SPF macros are seemingly not expanded - opendmarc prob?

Hi mailinabox forum,

I have had a search about and I cannot find anything directly relating to the issue that I am having, but I seem to be having problems with mail from valid domains being tagged as spam and thus quarantined. On closer inspection it seems that opendmarc is flagging these particular messages with SPF fail, and on closer inspection still this appears to affect domains that use SPF macros. For example a domain that has the likes of:

include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email

When testing “ordinary” domains with regular SPF information, all tests are good.

To give some history on this, this seems to be happening on all three of the mail servers I maintain using this very helpful put together stack, although I should point out I have some “minor modifications” which I totally understand are not supported. I am still running 53a on Ubuntu 18.04 LTS, I have not yet plunged into deploying the 6x version on 22.04 as of yet…

Any tips from the community on debugging opendmarc? From the looks of it when I did a packet dump looking for DNS, I can see the DNS lookups for the main SPF lookup taking place, but no attempt to parse this and then perform a lookup the likes of

IN TXT 1.2.3.4._ip.ehlo.domain.com._ehlo.domain.com._spf.vali.email

Does anyone know if this is simply not supported in opendmarc? As I said not a lot of results came with my googling, and I haven’t asked ChatGPT yet ha.

Tips and pointers would be greatly appreciated, but please be gentle in replies to my acknowledged “modified” mailinabox setup. I would like to add that I have tested a vanilla install as well, but the same results, opendmarc doesn’t seem to want to play nicely with macros.

Cheers
Chris

Ok, so I have no experience whatsoever with this, but:

  • This states that macros are supported.
  • There have been some updates to opendmarc and libspf2 in Ubuntu between 18.04 and 22.04, so perhaps you’re hitting an issue that has already been solved.

Sorry, no real help here.

Thanks, that is helpful, believe it or not I landed on that as well. Checking the libs referenced though, the current ver does bear libspf2, whether or not that has some additional patching I was unable to determine, it sounds like I do need to plunge into 22.04 with the latest version to see what my mileage is like.

Changelog for libspf2 can be found here. There has been no upstream release for years.
Changelog for opendmarc for the Ubuntu packaging is also there. But in the meantime upstream has released several versions from 1.3.something to 1.4.2. The upstream changelog is not included in the Ubuntu packaging changelog.

So I took the plunge and made a new Ubuntu 22.04 box, restored my data to it, running a healthy 61.1 mailinabox on it.

This box is unmodified, it’s literally out of the box. All systems seem to be working absolutely fine, but testing SPF macros still seems to be causing SPF fail and subsequent delivery to spam folder…

I’ve verified from this site SPF Policy Tester - ORF using a domain that I have very carefully set up an SPF macro’d record, and the subsequent child record, and if I carefully test this under the advanced tab my sender address, EHLO hostname of the server and the sending IP, it reckons all is good.

When I do a real world test across the Internet to my new 61.1 mailinabox, I can see the same as before. DNS lookup for the TXT record for the domain being performed with the macro’d reply, but nothing else and then a hard fail. It’s like the macros are not even being looked at, parsed to then invoke a secondary DNS lookup which is what I would expect.

I need to get debuggy with opendmarc, but I’m a bit stuck… has really nobody had this problem before?
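
For comparing a packet capture against the name an RFC 7208 evaluator should query, here is an added example (not part of the thread, and not opendmarc or libspf2 code) that expands the macros in an include: target like the one quoted in the first post. The function name, the sample sender address and the "unknown" stand-in for %{p} are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import quote

# RFC 7208 section 7.1: %{letter digits r delimiters}, or the literals %%, %_, %-
MACRO = re.compile(r"%(?:\{([slodivhp])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))", re.I)
LITERALS = {"%": "%", "_": " ", "-": "%20"}


def expand_spf_macros(spec, ip, helo, sender, domain=None):
    """Expand SPF macros in a domain-spec such as an include: target."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    local = local or "postmaster"          # RFC 7208 section 4.3 default
    if addr.version == 4:
        i_value, v_value = str(addr), "in-addr"
    else:                                  # IPv6 expands to dot-separated nibbles
        i_value, v_value = ".".join(addr.exploded.replace(":", "")), "ip6"
    values = {
        "s": f"{local}@{sender_domain}", "l": local, "o": sender_domain,
        "d": domain or sender_domain,      # domain whose record is being evaluated
        "i": i_value, "v": v_value, "h": helo,
        "p": "unknown",                    # assumption: no validated PTR lookup is done here
    }

    def substitute(match):
        letter, digits, reverse, delimiters, literal = match.groups()
        if literal:
            return LITERALS[literal]
        parts = re.split("[" + re.escape(delimiters or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("macro digit transformer must be nonzero")
            parts = parts[-int(digits):]   # keep the rightmost N labels
        expanded = ".".join(parts)
        # An uppercase macro letter means the expansion is URL-escaped
        return quote(expanded, safe="") if letter.isupper() else expanded

    return MACRO.sub(substitute, spec)


# Constructed sample values matching the lookup quoted in the first post
SPEC = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"

if __name__ == "__main__":
    print(expand_spf_macros(SPEC, "1.2.3.4", "ehlo.domain.com", "user@domain.com"))
```

If the capture shows the TXT query for the sending domain but never a query for the expanded name, the evaluator stopped before or during macro expansion rather than at the child record.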