I'm running postfix and I'm having emails rejected by opendmarc that appear to be valid. Here is an example:
Apr 9 17:51:40 primary postfix/smtpd[517925]: D4FAB20161: client=lg95.mta.exacttarget.com[13.111.200.95]
Apr 9 17:51:40 primary postfix/cleanup[517934]: D4FAB20161: message-id=<11da900f-a969-4c7b-983d-4924473146bf@dfw1s10mta1094.xt.local>
Apr 9 17:51:40 primary opendkim[744]: D4FAB20161: lg95.mta.exacttarget.com [13.111.200.95] not internal
Apr 9 17:51:40 primary opendkim[744]: D4FAB20161: not authenticated
Apr 9 17:51:40 primary opendkim[744]: D4FAB20161: message has signatures from services.barclaysus.com, s10.y.mc.salesforce.com
Apr 9 17:51:40 primary opendkim[744]: D4FAB20161: bad signature data
Apr 9 17:51:41 primary opendmarc[745]: D4FAB20161: SPF(mailfrom): bounce.emails.barclaysus.com pass
Apr 9 17:51:41 primary opendmarc[745]: D4FAB20161: services.BarclaysUS.com fail
Apr 9 17:51:41 primary postfix/cleanup[517934]: D4FAB20161: milter-reject: END-OF-MESSAGE from lg95.mta.exacttarget.com[13.111.200.95]: 5.7.1 rejected by DMARC policy for services.BarclaysUS.com; from=<bounce-18_HTML-217530911-7649892-515001007-1@bounce.emails.barclaysus.com> to=<xxx@xxxxxxx.com> proto=ESMTP helo=<lg95.mta.exacttarget.com>
The DMARC record looks like:
v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com
So, it's set to reject.
If I look at the SPF record for services.barclaysus.com I see:
services.barclaysus.com. 3600 IN TXT "v=spf1 include:cust-spf.exacttarget.com -all"
If I look at the SPF record for cust-spf.exacttarget.com I see:
cust-spf.exacttarget.com. 169 IN TXT "v=spf1 ip4:64.132.92.0/24 ip4:64.132.88.0/23 ip4:66.231.80.0/20 ip4:68.232.192.0/20 ip4:199.122.120.0/21 ip4:207.67.38.0/24 " "ip4:128.17.0.0/20 ip4:128.17.64.0/20 ip4:128.17.128.0/20 ip4:128.17.192.0/20 ip4:128.245.0.0/20 ip4:128.245.64.0/20 ip4:13.111.191.0/24 " "ip4:128.245.242.0/24 ip4:128.245.243.0/24 ip4:128.245.244.0/24 ip4:128.245.245.0/24 ip4:128.245.246.0/24 ip4:128.245.247.0/24 ip4:128.245.176.0/20 ip4:136.147.224.0/20 " "ip4:207.67.98.192/27 ip4:207.250.68.0/24 ip4:209.43.22.0/28 ip4:198.245.80.0/20 ip4:136.147.128.0/20 ip4:136.147.176.0/20 ip4:13.111.0.0/16 ip4:161.71.32.0/19 ip4:161.71.64.0/20 ip4:13.110.208.0/21 ip4:13.110.216.0/22 " "ip4:13.110.224.0/20 ip4:159.92.157.0/24 ip4:159.92.158.0/24 ip4:159.92.159.0/24 ip4:159.92.160.0/24 ip4:159.92.161.0/24 ip4:159.92.162.0/24 ip4:159.92.154.0/24 ip4:128.245.240.0/24 ip4:128.245.241.0/24 ip4:159.92.155.0/24 ip4:159.92.163.0/24 ip4:159.92.16" "4.0/22 ip4:159.92.168.0/21 ip4:128.245.248.0/21 -all"
Which includes ip4:13.111.0.0/16, so the sending IP [13.111.200.95] should pass.
Google's AI seemed to think I could test from the command line with:
opendmarc -v -c /etc/opendmarc.conf -t ./test.eml -s 13.111.200.95
But the "-s" is invalid for my opendmarc version. I'm not sure how to extract any additional information about the issue at this point.
Maybe I'm barking up the wrong tree. Thank you in advance!!
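
An added example, not part of the original post and not OpenDMARC's code: it applies the RFC 7489 identifier-alignment rule to the identities in the log above, and checks the client IP against an excerpt of the quoted SPF record. It assumes the quoted DMARC record is the one governing services.barclaysus.com and approximates the organizational domain as the last two labels (real evaluators use the Public Suffix List).

```python
import ipaddress

# Values copied from the log lines and DNS records quoted in the post.
CLIENT_IP = "13.111.200.95"
MAILFROM_DOMAIN = "bounce.emails.barclaysus.com"  # SPF(mailfrom) identity, logged as pass
FROM_DOMAIN = "services.BarclaysUS.com"           # header From domain that DMARC evaluates
DMARC_RECORD = ("v=DMARC1; p=reject; fo=1; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; "
                "ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com")
# Excerpt of the cust-spf.exacttarget.com record (three of its ip4 mechanisms).
SPF_EXCERPT = "v=spf1 ip4:13.111.191.0/24 ip4:13.111.0.0/16 ip4:161.71.32.0/19 -all"

def parse_tags(record):
    """Split a DMARC record into a {tag: value} dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    """ASSUMPTION: last two labels. Real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def ip4_match(ip, spf_record):
    """Return the first ip4: mechanism whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for term in spf_record.split():
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return term
    return None

def dmarc_result(from_domain, spf_domain, spf_pass, dkim_pass_domains, record):
    """DMARC passes if any passing SPF or DKIM identity aligns with the From domain."""
    tags = parse_tags(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    print(ip4_match(CLIENT_IP, SPF_EXCERPT))
    # No DKIM signature verified in the log ("bad signature data"): empty list.
    print(dmarc_result(FROM_DOMAIN, MAILFROM_DOMAIN, True, [], DMARC_RECORD))
    print(dmarc_result(FROM_DOMAIN, MAILFROM_DOMAIN, True, [], DMARC_RECORD + "; aspf=s"))
```

The quoted record has no aspf tag, so alignment defaults to relaxed; the last call appends a hypothetical aspf=s to show how strict alignment would change the outcome for the same identities.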