[PPPM-7190] DMARC is discarding (successful verified) mails

[danielsausm]

TITLE:

DMARC is discarding (successful verified) mails​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

‪CentOS 6.9 (Final)‬ Plesk Onyx, Version 17.5.3 Update #24​

PROBLEM DESCRIPTION:

When i enable DMARC, some mails get silently lost. even with softfail settings - and from legitmate sender with correct spf dns records.

here an example: coinbase.com

Network Tools: DNS,IP,Email
>v=spf1 include:amazonses.com include:_spf.google.com -all

Oct 10 09:54:57 hostname postfix/smtpd[15342]: connect from a11-132.smtp-out.amazonses.com[54.240.11.132]
Oct 10 09:54:58 hostname postfix/smtpd[15342]: D9AE61C4067F: client=a11-132.smtp-out.amazonses.com[54.240.11.132]
Oct 10 09:54:59 hostname postfix/cleanup[15302]: D9AE61C4067F: message-id=<0100015f05478ca1-2ff1c732-8b12-4a42-8993-dab2098d5d1f-000000@email.amazonses.com>
Oct 10 09:54:59 hostname /usr/lib64/plesk-9.0/psa-pc-remote[15239]: handlers_stderr: SKIP
Oct 10 09:54:59 hostname /usr/lib64/plesk-9.0/psa-pc-remote[15239]: SKIP during call 'limit-out' handler
Oct 10 09:54:59 hostname spf[15419]: Starting the spf filter...
Oct 10 09:54:59 hostname spf[15419]: Error code: (2) Could not find a valid SPF record
Oct 10 09:54:59 hostname spf[15419]: Failed to query guess rules: Could not find a valid SPF record near 'a/24 mx/24 p'
Oct 10 09:54:59 hostname spf[15419]: SPF result: pass
Oct 10 09:54:59 hostname spf[15419]: SPF status: PASS
Oct 10 09:54:59 hostname /usr/lib64/plesk-9.0/psa-pc-remote[15239]: handlers_stderr: PASS
Oct 10 09:54:59 hostname /usr/lib64/plesk-9.0/psa-pc-remote[15239]: PASS during call 'spf' handler
Oct 10 09:54:59 hostname postfix/qmgr[15294]: D9AE61C4067F: from=<0100015f05478ca1-2ff1c732-8b12-4a42-8993-dab2098d5d1f-000000@amazonses.com>, size=6122, nrcpt=1 (queue active)
Oct 10 09:54:59 hostname postfix-local[15420]: postfix-local: from=0100015f05478ca1-2ff1c732-8b12-4a42-8993-dab2098d5d1f-000000@amazonses.com, [email protected], dirname=/var/qmail/mailnames
Oct 10 09:54:59 hostname spamassassin[15421]: Starting the spamassassin filter...
Oct 10 09:54:59 hostname spamd[6795]: spamd: connection from localhost [127.0.0.1] at port 47364
Oct 10 09:54:59 hostname spamd[6795]: spamd: using default config for [email protected]: /var/qmail/mailnames/exampleserver.com/user/.spamassassin/user_prefs
Oct 10 09:54:59 hostname spamd[6795]: spamd: processing message <0100015f05478ca1-2ff1c732-8b12-4a42-8993-dab2098d5d1f-000000@email.amazonses.com> for [email protected]:110
Oct 10 09:54:59 hostname spamd[6795]: spamd: clean message (-0.8/5.5) for [email protected]:110 in 0.2 seconds, 6598 bytes.
Oct 10 09:54:59 hostname spamd[6795]: spamd: result: . 0 - BAYES_00,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_SORBS_SPAM,RP_MATCHES_RCVD,URIBL_BLOCKED scantime=0.2,size=6598,[email protected],uid=110,required_score=5.5,rhost=localhost,raddr=127.0.0.1,rport=47364,mid=<0100015f05478ca1-2ff1c732-8b12-4a42-8993-dab2098d5d1f-000000@email.amazonses.com>,bayes=0.000000,autolearn=no
Oct 10 09:54:59 hostname dk_check[15424]: Starting the dk_check filter...
Oct 10 09:54:59 hostname dk_check[15424]: DKIM verify result: DKIM verification (d=coinbase.com, 1024-bit key) succeeded
Oct 10 09:54:59 hostname dmarc[15425]: Starting the dmarc filter...
Oct 10 09:54:59 hostname spamd[1842]: prefork: child states: II
Oct 10 09:55:00 hostname dmarc[15425]: DMARC: REJECT message for [email protected]
Oct 10 09:55:00 hostname postfix-local[15420]: message discarded by a mail handler
Oct 10 09:55:00 hostname postfix/pipe[15394]: D9AE61C4067F: to=<[email protected]>, relay=plesk_virtual, delay=1.8, delays=0.6/0/0/1.2, dsn=2.0.0, status=sent (delivered via plesk_virtual service)
Oct 10 09:55:00 hostname postfix/qmgr[15294]: D9AE61C4067F: removed​

STEPS TO REPRODUCE:

Enable DMARC, receive Mail from e.g. coinbase.com​

ACTUAL RESULT:

message discarded by a mail handler​

EXPECTED RESULT:

mail should get delivered​

ANY ADDITIONAL INFORMATION:

​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[UFHH01]

Hi danielsausm,

pls. note, that the SPF - settings ( "SPF checking mode" ) are not relevant for DKIM - checks. You either have the option to enable the incoming/outgoing checks, or you might disable them.

Still, there is an existing misbehaviour, if a SPF check fails, but ( valid ) DMARK - records are set to "reject" as policies for "p" and "sp" for a domain. The current existing bug - report with the ID "PPPM-7190" has already been created and a fix is planned in Plesk future updates.

Pls. consider to use the provided ( temporary ) resolution at: => Email from Plesk administrator is rejected: DMARC: REJECT message

 

[danielsausm]

Hi UFHH01,

thanks for your reply.

- I think the spf check is wrong - i double checked the spf entrys (here from coinbase.com) - and they seem correct e.g. have a look via mxtoolbox.
Network Tools: DNS,IP,Email
->SPF for Coinbase is "v=spf1 include:amazonses.com include:_spf.google.com -all" and the mail is originated from @email.amazonses.com

for the temporary solution -> i dont know which senders will get blocked - so i cannot whitelist them and dmarc cannot be enabled.

So I think there might be a second problem(spf check).
You might have a look.

thanks in advance

Greetings vom Mannheim
daniel

 

[UFHH01]

Hi danielsausm,

for the temporary solution -> i dont know which senders will get blocked - so i cannot whitelist them and dmarc cannot be enabled.

In this case, I can only recommend to switch off DMARC checks, for the time that we will wait for the fix.