Mailing List Archive

On Mon, 2022-05-09 at 14:35 -0400, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC
> when mxlookup?says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> ?* ?1.8 DMARC_REJECT DMARC reject policy
> ?* ?6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> ?* ? ? ?and the domain has a DMARC reject policy
>
> It also passes SPF and DKIM
>
> ?* ?0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> ?* -0.0 SPF_PASS SPF: sender matches SPF record
> ?* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> ?* ? ? ? domain
> ?* -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> ?* ?0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> ?* ? ? ?valid
>
> I'm using a local DNS resolver, not a public server.
>

I'm pretty sure it can't pass SPF for the purposes of satisfying
DMARC with a null envelope sender.

Dunno why the DKIM didn't pass. Can you tell if the
d=ess.firstdata.com signature is valid or only the amazonses.com sig
(which wouldn't satisfy DMARC)?

On 2022-05-09 20:35, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC when
> mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> * and the domain has a DMARC reject policy

you have askDNS plugin loaded to get this hits, its not really checking
dmarc via Mail::DMARC

asuming you are not using spamassassin 4.x.x yet

dmarc plugin from spamassassin trunk is working with stable spamassassin
atleast with 3.4.6

On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:


> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
> https://pastebin.com/0T4Gjn3v
>

> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
>

> It also passes SPF and DKIM

As far as I understand, for DMARC to be valid, the enveloppe sender address and the header From needs to have the same domain. There are possibilities to allow or restrict subdomains. So if the domains are different (amazonses.com != firstdata.com), DMARC can't be valid. Regardless of what's written in the DMARC record, or if SPF and/or SPF are valid.

Best,
Laurent

On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
is rumored to have said:

> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:
>
>
>> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
>> https://pastebin.com/0T4Gjn3v
>>
>
>> * 1.8 DMARC_REJECT DMARC reject policy
>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>> * and the domain has a DMARC reject policy
>>
>
>> It also passes SPF and DKIM
>
> As far as I understand, for DMARC to be valid, the enveloppe sender address and the header From needs to have the same domain.

Not so.

One of SPF (using the domain of the envelope sender) or DKIM (using the domain of the signature) must validate AND the domain used in the validation must match the domain of the author identified by the From header.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

On 2022-05-09 at 14:35:58 UTC-0400 (Mon, 9 May 2022 14:35:58 -0400)
Alex <mysqlstudent@gmail.com>
is rumored to have said:

> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC when
> mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
>
> It also passes SPF and DKIM
>
> * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
> * domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
>
> I'm using a local DNS resolver, not a public server.

Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

>> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com> wrote:
>>> I'm trying to understand why this email from a bank fails DMARC when mxlookup says the DMARC record is just fine.
>>> https://pastebin.com/0T4Gjn3v
>>>
>>
>>> * 1.8 DMARC_REJECT DMARC reject policy
>>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>>> * and the domain has a DMARC reject policy
>>>
>>
>>> It also passes SPF and DKIM

>On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
>Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
>is rumored to have said:
>> As far as I understand, for DMARC to be valid, the enveloppe sender
>> address and the header From needs to have the same domain.

On 10.05.22 13:53, Bill Cole wrote:
>Not so.
>
>One of SPF (using the domain of the envelope sender) or DKIM (using the
> domain of the signature) must validate AND the domain used in the
> validation must match the domain of the author identified by the From
> header.

correct, however:

From: noreply@ess.firstdata.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
t=1652117979;
h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
Authentication-Results: mail03.example.com (amavisd-new);
dkim=pass (1024-bit key) header.d=ess.firstdata.com
header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
header.b="dwNxlXrW"

so the mail looks to be DMARC valid, while SA produces:

* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

On 2022-05-10 20:39, Matus UHLAR - fantomas wrote:
>>> On Monday, May 9th, 2022 at 20:35, Alex <mysqlstudent@gmail.com>
>>> wrote:
>>>> I'm trying to understand why this email from a bank fails DMARC when
>>>> mxlookup says the DMARC record is just fine.
>>>> https://pastebin.com/0T4Gjn3v
>>>>
>>>
>>>> * 1.8 DMARC_REJECT DMARC reject policy
>>>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>>>> message
>>>> * and the domain has a DMARC reject policy
>>>>
>>>
>>>> It also passes SPF and DKIM
>
>> On 2022-05-09 at 17:28:59 UTC-0400 (Mon, 09 May 2022 21:28:59 +0000)
>> Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch>
>> is rumored to have said:
>>> As far as I understand, for DMARC to be valid, the enveloppe sender
>>> address and the header From needs to have the same domain.
>
> On 10.05.22 13:53, Bill Cole wrote:
>> Not so.
>>
>> One of SPF (using the domain of the envelope sender) or DKIM (using
>> the domain of the signature) must validate AND the domain used in the
>> validation must match the domain of the author identified by the From
>> header.
>
> correct, however:
>
> From: noreply@ess.firstdata.com
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
> s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
> t=1652117979;
> h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
> bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
> b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
> XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
> h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
> Authentication-Results: mail03.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=ess.firstdata.com
> header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="dwNxlXrW"
>
> so the mail looks to be DMARC valid, while SA produces:
>
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> * and the domain has a DMARC reject policy

dkim=pass (1024-bit key) header.d=amazonses.com
header.b="dwNxlXrW"

this does not pass, why do amazonses add dkim :(

when multiple dkim signers is added all must pass for dmarc pass, i
belive this is the kam fails ?

when amazonses drops dkim signing on forwared mails it begins to be
stable, what amazonses should do here is to arc seal and arc sign, but
this must be done before breaking dkim when forwarding

we still wait for spamassassin 4.0.0

note to pmc members is that dmarc plugin do work with spamassassin
3.4.6, super, i can provide dmarc rule to public so askdns is not used
for dmarc rules anymore when dmarc plugin is loaded, i belive pmc
members can do this if version ... aswell :)

I believe this is a bug and fixed in trunk.

On 5/10/2022 1:55 PM, Bill Cole wrote:
> Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT

--
Kevin A. McGrail
KMcGrail@Apache.org

Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171

>On 2022-05-10 20:39, Matus UHLAR - fantomas wrote:
>>From: noreply@ess.firstdata.com
>>DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
>> s=6g5c7kdjkv3qjrxjsdzn3325ejghli53; d=ess.firstdata.com;
>> t=1652117979;
>> h=Date:From:Reply-To:To:Message-ID:Subject:MIME-Version:Content-Type;
>> bh=gRPH1y61kVZSDVPNuLr2WQo4Q0dpMd1ELWBGEE4Kp8c=;
>> b=MHojQsOqw1AZHyOIUQahSlbOQMMfufMtRltQ/Y3RCuYVO628KuErabQFB38mc82y
>> XcsgPG5Xl5Mck5OwlsK3vrS2cmVxfbBlgVRm6yzZehHaJ54Jakjqb5psalWNE5YN2Dw
>> h1tHFhykima88hgeOzw/KI8y8VidzkeEI/nHOMkk=
>>Authentication-Results: mail03.example.com (amavisd-new);
>> dkim=pass (1024-bit key) header.d=ess.firstdata.com
>> header.b="MHojQsOq"; dkim=pass (1024-bit key) header.d=amazonses.com
>> header.b="dwNxlXrW"
>>
>>so the mail looks to be DMARC valid, while SA produces:
>>
>> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
>>message
>> * and the domain has a DMARC reject policy

On 11.05.22 00:55, Benny Pedersen wrote:
>dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="dwNxlXrW"
>
>this does not pass, why do amazonses add dkim :(

it does not matter here.

>when multiple dkim signers is added all must pass for dmarc pass,

who told you this? any passing signature from the origin domain is enough.

> i belive this is the kam fails ?

it's more likely a bug

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod

Hi,

On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> I believe this is a bug and fixed in trunk.
>
> On 5/10/2022 1:55 PM, Bill Cole wrote:
> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
> also DMARC_REJECT and/or KAM_DMARC_REJECT
>


This was from svn version 1900493. I've now checked out 1900794, but that
somehow appears different from the version SA reports?

$ spamassassin --version
SpamAssassin version 4.0.0-r1900583
running on Perl version 5.34.1

My firstdata email does appear to now pass DKIM properly,
without DMARC_REJECT or KAM_DMARC_REJECT.

Any idea under what circumstances the DKIM check fails so I can watch for
it? Or can we consider it solved?

Hi, is it possible the DMARC_REJECT problem still exists?

https://pastebin.com/DCu9cq4t

* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* 1.8 DMARC_REJECT DMARC reject policy

Authentication-Results: xavier.example.com (amavisd-new);
dkim=pass (1024-bit key) header.d=hotwire.com
header.b="NEdhsCdV";
dkim=pass (1024-bit key) header.d=amazonses.com
header.b="UglVB1nr"

$ spamassassin --version
SpamAssassin version 4.0.0-r1900583
running on Perl version 5.34.1


On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi,
>
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
> wrote:
>
>> I believe this is a bug and fixed in trunk.
>>
>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>
>
>
> This was from svn version 1900493. I've now checked out 1900794, but that
> somehow appears different from the version SA reports?
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
> My firstdata email does appear to now pass DKIM properly,
> without DMARC_REJECT or KAM_DMARC_REJECT.
>
> Any idea under what circumstances the DKIM check fails so I can watch for
> it? Or can we consider it solved?
>
>
>

Hi, I think this is another - this one also includes KAM_DMARC_REJECT

https://pastebin.com/9g9VrgVK

* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* valid
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
* domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
* 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
* and the domain has a DMARC reject policy
* 1.8 DMARC_REJECT DMARC reject policy

Can this info even be added to the welcomelist or will that also now fail?



On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi, is it possible the DMARC_REJECT problem still exists?
>
> https://pastebin.com/DCu9cq4t
>
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> * domain
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Authentication-Results: xavier.example.com (amavisd-new);
> dkim=pass (1024-bit key) header.d=hotwire.com
> header.b="NEdhsCdV";
> dkim=pass (1024-bit key) header.d=amazonses.com
> header.b="UglVB1nr"
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
> running on Perl version 5.34.1
>
>
> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:
>
>> Hi,
>>
>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
>> wrote:
>>
>>> I believe this is a bug and fixed in trunk.
>>>
>>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>>
>>
>>
>> This was from svn version 1900493. I've now checked out 1900794, but that
>> somehow appears different from the version SA reports?
>>
>> $ spamassassin --version
>> SpamAssassin version 4.0.0-r1900583
>> running on Perl version 5.34.1
>>
>> My firstdata email does appear to now pass DKIM properly,
>> without DMARC_REJECT or KAM_DMARC_REJECT.
>>
>> Any idea under what circumstances the DKIM check fails so I can watch for
>> it? Or can we consider it solved?
>>
>>
>>

Alex,

#1 you can use the welcomelist entries but NOT the welcomelist_auth entries
if DMARC is failing.

#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that
we are working through, sorry to say it's been rougher than I wanted too.
But we have it in production and we are working on edge cases from my end.

#3 At my work at PCCC, we changed some concepts to install the KAM rules so
they are parsed after the stock rules for some of the default DMARC scores
to change too. We used a new option for sa-update that Henrik added to do
this. I'll ask for some info about it and test that pastebin to see if it
fails on our system too. I was also discussing more DMARC/DKIM regression
tests are needed. It's too fragile.

Regards,
KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstudent@gmail.com> wrote:

> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
>
> https://pastebin.com/9g9VrgVK
>
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
> * valid
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> * domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
> * and the domain has a DMARC reject policy
> * 1.8 DMARC_REJECT DMARC reject policy
>
> Can this info even be added to the welcomelist or will that also now fail?
>
>
>
> On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com> wrote:
>
>> Hi, is it possible the DMARC_REJECT problem still exists?
>>
>> https://pastebin.com/DCu9cq4t
>>
>> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>> * valid
>> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
>> author's
>> * domain
>> * 1.8 DMARC_REJECT DMARC reject policy
>>
>> Authentication-Results: xavier.example.com (amavisd-new);
>> dkim=pass (1024-bit key) header.d=hotwire.com
>> header.b="NEdhsCdV";
>> dkim=pass (1024-bit key) header.d=amazonses.com
>> header.b="UglVB1nr"
>>
>> $ spamassassin --version
>> SpamAssassin version 4.0.0-r1900583
>> running on Perl version 5.34.1
>>
>>
>> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org>
>>> wrote:
>>>
>>>> I believe this is a bug and fixed in trunk.
>>>>
>>>> On 5/10/2022 1:55 PM, Bill Cole wrote:
>>>> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and
>>>> also DMARC_REJECT and/or KAM_DMARC_REJECT
>>>>
>>>
>>>
>>> This was from svn version 1900493. I've now checked out 1900794, but
>>> that somehow appears different from the version SA reports?
>>>
>>> $ spamassassin --version
>>> SpamAssassin version 4.0.0-r1900583
>>> running on Perl version 5.34.1
>>>
>>> My firstdata email does appear to now pass DKIM properly,
>>> without DMARC_REJECT or KAM_DMARC_REJECT.
>>>
>>> Any idea under what circumstances the DKIM check fails so I can watch
>>> for it? Or can we consider it solved?
>>>
>>>
>>>

On 22.05.22 12:25, Kevin A. McGrail wrote:
>#1 you can use the welcomelist entries but NOT the welcomelist_auth entries
>if DMARC is failing.

isn't welcomelist_auth okay with DKIM_VALID_AU ?

>#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that
>we are working through, sorry to say it's been rougher than I wanted too.
>But we have it in production and we are working on edge cases from my end.

Alex (OP), do you have Mail::DMARC installed?

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.

On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
wrote:

> On 22.05.22 12:25, Kevin A. McGrail wrote:
> >#1 you can use the welcomelist entries but NOT the welcomelist_auth
> entries
> >if DMARC is failing.
>
> isn't welcomelist_auth okay with DKIM_VALID_AU ?
>

It looks like welcomelist_auth works with SPF even when this DMARC_REJECT
occurs, I believe.


> >#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues
> that
> >we are working through, sorry to say it's been rougher than I wanted too.
> >But we have it in production and we are working on edge cases from my end.
>
> Alex (OP), do you have Mail::DMARC installed?
>

May 22 15:12:59.482 [865542] dbg: plugin: loading
Mail::SpamAssassin::Plugin::DMARC from @INC

I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

On 5/22/22 18:25, Kevin A. McGrail wrote:
> Alex,
>
> #1 you can use the welcomelist entries but NOT the welcomelist_auth entries if DMARC is failing.
>
> #2 There are definitely some issues with SA 4.0 Trunk and DMARC issues that we are working through, sorry to say it's been rougher than I wanted too.  But we have it in production and we are working on edge cases from my end.
>
> #3 At my work at PCCC, we changed some concepts to install the KAM rules so they are parsed after the stock rules for some of the default DMARC scores to change too.  We used a new option for sa-update that Henrik added to do this.  I'll ask for some info about it and test that pastebin to see if it fails on our system too.  I was also discussing more DMARC/DKIM regression tests are needed.  It's too fragile.
>
starting from r1900857, official ASF channels are loaded first, then all other channels in alphabetical order.

I would like to better check the original email if possible.

Giovanni


> Regards,
> KAM
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail <https://www.linkedin.com/in/kmcgrail> - 703.798.0171
>
>
> On Sun, May 22, 2022 at 11:25 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi, I think this is another - this one also includes KAM_DMARC_REJECT
>
> https://pastebin.com/9g9VrgVK <https://pastebin.com/9g9VrgVK>
>
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message
>  *      and the domain has a DMARC reject policy
>  *  1.8 DMARC_REJECT DMARC reject policy
>
> Can this info even be added to the welcomelist or will that also now fail?
>
>
>
> On Sun, May 22, 2022 at 11:10 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi, is it possible the DMARC_REJECT problem still exists?
>
> https://pastebin.com/DCu9cq4t <https://pastebin.com/DCu9cq4t>
>
>  * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
>  *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
>  *      valid
>  * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
>  *       domain
>  *  1.8 DMARC_REJECT DMARC reject policy
>
> Authentication-Results: xavier.example.com <http://xavier.example.com> (amavisd-new);
>             dkim=pass (1024-bit key) header.d=hotwire.com <http://hotwire.com> header.b="NEdhsCdV";
>             dkim=pass (1024-bit key) header.d=amazonses.com <http://amazonses.com> header.b="UglVB1nr"
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
>
>
> On Wed, May 11, 2022 at 9:01 AM Alex <mysqlstudent@gmail.com <mailto:mysqlstudent@gmail.com>> wrote:
>
> Hi,
>
> On Tue, May 10, 2022 at 7:00 PM Kevin A. McGrail <kmcgrail@apache.org <mailto:kmcgrail@apache.org>> wrote:
>
> I believe this is a bug and fixed in trunk.
>
> On 5/10/2022 1:55 PM, Bill Cole wrote:
> > Looks like a bug. It should not be possible to hit DKIM_VALID_AU and also DMARC_REJECT and/or KAM_DMARC_REJECT
>
>
>
> This was from svn version 1900493. I've now checked out 1900794, but that somehow appears different from the version SA reports?
>
> $ spamassassin --version
> SpamAssassin version 4.0.0-r1900583
>   running on Perl version 5.34.1
>
> My firstdata email does appear to now pass DKIM properly, without DMARC_REJECT or KAM_DMARC_REJECT.
>
> Any idea under what circumstances the DKIM check fails so I can watch for it? Or can we consider it solved?
>
>

On 2022-05-23 10:11, giovanni@paclan.it wrote:

> starting from r1900857, official ASF channels are loaded first, then
> all other channels in alphabetical order.
>
> I would like to better check the original email if possible.

dmarc plugin would have to inhirit AuthRes results, imho current dmarc
plugin miss this

i am still unsure if AuthRes is usefull in other tests as is now

>> On 22.05.22 12:25, Kevin A. McGrail wrote:
>> >#1 you can use the welcomelist entries but NOT the welcomelist_auth
>> >entries if DMARC is failing.

>On Sun, May 22, 2022 at 1:51 PM Matus UHLAR - fantomas <uhlar@fantomas.sk>
>wrote:
>> isn't welcomelist_auth okay with DKIM_VALID_AU ?

On 22.05.22 15:17, Alex wrote:
>It looks like welcomelist_auth works with SPF even when this DMARC_REJECT
>occurs, I believe.

welcomelist_auth requires SPF or DKIM pass result, so passing either should
cause welcomelist_auth to hit.

...unless the code was rewritten to ignore those when DMARC causes fail.

>> >#2 There are definitely some issues with SA 4.0 Trunk and DMARC issues
>> >that we are working through, sorry to say it's been rougher than I
>> >wanted too. But we have it in production and we are working on edge
>> >cases from my end.
>>
>> Alex (OP), do you have Mail::DMARC installed?

>May 22 15:12:59.482 [865542] dbg: plugin: loading
>Mail::SpamAssassin::Plugin::DMARC from @INC

this is the SA plugin, not the perl library...

>I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.

... and this is the perl library.

I see you have both KAM_DMARC_REJECT and DMARC_REJECT
- KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
isn't available, but uses the library if it does.

could you (temporarily) uninstall the perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
if it fixes the problem?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe.

>On 2022-05-23 10:11, giovanni@paclan.it wrote:
>>starting from r1900857, official ASF channels are loaded first, then
>>all other channels in alphabetical order.
>>
>>I would like to better check the original email if possible.

On 23.05.22 11:01, Benny Pedersen wrote:
>dmarc plugin would have to inhirit AuthRes results, imho current dmarc
>plugin miss this
>
>i am still unsure if AuthRes is usefull in other tests as is now

I agree, however both the original mails don't have DMARC result in
Authentication-Results: headers.

They both have dkim=pass in Authentication-Results: and both hit
DKIM_VALID_AU.

https://pastebin.com/9g9VrgVK
https://pastebin.com/DCu9cq4t


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggets disasters: Hiroshima 45, Tschernobyl 86, Windows 95

>
>
>
> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>
> ... and this is the perl library.
>
> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> isn't available, but uses the library if it does.
>
> could you (temporarily) uninstall the
> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> if it fixes the problem?
>

Since uninstalling it this morning, there have been no other occurrences of
KAM_DMARC_REJECT all day for any emails.

The last DMARC_REJECT was also this morning prior to uninstalling
perl-Mail-Dmarc-PurePerl.

The only other references to DMARC today have been from KAM_DMARC_STATUS

>
>
>
> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>
> ... and this is the perl library.
>
> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
> isn't available, but uses the library if it does.
>
> could you (temporarily) uninstall the
> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
> if it fixes the problem?
>

Since uninstalling it this morning, there have been no other occurrences of
KAM_DMARC_REJECT all day for any emails.

The last DMARC_REJECT was also this morning prior to uninstalling
perl-Mail-Dmarc-PurePerl.

The only other references to DMARC today have been from KAM_DMARC_STATUS

On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:

>
>>
>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>
>> ... and this is the perl library.
>>
>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> isn't available, but uses the library if it does.
>>
>> could you (temporarily) uninstall the
>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> if it fixes the problem?
>>
>
> Since uninstalling it this morning, there have been no other occurrences
> of KAM_DMARC_REJECT all day for any emails.
>
> The last DMARC_REJECT was also this morning prior to uninstalling
> perl-Mail-Dmarc-PurePerl.
>
> The only other references to DMARC today have been from KAM_DMARC_STATUS
>

What are the proper libraries that should be used to support DMARC with SA?

On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:

>
>>
>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>
>> ... and this is the perl library.
>>
>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>> isn't available, but uses the library if it does.
>>
>> could you (temporarily) uninstall the
>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>> if it fixes the problem?
>>
>
> Since uninstalling it this morning, there have been no other occurrences
> of KAM_DMARC_REJECT all day for any emails.
>
> The last DMARC_REJECT was also this morning prior to uninstalling
> perl-Mail-Dmarc-PurePerl.
>
> The only other references to DMARC today have been from KAM_DMARC_STATUS
>

What are the proper libraries that should be used to support DMARC with SA?

>>> >I have perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch installed.
>>>
>>> ... and this is the perl library.
>>>
>>> I see you have both KAM_DMARC_REJECT and DMARC_REJECT
>>> - KAM_DMARC_REJECT has workarounds if Mail::SpamAssassin::Plugin::DMARC
>>> isn't available, but uses the library if it does.
>>>
>>> could you (temporarily) uninstall the
>>> perl-Mail-Dmarc-PurePerl-1.20211209-2.fc35.noarch
>>> if it fixes the problem?

>On Mon, May 23, 2022 at 8:16 PM Alex <mysqlstudent@gmail.com> wrote:
>> Since uninstalling it this morning, there have been no other occurrences
>> of KAM_DMARC_REJECT all day for any emails.

have there been rejects often before?

can you re-run spamassassin over those messages to see if uninstalling that
package fixed the error with the same e-mails?

>> The last DMARC_REJECT was also this morning prior to uninstalling
>> perl-Mail-Dmarc-PurePerl.
>>
>> The only other references to DMARC today have been from KAM_DMARC_STATUS

On 24.05.22 13:02, Alex wrote:
>What are the proper libraries that should be used to support DMARC with SA?

This one should be, but there seems to be either a bug in that library or in
SA code handling that.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?