SPF, DKIM e DMARC todos definidos, mas dmarc-reports continuam dizendo o contrário

1

Estou perdendo a cabeça (novamente) em algo sobre e-mails.

Eu tenho um servidor Kimsufi / OVH (Debian Wheezy 7.10). Eu tenho postfix e dovecot tudo pronto.

Meu domínio principal / hostname é vaeserveur.fr, e estou usando o calendridel.fr no vaeserveur.fr.

Eu configurei entradas spf, dkim e dmarc em zonas de DNS para ambos os domínios. A partir do contato [at] calendridel [ponto] fr e sem resposta [at] calendridel [ponto] fr, todos os testes que eu fiz são bons:

1) [email protected]

The Port25 Solutions, Inc. team

==========================================================
 Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  vaeserveur.fr
Source IP:      91.121.166.194
mail-from:      [email protected]

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: [email protected]
DNS record(s):
    calendridel.fr. SPF (no records)
    calendridel.fr. 6055 IN TXT "v=spf1 a mx include:mx.ovh.com ~all"
    calendridel.fr. 6054 IN A 91.121.166.194

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: [email protected])
ID(s) verified: header.d=calendridel.fr

2) dmarcian.com

https://dmarcian.com/dmarc-inspector/calendridel.fr
All seems good

3) dkimvalidator.com

DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=calendridel.fr;
    s=mail; t=1491673268;
    bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
    h=Date:From:To:Subject:From;
    b=CScyX9ZvWCDL6FGLroXZi/8dFiWmgPbKwcTuSZqPuCHBOR4tv4QdGzxgZ3acWf6AP
     AwAt3Y2h+9IHeayu8mT2rl2Bz3E3XbMC6waEHoc645sAOq1nV9l8hAuw73hm6YsvXU
     QEAgcDIaD8b5fAXoX99rGkSfD6Rx5ygeuJOs0MzZcxnOzaJM+6mvOzusep4PRv0XvG
     eEJYYwL2sNd0qEJSLJ666fhvE781qtwnWaUewlceSgek5bnJ1DVEOsLkcl3uwTabau
     PsLZm9SPuqsc+aDRTTNNRKuI2noO1/w3M6XWfZxpYPIeoxwNnflWxP0s9O6+UbhsCJ
     PJbZeYVATVFKYKjFJlbwAqPMMmJAiqSWzsXvT06/P/Qw70nT5Q9qK1FI8Uu9NRFhWe
     g+35wx03zNG5OMgKzKsv9qH06qccBsbfhHXKm63YkxLDhO+2AtdicdWqrMlZQap7V0
     CC4VyTCNLZdOASWdLJdh8JDsY2TXNU/Pcpxw0uSf0BigY/0q3qj5O7GRzzSLG1rKz0
     +HpvDql/PpsscXt16URaOtO7/rZ6H3EsS1ZkutO5udiwJvoZulraMbI8sQQghR3Yyw
     OZqDardodYdVo1tHzTPQ4MJTEKI+2IO4ulCj7/kJ109xpTYo8+8x3I7Z5Bhmnyui7j
     TIxRT8MCD1sRUOoP7mD/7Pb0=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          calendridel.fr
s= Selector:        mail
q= Protocol:        
bh=                 g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers:  Date:From:To:Subject:From
b= Data:            CScyX9ZvWCDL6FGLroXZi/8dFiWmgPbKwcTuSZqPuCHBOR4tv4QdGzxgZ3acWf6AP
     AwAt3Y2h+9IHeayu8mT2rl2Bz3E3XbMC6waEHoc645sAOq1nV9l8hAuw73hm6YsvXU
     QEAgcDIaD8b5fAXoX99rGkSfD6Rx5ygeuJOs0MzZcxnOzaJM+6mvOzusep4PRv0XvG
     eEJYYwL2sNd0qEJSLJ666fhvE781qtwnWaUewlceSgek5bnJ1DVEOsLkcl3uwTabau
     PsLZm9SPuqsc+aDRTTNNRKuI2noO1/w3M6XWfZxpYPIeoxwNnflWxP0s9O6+UbhsCJ
     PJbZeYVATVFKYKjFJlbwAqPMMmJAiqSWzsXvT06/P/Qw70nT5Q9qK1FI8Uu9NRFhWe
     g+35wx03zNG5OMgKzKsv9qH06qccBsbfhHXKm63YkxLDhO+2AtdicdWqrMlZQap7V0
     CC4VyTCNLZdOASWdLJdh8JDsY2TXNU/Pcpxw0uSf0BigY/0q3qj5O7GRzzSLG1rKz0
     +HpvDql/PpsscXt16URaOtO7/rZ6H3EsS1ZkutO5udiwJvoZulraMbI8sQQghR3Yyw
     OZqDardodYdVo1tHzTPQ4MJTEKI+2IO4ulCj7/kJ109xpTYo8+8x3I7Z5Bhmnyui7j
     TIxRT8MCD1sRUOoP7mD/7Pb0=
Public Key DNS Lookup

Building DNS Query for mail._domainkey.calendridel.fr
Retrieved this publickey from DNS: v=DKIM1; k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAomnPCDLufwn5YnIxZ+4veAqdQiTNyk3OsqxTXddGXstKjYefjeJZ/Wgd4vFRheS9DSRjtqLvc66KyM3Ubk37G3S2tXU6dpIPh/poiQuDhdZMWlp829YyR47sYtSSJqFrzd+dKDGfPwrlJb6iIeYksfXOXSHej6s9z1mDobl+fDhORKaB5JySZyPhh/FqCIVMHJffr8tod0Q55MAfRpl38WIJjRjjTXHS2OTNUSQq53kIqSZkx3iFdlxxZh5Tj1DU1bzIGfB4tQaJAGqGhSz4pyzkdc+uVuvXr6NbIrEQ/YnueDHWrbbPoMq77QcToMGqfypgB2CcEU2rlcDYq9aPqYAalv22zY6S0M5FUjlpiHDIR3Hb/ID2ZC2Q/XtCKgaOxr2C4T7Ad0CdcjjQMLnFkOY337U7/P0FgaSQaykiUvSkXDvURgunBv0GLqXfjfwK2Ge8fl+dhYN5bZ/59/GFPcyB/sLHB/cMFWEUyp63RXHBRm+q+c6PMdGIgmoTHYH/0FbYI+/9NHhYOLWhBrgds3x54vStQk0jqYKAipd2494v2dr3p5XlhXU4NEOSEH4FnBfiqoHiYDgjPEIm0ddqH2kBEiuymIoGtWPuBCmY993/1wevOMVjrQlysw2Gf1DZnlbnaytgcSAR0fHgIlLPPoRqGXodvgtW6Zj8ocy71qsCAwEAAQ==
Validating Signature

result = pass
Details: 

SPF Information:

Using this information that I obtained from the headers

Helo Address = vaeserveur.fr
From Address = [email protected]
From IP      = 91.121.166.194
SPF Record Lookup

Looking up TXT SPF record for calendridel.fr
Found the following namesevers for calendridel.fr: ns.kimsufi.com ns318520.ip-91-121-166.eu
Retrieved this SPF Record: zone updated 20170408 (TTL = 46739)
using authoritative server (ns.kimsufi.com) directly for SPF Check
Result: pass (Mechanism 'a' matched)

Result code: pass
Local Explanation: calendridel.fr: 91.121.166.194 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a' matched)
spf_header = Received-SPF: pass (calendridel.fr: 91.121.166.194 is authorized to use '[email protected]' in 'mfrom' identity (mechanism 'a' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="[email protected]"; helo=vaeserveur.fr; client-ip=91.121.166.194

Etc, etc, etc.

Tudo parece bom e todos os remetentes de e-mail que estou enviando um e-mail estão dizendo "10/10, você é bom para ir amigo".

O problema é que recebo relatórios de dmarc e eles não são bons. Por exemplo, última data do yahoo:

<?xml version="1.0"?>   
<feedback>  
  <report_metadata> 
    <org_name>Yahoo! Inc.</org_name>    
    <email>[email protected]</email>   
    <report_id>1491615950.716847</report_id>    
    <date_range>    
      <begin>1491523200</begin> 
      <end>1491609599 </end>    
    </date_range>   
  </report_metadata>    
  <policy_published>    
    <domain>calendridel.fr</domain> 
    <adkim>r</adkim>    
    <aspf>r</aspf>  
    <p>none</p> 
    <pct>100</pct>  
  </policy_published>   
  <record>  
    <row>   
      <source_ip>91.121.166.194</source_ip> 
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>fail</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>calendridel.fr</header_from> 
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>calendridel.fr</domain> 
        <result>permerror</result>  
      </dkim>   
      <spf> 
        <domain>vaeserveur.fr</domain>  
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 
</feedback> 

E a última data de google.com:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>14868783784049997701</report_id>
    <date_range>
      <begin>1491523200</begin>
      <end>1491609599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>calendridel.fr</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:41d0:1:e7c2::1</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>calendridel.fr</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>calendridel.fr</domain>
        <result>fail</result>
        <selector>mail</selector>
      </dkim>
      <spf>
        <domain>vaeserveur.fr</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2001:41d0:1:e7c2::1</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>calendridel.fr</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>calendridel.fr</domain>
        <result>pass</result>
        <selector>mail</selector>
      </dkim>
      <spf>
        <domain>vaeserveur.fr</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Estou perdido, não sei o que fazer mais do que já está definido. Não hesite em perguntar-me mais informações, se puder ajudar. Thx ...

    
por Vae 08.04.2017 / 21:01

1 resposta

0

Esta é a parte do XML RUA que você precisa analisar:

<identifiers>   
  <header_from>calendridel.fr</header_from> 
</identifiers>  
<auth_results>  
  <dkim>    
    <domain>calendridel.fr</domain> 
    <result>permerror</result>  
  </dkim>   
  <spf> 
    <domain>vaeserveur.fr</domain>  
    <result>pass</result>   
  </spf>

Isso nos diz duas coisas:

1 - o seu SPF não está alinhado. O domínio do mail-from (RFC5321.From) é vaeserveur.fr, mas seu domínio de cabeçalho (RFC5322.From) é calendridel.fr. Aqueles precisam corresponder para que o alinhamento do identificador seja aprovado. Para mais informações, consulte o link

2 - o seu DKIM recebe um permerror. Envie uma mensagem para uma conta que você controla no Gmail e veja os cabeçalhos das mensagens para saber mais sobre o problema. O DMARC XML nos diz que ele falhou, mas o cabeçalho de Authentication-Results: (s) na mensagem deve informar mais.

    
por 13.07.2017 / 11:08