, 21 Dec 2019 07:51:00 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,SPF_HELO_NONE
    autolearn=ham autolearn_force=no version=3.4.2
    * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    * 0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Score: 0.0
Received: from ( [])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by (Postfix) with ESMTPS id E835F2166C
    for <>; Sat, 21 Dec 2019 07:48:32 +0000 (GMT)
Authentication-Results:; dmarc=fail (p=quarantine dis=quarantine)
Received: from (unknown [])
    by (Postfix) with ESMTP id 0AC53C0008
    for <>; Sat, 21 Dec 2019 07:48:32 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 0AC53C0008
Date: Sat, 21 Dec 2019 08:48:31 +0100 (CET)
From: Virgin Media Community Support <>
Message-ID: <881239677.527.1576914512047.JavaMail.lithium@lia-app-c19-

Checking the SPF record for the mail from: identity with Kitterman’s SPF tool

Input accepted, querying now...

Mail sent from this IP address:
Mail from (Sender):

Results - PASS sender SPF authorized

Mail sent from this IP address:
Mail Server HELO/EHLO identity:

HELO/EHLO Results - none

Here’s the full log entries:

Dec 21 07:48:33 box postfix/smtpd[8706]: E835F2166C:[]
Dec 21 07:48:33 box postfix/cleanup[8709]: E835F2166C: message-id=<>
Dec 21 07:48:34 box opendmarc[754]: E835F2166C: fail
Dec 21 07:48:34 box postfix/cleanup[8709]: E835F2166C: milter-hold: END-OF-MESSAGE from[]: milter triggers HOLD action; from=<> to=<> proto=ESMTP helo=<>
Dec 21 07:51:00 box postfix/qmgr[87935]: E835F2166C: from=<>, size=3692, nrcpt=1 (queue active)
Dec 21 07:51:03 box postfix/lmtp[9490]: E835F2166C: to=<>, relay=[]:10025, delay=150, delays=148/0.01/0.01/2.6, dsn=2.0.0, status=sent (250 2.0.0 <> SCp+KOTO/V0oEgAAqnml9w Saved)
Dec 21 07:51:03 box postfix/qmgr[87935]: E835F2166C: removed

Edit - What’s odd that if I copy the source to a file on the VPS and test the file - I seem to get a DMARC pass

root@box:/home# opendmarc -v -t mailtest
opendmarc: mailtest: mlfi_eom() returned SMFIS_ACCEPT