DMARC fail on Valid mails + Quarantined mails being put in hold queue

Hi

Due to a change in the DMARC policy for virginmedia.co.uk from p=none to p=quarantine, I’ve come across 2 significant issues.

Mail showing a DMARC fail in the headers, when in fact it should be showing a DMARC pass.

This mail is validated by SPF only, but there is no forwarding involved - it comes direct to my server. In fact, if I change where the mail is sent to my Gmail address, the same mails clearly show a DMARC and SPF pass.

Quarantined mails being held in the postfix hold queue rather than being placed in spam.

Whilst looking into the fact that mails had actually started failing DMARC for other reasons, I realised that I was missing mail for quite a few weeks. On investigation I found that these were triggering the postfix hold milter:

Dec 21 07:48:34 box postfix/cleanup[8709]: E835F2166C: milter-hold: END-OF-MESSAGE from outbound-dkim.eu.khoros-mail.com[34.246.32.154]: milter triggers HOLD action; from=<VirginMediaCommunitySupport@virginmedia.co.uk> to=<myaddress@ravenstar68.co.uk> proto=ESMTP helo=<outbound-dkim.eu.khoros-mail.com>

At a guess it looks as if the SPF check is being applied to the HELO identity rather than the mail from: identity.

Tim
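Added example (not part of the original post): one way to find mail that a milter silently parked in the Postfix hold queue is to correlate the opendmarc verdict and the `milter-hold` line by queue ID and check whether the message was later delivered. The sample log is constructed in the format of the line quoted above, and `held_messages` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in this thread;
# hosts and addresses are placeholders.
SAMPLE_LOG = """\
Dec 21 07:48:34 box opendmarc[754]: E835F2166C: example.org fail
Dec 21 07:48:34 box postfix/cleanup[8709]: E835F2166C: milter-hold: END-OF-MESSAGE from mx.example.net[192.0.2.10]: milter triggers HOLD action; from=<a@example.org> to=<me@example.com> proto=ESMTP helo=<mx.example.net>
Dec 21 07:49:11 box opendmarc[754]: 1A2B3C4D5E: example.com pass
Dec 21 07:51:03 box postfix/lmtp[9490]: E835F2166C: to=<me@example.com>, relay=127.0.0.1[127.0.0.1]:10025, delay=150, dsn=2.0.0, status=sent (250 2.0.0 Saved)
Dec 21 07:52:00 box opendmarc[754]: 9F8E7D6C5B: example.org fail
Dec 21 07:52:00 box postfix/cleanup[8709]: 9F8E7D6C5B: milter-hold: END-OF-MESSAGE from mx.example.net[192.0.2.10]: milter triggers HOLD action; from=<b@example.org> to=<me@example.com> proto=ESMTP helo=<mx.example.net>
"""

# Assumes Postfix short (hexadecimal) queue IDs, as in the thread's logs.
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<proc>[\w/-]+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")
# opendmarc verdict line in the form shown in the thread: "<domain> <result>"
DMARC = re.compile(r"^(?P<domain>\S+) (?P<result>\w+)$")
HOLD = re.compile(r"milter triggers HOLD action; from=<(?P<sender>[^>]*)>")


def held_messages(log_text):
    """Return one record per message a milter put on HOLD, in log order."""
    msgs = defaultdict(lambda: {"held": False, "delivered": False, "dmarc": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec, rest = msgs[m["qid"]], m["rest"]
        d = DMARC.match(rest)
        if m["proc"] == "opendmarc" and d:
            rec["dmarc"] = (d["domain"], d["result"])
        h = HOLD.search(rest)
        if h:
            rec.update(held=True, sender=h["sender"])
        if "status=sent" in rest:
            rec["delivered"] = True  # released from hold and handed to LMTP
    return [{"qid": q, **r} for q, r in msgs.items() if r["held"]]


if __name__ == "__main__":
    for msg in held_messages(SAMPLE_LOG):
        state = "released and delivered" if msg["delivered"] else "still on hold"
        print(msg["qid"], msg["sender"], msg["dmarc"], state)
```

On a live system, `postqueue -p` marks messages sitting in the hold queue with `!` after the queue ID.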

Well, my first thought for the DMARC fail is an alignment issue, but that requires seeing the full email headers. I have yet to see DMARC fail when it should pass, but anything is possible.

As for the hold, can you post the other log entries related to it?

Good thought, and you’re correct that it is most likely an alignment issue, but not the way you think 😉

Return-Path: <VirginMediaCommunitySupport@virginmedia.co.uk>
Delivered-To: me@ravenstar68.co.uk
Received: from box.timothydutton.co.uk ([127.0.0.1])
    by box.timothydutton.co.uk with LMTP id SCp+KOTO/V0oEgAAqnml9w
    for <me@ravenstar68.co.uk>; Sat, 21 Dec 2019 07:51:00 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
    box.timothydutton.co.uk
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,SPF_HELO_NONE
    autolearn=ham autolearn_force=no version=3.4.2
X-Spam-Report:
    * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
    * 0.0 HTML_MESSAGE BODY: HTML included in message
X-Spam-Score: 0.0
Received: from outbound-dkim.eu.khoros-mail.com (outbound-dkim.eu.khoros-mail.com [34.246.32.154])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by box.timothydutton.co.uk (Postfix) with ESMTPS id E835F2166C
    for <me@ravenstar68.co.uk>; Sat, 21 Dec 2019 07:48:32 +0000 (GMT)
Authentication-Results: box.timothydutton.co.uk; dmarc=fail (p=quarantine dis=quarantine) header.from=virginmedia.co.uk
Received: from lia-app-c19-5.prod.lia.euw1.lithcloud.com (unknown [10.250.20.1])
    by outbound-dkim.eu.khoros-mail.com (Postfix) with ESMTP id 0AC53C0008
    for <me@ravenstar68.co.uk>; Sat, 21 Dec 2019 07:48:32 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 outbound-dkim.eu.khoros-mail.com 0AC53C0008
Date: Sat, 21 Dec 2019 08:48:31 +0100 (CET)
From: Virgin Media Community Support <VirginMediaCommunitySupport@virginmedia.co.uk>
To: me@ravenstar68.co.uk
Message-ID: <881239677.527.1576914512047.JavaMail.lithium@lia-app-c19-

Checking the SPF record for the mail from: identity with Kitterman’s SPF tool:

Input accepted, querying now...


Mail sent from this IP address: 34.246.32.154
Mail from (Sender): VirginMediaCommunitySupport@virginmedia.co.uk

Results - PASS sender SPF authorized


Mail sent from this IP address: 34.246.32.154
Mail Server HELO/EHLO identity: outbound-dkim.eu.khoros-mail.com

HELO/EHLO Results - none

Here are the full log entries:

Dec 21 07:48:33 box postfix/smtpd[8706]: E835F2166C: client=outbound-dkim.eu.khoros-mail.com[34.246.32.154]
Dec 21 07:48:33 box postfix/cleanup[8709]: E835F2166C: message-id=<881239677.527.1576914512047.JavaMail.lithium@lia-app-c19-5.prod.lia.euw1.lithcloud.com>
Dec 21 07:48:34 box opendmarc[754]: E835F2166C: virginmedia.co.uk fail
Dec 21 07:48:34 box postfix/cleanup[8709]: E835F2166C: milter-hold: END-OF-MESSAGE from outbound-dkim.eu.khoros-mail.com[34.246.32.154]: milter triggers HOLD action; from=<VirginMediaCommunitySupport@virginmedia.co.uk> to=<raven@ravenstar68.co.uk> proto=ESMTP helo=<outbound-dkim.eu.khoros-mail.com>
Dec 21 07:51:00 box postfix/qmgr[87935]: E835F2166C: from=<VirginMediaCommunitySupport@virginmedia.co.uk>, size=3692, nrcpt=1 (queue active)
Dec 21 07:51:03 box postfix/lmtp[9490]: E835F2166C: to=<me@ravenstar68.co.uk>, relay=127.0.0.1[127.0.0.1]:10025, delay=150, delays=148/0.01/0.01/2.6, dsn=2.0.0, status=sent (250 2.0.0 <me@ravenstar68.co.uk> SCp+KOTO/V0oEgAAqnml9w Saved)
Dec 21 07:51:03 box postfix/qmgr[87935]: E835F2166C: removed

Edit - What’s odd is that if I copy the source to a file on the VPS and test the file, I seem to get a DMARC pass:

root@box:/home# opendmarc -v -t mailtest
opendmarc: mailtest: mlfi_eom() returned SMFIS_ACCEPT

Tim
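Added example (not part of the thread, and not opendmarc's code): a minimal DMARC evaluation showing how the verdict for this message depends on which SPF identity is fed into it. RFC 7489 specifies the MAIL FROM identity; the function names are hypothetical and the small suffix set is a stand-in for the Public Suffix List.

```python
# Simplified stand-in for the Public Suffix List (assumption: a real
# evaluator uses the full list to derive the organizational domain).
PUBLIC_SUFFIXES = {"co.uk", "uk", "com", "org", "net"}


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, strict=False):
    """Identifier alignment: exact match if strict, else same org domain."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain, spf_domain, spf_result, dkim=(), strict=False):
    """DMARC passes if SPF or any DKIM signature both passes and aligns.

    dkim is an iterable of (d= domain, result) pairs.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, strict)
                  for dom, res in dkim)
    return "pass" if spf_ok or dkim_ok else "fail"


def compare_identities():
    """Evaluate the thread's message with each candidate SPF identity."""
    header_from = "virginmedia.co.uk"
    helo = "outbound-dkim.eu.khoros-mail.com"
    return {
        # MAIL FROM identity, SPF pass (the Kitterman tool result above)
        "mailfrom": dmarc_result(header_from, "virginmedia.co.uk", "pass"),
        # HELO identity, SPF none (SPF_HELO_NONE in the headers above)
        "helo": dmarc_result(header_from, helo, "none"),
        # Even a hypothetical SPF pass on HELO would not align with From
        "helo_if_pass": dmarc_result(header_from, helo, "pass"),
    }


if __name__ == "__main__":
    print(compare_identities())
```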