OpenDMARC settings / blacklist?

I’ve encountered a few mail servers with seemingly incorrect dmarc settings and I’m wondering if there’s a way to blacklist them so the dmarc response messages are skipped.

Most recently, I encountered this sequence:

  • I received a message from a mail server
  • DMARC sent a failure notice to that server
  • The response address doesn’t exist so the server sent an error message back to my server
  • That message also failed DMARC so another message was sent to their invalid address
  • and repeat

Fortunately the cycle is broken by something after 30 or so messages.

In another case I had to unsubscribe from an email list because every message I received was triggering a DMARC failure, which they interpreted as spam and I then had to jump through hoops with Microsoft to get my IP unblocked.

I’d even be fine with just turning off all outgoing DMARC responses. That might not be ideal for being a good email citizen, but it’d be an option.

Any suggestions?

Thanks for your help.

This is interesting, because DMARC messages are only sent when there is a DMARC record with an address configured. Literally, the domain owner is requesting you to send an email.

I would send an email to the address listed in the domain’s SOA record.

The list needs to update what they are doing to send messages, because there are probably a lot of people who don’t receive messages from domains that have p=reject configured since the large mail providers do not allow those messages through.

Right now you are experiencing problems related to how others are interpreting a standard, not MiaB specifically.

The settings are configured in /etc/opendmarc.conf and changes to that file will be commented out and default settings restored every time you upgrade MiaB to a new version.

Also, if you want to see how it looks to receive messages, set your DMARC record to:

v=DMARC1;  p=quarantine; rua=mailto:username@example.com

You will see Google, Yahoo!, Microsoft, and others sending you reports. So here you will clearly see that MiaB is doing what Microsoft is doing but also blocked you for.

You can also create an alias opendmarc@box.example.net so you can receive messages or replies to the reports MiaB is sending.

Additionally, opendmarc.conf has a setting to configure a BCC for every report it sends out.

Thanks. For now I set FailureReports false. I’ll investigate further to see if there’s a tighter way to control this or some way to better resolve the issue.
Thanks for the tips.

And agreed. It’s “interesting” that they configured the setting to request the emails, but then misconfigured it to fail.

I’ll report back if I find anything enlightening.

How did this go in the end, is there a more permanent / cleaner solution?

I’ve had this issue over and over with a few individual opendmarc messages bouncing back to me.
Today this has kicked off an avalanche of about 10 undelivered messages and failure reports looping back and forth each minute for about 4-5 hours until I saw and stopped it.

I fully agree it’s not caused by MIAB, it is the other end that’s problematic. I wonder if MIAB could handle poorly configured email hosts better. Any ideas?

Many thanks in advance :slight_smile:

T

PS… sorry for reviving an old post, I’m just really glad someone else has observed the same issue in the past.

I didn’t make any progress past disabling the responses. Unfortunately, it stems like a case where the misbehaving servers are going to win. Ideally they’d be penalized for the misconfiguration, but I don’t see how that works out.
A spam list that validates DMARC addresses?

1 Like