SPF,DKIM和DMARC都设定了,但是dmarc报告却反过来说
[英]SPF, DKIM and DMARC all set but dmarc-reports keep saying the opposite
问题描述
I'm losing my mind (again) on something about e-mails. 
关于电子邮件的事情,我(再次)失去了理智。
I have a Kimsufi/OVH (Debian Wheezy 7.10) server. 我有一台Kimsufi / OVH(Debian Wheezy 7.10)服务器。 I have postfix and dovecot all set. 我有postfix和dovecot所有设置。
My main domain/hostname is mywebsite.fr, and i'm using mywebsite.fr set on mywebsite.fr. 我的主域/主机名是mywebsite.fr,我在mywebsite.fr上使用mywebsite.fr。
I set spf, dkim and dmarc entries in dns zones for both of domains. 我在两个域的dns区域中设置了spf,dkim和dmarc条目。 From contact[at]mywebsite[dot]fr and no-reply[at]mywebsite[dot]fr, all the tests I ran are good : 从联系[at] mywebsite [dot] fr和no-reply [at] mywebsite [dot] fr,我运行的所有测试都很好:
1) auth-resultats@verifier.port25.com 1)auth-resultats@verifier.port25.com
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
HELO hostname: mywebsite.fr
Source IP: 91.121.166.194
mail-from: contact@mywebsite.fr
----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result: pass
ID(s) verified: smtp.mailfrom=contact@mywebsite.fr
DNS record(s):
mywebsite.fr. SPF (no records)
mywebsite.fr. 6055 IN TXT "v=spf1 a mx include:mx.ovh.com ~all"
mywebsite.fr. 6054 IN A 91.121.166.194
----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=contact@mywebsite.fr
DNS record(s):
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: pass (matches From: contact@mywebsite.fr)
ID(s) verified: header.d=mywebsite.fr
2) dmarcian.com 2)dmarcian.com
https://dmarcian.com/dmarc-inspector/mywebsite.fr
All seems good
3) dkimvalidator.com 3)dkimvalidator.com
DKIM Information:
DKIM Signature
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mywebsite.fr;
s=mail; t=1491673268;
bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
h=Date:From:To:Subject:From;
b=CScyX9ZvWCDL6FGLroXZi/8dFiWmgPbKwcTuSZqPuCHBOR4tv4QdGzxgZ3acWf6AP
AwAt3Y2h+9IHeayu8mT2rl2Bz3E3XbMC6waEHoc645sAOq1nV9l8hAuw73hm6YsvXU
QEAgcDIaD8b5fAXoX99rGkSfD6Rx5ygeuJOs0MzZcxnOzaJM+6mvOzusep4PRv0XvG
eEJYYwL2sNd0qEJSLJ666fhvE781qtwnWaUewlceSgek5bnJ1DVEOsLkcl3uwTabau
PsLZm9SPuqsc+aDRTTNNRKuI2noO1/w3M6XWfZxpYPIeoxwNnflWxP0s9O6+UbhsCJ
PJbZeYVATVFKYKjFJlbwAqPMMmJAiqSWzsXvT06/P/Qw70nT5Q9qK1FI8Uu9NRFhWe
g+35wx03zNG5OMgKzKsv9qH06qccBsbfhHXKm63YkxLDhO+2AtdicdWqrMlZQap7V0
CC4VyTCNLZdOASWdLJdh8JDsY2TXNU/Pcpxw0uSf0BigY/0q3qj5O7GRzzSLG1rKz0
+HpvDql/PpsscXt16URaOtO7/rZ6H3EsS1ZkutO5udiwJvoZulraMbI8sQQghR3Yyw
OZqDardodYdVo1tHzTPQ4MJTEKI+2IO4ulCj7/kJ109xpTYo8+8x3I7Z5Bhmnyui7j
TIxRT8MCD1sRUOoP7mD/7Pb0=
Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: mywebsite.fr
s= Selector: mail
q= Protocol:
bh= g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers: Date:From:To:Subject:From
b= Data: CScyX9ZvWCDL6FGLroXZi/8dFiWmgPbKwcTuSZqPuCHBOR4tv4QdGzxgZ3acWf6AP
AwAt3Y2h+9IHeayu8mT2rl2Bz3E3XbMC6waEHoc645sAOq1nV9l8hAuw73hm6YsvXU
QEAgcDIaD8b5fAXoX99rGkSfD6Rx5ygeuJOs0MzZcxnOzaJM+6mvOzusep4PRv0XvG
eEJYYwL2sNd0qEJSLJ666fhvE781qtwnWaUewlceSgek5bnJ1DVEOsLkcl3uwTabau
PsLZm9SPuqsc+aDRTTNNRKuI2noO1/w3M6XWfZxpYPIeoxwNnflWxP0s9O6+UbhsCJ
PJbZeYVATVFKYKjFJlbwAqPMMmJAiqSWzsXvT06/P/Qw70nT5Q9qK1FI8Uu9NRFhWe
g+35wx03zNG5OMgKzKsv9qH06qccBsbfhHXKm63YkxLDhO+2AtdicdWqrMlZQap7V0
CC4VyTCNLZdOASWdLJdh8JDsY2TXNU/Pcpxw0uSf0BigY/0q3qj5O7GRzzSLG1rKz0
+HpvDql/PpsscXt16URaOtO7/rZ6H3EsS1ZkutO5udiwJvoZulraMbI8sQQghR3Yyw
OZqDardodYdVo1tHzTPQ4MJTEKI+2IO4ulCj7/kJ109xpTYo8+8x3I7Z5Bhmnyui7j
TIxRT8MCD1sRUOoP7mD/7Pb0=
Public Key DNS Lookup
Building DNS Query for mail._domainkey.mywebsite.fr
Retrieved this publickey from DNS: v=DKIM1; k=rsa;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAomnPCDLufwn5YnIxZ+4veAqdQiTNyk3OsqxTXddGXstKjYefjeJZ/Wgd4vFRheS9DSRjtqLvc66KyM3Ubk37G3S2tXU6dpIPh/poiQuDhdZMWlp829YyR47sYtSSJqFrzd+dKDGfPwrlJb6iIeYksfXOXSHej6s9z1mDobl+fDhORKaB5JySZyPhh/FqCIVMHJffr8tod0Q55MAfRpl38WIJjRjjTXHS2OTNUSQq53kIqSZkx3iFdlxxZh5Tj1DU1bzIGfB4tQaJAGqGhSz4pyzkdc+uVuvXr6NbIrEQ/YnueDHWrbbPoMq77QcToMGqfypgB2CcEU2rlcDYq9aPqYAalv22zY6S0M5FUjlpiHDIR3Hb/ID2ZC2Q/XtCKgaOxr2C4T7Ad0CdcjjQMLnFkOY337U7/P0FgaSQaykiUvSkXDvURgunBv0GLqXfjfwK2Ge8fl+dhYN5bZ/59/GFPcyB/sLHB/cMFWEUyp63RXHBRm+q+c6PMdGIgmoTHYH/0FbYI+/9NHhYOLWhBrgds3x54vStQk0jqYKAipd2494v2dr3p5XlhXU4NEOSEH4FnBfiqoHiYDgjPEIm0ddqH2kBEiuymIoGtWPuBCmY993/1wevOMVjrQlysw2Gf1DZnlbnaytgcSAR0fHgIlLPPoRqGXodvgtW6Zj8ocy71qsCAwEAAQ==
Validating Signature
result = pass
Details:
SPF Information:
Using this information that I obtained from the headers
Helo Address = mywebsite.fr
From Address = contact@mywebsite.fr
From IP = 91.121.166.194
SPF Record Lookup
Looking up TXT SPF record for mywebsite.fr
Found the following namesevers for mywebsite.fr: ns.kimsufi.com nsXXXXXX.ip-91-XXX-166.eu
Retrieved this SPF Record: zone updated 20170408 (TTL = 46739)
using authoritative server (ns.kimsufi.com) directly for SPF Check
Result: pass (Mechanism 'a' matched)
Result code: pass
Local Explanation: mywebsite.fr: 91.121.166.194 is authorized to use 'contact@mywebsite.fr' in 'mfrom' identity (mechanism 'a' matched)
spf_header = Received-SPF: pass (mywebsite.fr: 91.121.166.194 is authorized to use 'contact@mywebsite.fr' in 'mfrom' identity (mechanism 'a' matched)) receiver=ip-172-31-3-128.us-west-1.compute.internal; identity=mailfrom; envelope-from="contact@mywebsite.fr"; helo=mywebsite.fr; client-ip=91.121.166.194
Etc, etc, etc. 等等等
All seems good and all the mail-testers i'm sending an e-mails are saying "10/10, you're good to go buddy". 一切似乎都很好,我发送电子邮件的所有邮件测试人员都说“10/10,你很高兴去找好友”。
The problem is, I receive dmarc-reports and they are not good. 问题是,我收到了dmarc报告并且它们并不好。 For example, last in date from yahoo : 例如,雅虎的最后日期:
<?xml version="1.0"?>
<feedback>
<report_metadata>
<org_name>Yahoo! Inc.</org_name>
<email>postmaster@dmarc.yahoo.com</email>
<report_id>1491615950.716847</report_id>
<date_range>
<begin>1491523200</begin>
<end>1491609599 </end>
</date_range>
</report_metadata>
<policy_published>
<domain>mywebsite.fr</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>91.121.166.194</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>permerror</result>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
And last in date from google.com : 最后一次来自google.com:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>14868783784049997701</report_id>
<date_range>
<begin>1491523200</begin>
<end>1491609599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>mywebsite.fr</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>2001:41d0:1:e7c2::1</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>fail</result>
<selector>mail</selector>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>2001:41d0:1:e7c2::1</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mywebsite.fr</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mywebsite.fr</domain>
<result>pass</result>
<selector>mail</selector>
</dkim>
<spf>
<domain>mywebsite.fr</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
I'm lost, I don't know what to do more than is already set. 我迷路了,我不知道该怎么做比已经设定的更多。 Don't hesitate ask me more informations, if it can help. 如果可以提供帮助,请不要犹豫,向我询问更多信息。 Thx... 谢谢...
2 个解决方案
解决方案1
2 2017-04-08 19:52:52
Anyway, looking over your results from those other testers, it looks like you're using a 4096 DKIM, which produces key sizes over 512 bytes. 无论如何,查看来自其他测试人员的结果,看起来你正在使用4096 DKIM,它产生超过512字节的密钥大小。 Drop your DKIM size back down to 2048 and I think your issues will go away with the DKIM Failures. 将您的DKIM大小降低到2048,我认为您的问题将随着DKIM失败而消失。 I seen numerous instances where large key sizes cause DKIM Failures. 我看到很多大型密钥大小导致DKIM失败的情况。
Also the results from google show an ipv6 address as the source IP, I have a feeling Google might be bugged, that is might not be doing the SPF Lookup correctly concerning a and aaaa records, you should add ip6:2001:41d0:1:e7c2::1 to your SPF and see if that resolves the SPF Failures at Google. 此外,谷歌的结果显示一个ipv6地址作为源IP,我有一种感觉谷歌可能会被窃听,可能没有正确地做关于a和aaaa记录的SPF Lookup,你应该添加ip6:2001:41d0:1:e7c2::1到您的SPF,看看是否能解决Google的SPF失败问题。
In theory, When an ESP receives and ipv6 IP they should look up the aaaa record for SPF if a is specified as a mechanism and a if IPv4 is specified" 从理论上讲,当一个ESP接收和IPv6的IP他们应该仰望aaaa为SPF记录,如果a被指定为一个机制, a如果指定的IPv4”
解决方案2
1 2017-04-08 21:57:41
The SPF problem you're seeing is an alignment problem. 您看到的SPF问题是对齐问题。 SPF only counts for DMARC when the Return-Path domain and the Header From domain are on the same organizational domain. 当Return-Path域和Header From域位于同一组织域时,SPF仅计入DMARC。 In somewhat oversimplified terms, they need to be the same or have a common parent domain that isn't a TLD. 在某些过于简单的术语中,它们必须相同或具有不是TLD的共同父域。
From the reports, you can see that your Return-Path domain (used for SPF) is vaeserveur.fr while the header from domain is calendridel.fr. 从报告中,您可以看到您的Return-Path域(用于SPF)是vaeserveur.fr,而域的头是calendridel.fr。 In this case, it doesn't matter that SPF yields a pass - that pass value won't be used for DMARC. 在这种情况下,SPF产生传递并不重要 - 该传递值不会用于DMARC。 See the discussion here - https://tools.ietf.org/html/rfc7489#section-3.1 请参阅此处的讨论 - https://tools.ietf.org/html/rfc7489#section-3.1
As for DKIM, the other answer is on point. 至于DKIM,另一个答案就是重点。 Verifiers don't generally support 4096 bit keys, and they don't actually have to according to the RFC - https://tools.ietf.org/html/rfc6376#section-3.3.3 验证程序通常不支持4096位密钥,它们实际上不必根据RFC - https://tools.ietf.org/html/rfc6376#section-3.3.3
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.