SPF macros are seemingly not expanded - opendmarc prob?

Hi mailinabox forum,

I have had a search about and I cannot find anything directly relating to the issue that I am having, but I seem to be having problems with mail from valid domains being tagged as spam and thus quarantined. On closer inspection it seems that opendmarc is flagging these particular messages with SPF fail, and on closer inspection still this appears to affect domains that use SPF macros. For example a domain that has the likes of:

include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email

When testing “ordinary” domains with regular SPF information, all tests are good.

To give some history on this, this seems to be happening on all three of the mail servers I maintain using this very helpfully put together stack, although I should point out I have some “minor modifications” which I totally understand are not supported. I am still running 53a on Ubuntu 18.04 LTS, I have not yet plunged into deploying the 6x version on 22.04 as of yet…

Any tips from the community on debugging opendmarc? From the looks of it when I did a packet dump looking for DNS, I can see the DNS lookups for the main SPF lookup taking place, but no attempt to parse this and then perform a lookup the likes of

IN TXT 1.2.3.4._ip.ehlo.domain.com._ehlo.domain.com._spf.vali.email

Does anyone know if this is simply not supported in opendmarc? As I said not a lot of results came up with my googling, and I haven’t asked chatGPT yet ha.

Tips and pointers would be greatly appreciated, but please be gentle in replies to my acknowledged “modified” mailinabox setup. I would like to add that I have tested a vanilla install as well, but with the same results, opendmarc doesn’t seem to want to play nicely with macros.

Cheers
Chris
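For readers who want to see what the missing step actually is: the expected lookup name quoted above is what an SPF evaluator gets by applying the macro expansion rules of RFC 7208 section 7 to the include target. The following is an added Python example for this thread, not code from the original post, mailinabox, opendmarc or libspf2. The sender, client IP, HELO name and domain used in the `__main__` block are constructed so that the output matches the lookup the post expected to see; the code also goes beyond the post by handling the reverse (`r`) and digit transformers, custom delimiters, URL-encoding for uppercase macro letters and IPv6 nibble notation.

```python
"""Expand SPF macros (RFC 7208 section 7) into the DNS name an evaluator must
query. Added example for this thread; not code from mailinabox, opendmarc,
libspf2 or policyd-spf."""
import ipaddress
import re
from urllib.parse import quote

# One regex handles %{...} macros and the three literal escapes %%, %_ and %-
# in a single pass, so an expanded value can never be re-expanded.
MACRO_RE = re.compile(
    r"%\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}|%%|%_|%-", re.IGNORECASE
)


def _ip_for_macro(client_ip):
    """%{i}: dotted quad for IPv4, dot-separated nibbles for IPv6."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        return str(ip)
    return ".".join(ip.exploded.replace(":", ""))


def expand_spf_macros(text, sender, client_ip, helo, domain):
    """Expand every macro in `text`.

    sender     MAIL FROM address (%{s}, %{l}, %{o})
    client_ip  connecting IP address (%{i}, %{v})
    helo       EHLO/HELO hostname (%{h})
    domain     domain whose SPF record is being evaluated (%{d})
    """
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender,
        "l": local,
        "o": sender_domain,
        "d": domain,
        "i": _ip_for_macro(client_ip),
        "p": "unknown",  # validated PTR name; RFC 7208 discourages using it
        "h": helo,
        "v": "in-addr" if ipaddress.ip_address(client_ip).version == 4 else "ip6",
    }

    def replace(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delims = match.groups()
        # Split on the listed delimiters (default "."), optionally reverse,
        # keep the rightmost <digits> labels, then rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        expanded = ".".join(parts)
        # An uppercase macro letter means URL-encode the result.
        return quote(expanded, safe="") if letter.isupper() else expanded

    return MACRO_RE.sub(replace, text)


def include_lookup_name(term, sender, client_ip, helo, domain):
    """Return the TXT name an evaluator queries for an include:/redirect= term."""
    _, _, target = term.partition(":") if term.startswith("include:") else term.partition("=")
    return expand_spf_macros(target, sender, client_ip, helo, domain)


if __name__ == "__main__":
    # Constructed values chosen to reproduce the lookup the post expected to see.
    print(include_lookup_name(
        "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email",
        sender="joe.bloggs@domain.com", client_ip="1.2.3.4",
        helo="ehlo.domain.com", domain="domain.com",
    ))
```

Running it prints `1.2.3.4._ip.ehlo.domain.com._ehlo.domain.com._spf.vali.email`, i.e. the secondary TXT query that should follow the first lookup; if a packet capture of the receiving server shows the parent TXT query but never a name of this shape, the evaluator in use is not expanding the macros.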

Ok, so I have no experience whatsoever with this, but:

  • This states that macros are supported.
  • There have been some updates to opendmarc and libspf2 in Ubuntu between 18.04 and 22.04, so perhaps you’re hitting an issue that has already been solved.

Sorry, no real help here.

Thanks, that is helpful, believe it or not I landed on that as well. Checking the libs referenced though, the current ver does bear libspf2, whether or not that has some additional patching I was unable to determine, it sounds like I do need to plunge into 22.04 with the latest version to see what my mileage is like.

Changelog for libspf2 can be found here. There has been no upstream release for years.
Changelog for opendmarc for the Ubuntu packaging is also there. But in the meantime upstream has released several versions from 1.3.something to 1.4.2. The upstream changelog is not included in the Ubuntu packaging changelog.

So I took the plunge and made a new Ubuntu 22.04 box, restored my data to it, running a healthy 61.1 mailinabox on it.

This box is unmodified, it’s literally out of the box. All systems seem to be working absolutely fine, but testing SPF macros still seems to be causing SPF fail and subsequent delivery to spam folder…

I’ve verified from this site SPF Policy Tester - ORF using a domain that I have very carefully set up an SPF macro’d record for, and the subsequent child record, and if I carefully test this under the advanced tab with my sender address, EHLO hostname of the server and the sending IP, it reckons all is good.

When I do a real world test across the Internet to my new 61.1 mailinabox, I can see the same as before. DNS lookup for the TXT record for the domain being performed with the macro’d reply, but nothing else and then a hard fail. It’s like the macros are not even being looked at, parsed to then invoke a secondary DNS lookup which is what I would expect.

I need to get debuggy with opendmarc, but I’m a bit stuck… has really nobody had this problem before?

Hello again everyone, thought I would update on this with my solution. Not getting anywhere with opendmarc, just flatly refuses to expand SPF macros, so what I have done is:

a) install postfix-policyd-spf-python

sudo apt install postfix-policyd-spf-python

b) unconfigure the HELO_reject and Mail_From_reject in /etc/postfix-policyd-spf-python/policyd-spf.conf

HELO_reject = False
Mail_From_reject = False

c) added the following stanza to /etc/postfix/master.cf

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

d) added a new smtpd_recipient_restrictions entry as follows in /etc/postfix/main.cf

check_policy_service unix:private/policyd-spf

e) reloaded postfix

systemctl reload postfix

f) updated the conf for opendmarc so that it does NOT ignore SPF header references and does NOT do its own lookups in /etc/opendmarc.conf

SPFIgnoreResults false
SPFSelfValidate false

and restarted opendmarc

systemctl reload opendmarc

Now when I receive a message from a domain with macros in the SPF record for that domain, these are now parsed and policyd-spf adds a header to the email. Opendmarc reads that header and performs the appropriate dmarc pass/fail response.

example header with opendmarc from a macro’d domain

Authentication-Results: box.mymail dmarc=pass (p=reject dis=none) header.from=example.com
Authentication-Results: box.mymail; spf=fail smtp.mailfrom=joe.bloggs@example.com
Authentication-Results: box.mymail;
	dkim=pass (2048-bit key; unprotected) header.d=example.com header.i=@example.com header.b="cLcDisFT";
	dkim=pass (2048-bit key; unprotected) header.d=example.com header.i=@example.com header.b="gE+RpYGP";
	dkim-atps=neutral

and an example with it working using policyd

Authentication-Results: box.mymail; dmarc=pass (p=reject dis=none) header.from=example.com
Authentication-Results: box.mymail;
	dkim=pass (2048-bit key; unprotected) header.d=example.com header.i=@example.com header.a=rsa-sha256 header.s=ess25052020 header.b=cLcDisFT;
	dkim=pass (2048-bit key; unprotected) header.d=example.com header.i=@example.com header.a=rsa-sha256 header.s=selector1 header.b=gE+RpYGP;
	dkim-atps=neutral
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=3.4.5.6; helo=remote.example.com; envelope-from=joe.bloggs@example.com; receiver=<UNKNOWN> 
1 Like
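To confirm on real mail which component produced the SPF verdict that opendmarc used, the two header samples above can be parsed rather than read by eye. The following is an added Python example for this thread, not code from the post, mailinabox, opendmarc or policyd-spf: it unfolds the Authentication-Results and Received-SPF headers, strips the parenthesised comments (which may themselves contain semicolons, as in "(2048-bit key; unprotected)"), and reports the SPF result with its source, the DMARC result and policy, and each DKIM signature's domain. The two embedded messages are constructed from the samples in the thread with the same illustrative values, and the parser tolerates the missing ";" after the authserv-id seen in the first sample.

```python
"""Pull the SPF, DKIM and DMARC verdicts out of a received message's
Authentication-Results and Received-SPF headers. Added example for this
thread; not code from mailinabox, opendmarc or policyd-spf."""
import email
import re

COMMENT_RE = re.compile(r"\([^()]*\)")  # RFC 5322 comments, e.g. "(p=reject dis=none)"


def _clean(value):
    """Unfold a header, drop comments (they may contain ';'), squeeze spaces."""
    value = re.sub(r"\r?\n[ \t]*", " ", value)
    return re.sub(r"\s+", " ", COMMENT_RE.sub("", value)).strip()


def parse_authentication_results(value):
    """'authserv-id; method=result prop=val ...; ...' -> list of result dicts."""
    policy = re.search(r"\(\s*p=(\w+)", value)  # DMARC policy sits in the comment
    parts = [p.strip() for p in _clean(value).split(";") if p.strip()]
    authserv, *clauses = parts
    if " " in authserv:  # tolerate a missing ';' after the authserv-id
        authserv, first = authserv.split(" ", 1)
        clauses.insert(0, first)
    results = []
    for clause in clauses:
        tokens = clause.split(" ")
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry = {"authserv": authserv, "method": method, "result": result.lower(), "props": props}
        if method == "dmarc" and policy:
            entry["policy"] = policy.group(1)
        results.append(entry)
    return results


def parse_received_spf(value):
    """'Pass (mailfrom) identity=mailfrom; client-ip=...; ...' -> dict."""
    result, _, rest = _clean(value).partition(" ")
    props = {}
    for kv in rest.split(";"):
        key, _, val = kv.strip().partition("=")
        if key:
            props[key.strip()] = val.strip()
    return {"result": result.lower(), "props": props}


def summarise(raw_message):
    """Return the verdicts a postmaster wants to see: where SPF came from,
    whether DMARC passed and under which policy, and each DKIM signature."""
    msg = email.message_from_string(raw_message)
    summary = {"dmarc": None, "dmarc_policy": None, "spf": None,
               "spf_source": None, "client_ip": None, "dkim": []}
    for value in msg.get_all("Authentication-Results", []):
        for r in parse_authentication_results(value):
            if r["method"] == "dmarc":
                summary["dmarc"] = r["result"]
                summary["dmarc_policy"] = r.get("policy")
            elif r["method"] == "spf":
                summary["spf"], summary["spf_source"] = r["result"], "Authentication-Results"
            elif r["method"] == "dkim":
                summary["dkim"].append((r["props"].get("header.d"), r["result"]))
    # With SPFIgnoreResults false, opendmarc takes the policy daemon's header.
    if summary["spf"] is None:
        for value in msg.get_all("Received-SPF", []):
            spf = parse_received_spf(value)
            summary["spf"], summary["spf_source"] = spf["result"], "Received-SPF"
            summary["client_ip"] = spf["props"].get("client-ip")
    return summary


# Constructed headers modelled on the two samples in the thread (values illustrative).
OPENDMARC_ONLY = (
    "Authentication-Results: box.mymail dmarc=pass (p=reject dis=none) header.from=example.com\n"
    "Authentication-Results: box.mymail; spf=fail smtp.mailfrom=joe.bloggs@example.com\n"
    "Authentication-Results: box.mymail;\n"
    "\tdkim=pass (2048-bit key; unprotected) header.d=example.com header.b=\"cLcDisFT\";\n"
    "\tdkim-atps=neutral\n"
    "Subject: test\n\nbody\n"
)
WITH_POLICYD = (
    "Authentication-Results: box.mymail; dmarc=pass (p=reject dis=none) header.from=example.com\n"
    "Authentication-Results: box.mymail;\n"
    "\tdkim=pass (2048-bit key; unprotected) header.d=example.com header.s=selector1 header.b=gE+RpYGP;\n"
    "\tdkim-atps=neutral\n"
    "Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=3.4.5.6; helo=remote.example.com;"
    " envelope-from=joe.bloggs@example.com; receiver=<UNKNOWN>\n"
    "Subject: test\n\nbody\n"
)

if __name__ == "__main__":
    print(summarise(OPENDMARC_ONLY))
    print(summarise(WITH_POLICYD))
```

On the first sample the summary reports `spf` as `fail` sourced from Authentication-Results (opendmarc's own evaluation); on the second it reports `pass` sourced from Received-SPF with the client IP, which is the evidence that policyd-spf did the expansion and opendmarc honoured its result.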