On Tue 07-06-22 11:10:27, Yu Kuai wrote:
On 2022/05/23 23:25, Jan Kara wrote:
Hum, for me all emails from Huawei I've received even today fail the DKIM
check. After some more digging there is an interesting inconsistency in the
DMARC configuration for the huawei.com domain. There is a DMARC record for
huawei.com like:
huawei.com. 600 IN TXT "v=DMARC1;p=none;rua=mailto:dmarc@xxxxxxxxxxxxxx"
which means no DKIM is required but _dmarc.huawei.com has:
_dmarc.huawei.com. 600 IN TXT "v=DMARC1;p=quarantine;ruf=mailto:dmarc@xxxxxxxxxx;rua=mailto:dmarc@xxxxxxxxxx"
which says that DKIM is required. I guess this inconsistency may be the
reason why there are problems with DKIM validation for senders from
huawei.com. Yu Kuai, can you perhaps take this to your IT support to fix
this? Either make sure huawei.com emails get properly signed with DKIM or
remove the 'quarantine' record from _dmarc.huawei.com. Thanks!
Honza
Hi, Jan and Jens
I just got a response from our IT support:
'fo' is not set in our DMARC configuration (default is 0), which means
SPF and DKIM verify both failed so that emails will end up in spam.
It is right that DKIM verify is failed because there is no signed key,
however, our IT support are curious how SPF verify failed.
Can you guys please take a look at the IP address of the sender? So our IT
support can take a look if they miss it from SPF records.
So SPF is what makes me receive direct emails from you. For example on this
email I can see:
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56])
        (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by smtp-in2.suse.de (Postfix) with ESMTPS id 4LHFjN2L0dzZfj
        for <jack@xxxxxxx>; Tue, 7 Jun 2022 03:10:32 +0000 (UTC)
...
Authentication-Results: smtp-in2.suse.de;
        dkim=none;
        dmarc=pass (policy=quarantine) header.from=huawei.com;
        spf=pass (smtp-in2.suse.de: domain of yukuai3@xxxxxxxxxx designates 185.176.79.56 as permitted sender) smtp.mailfrom=yukuai3@xxxxxxxxxx
So indeed frasgout.his.huawei.com is the correct outgoing server which makes
smtp-in2.suse.de believe the email despite the missing DKIM signature. But the
problem starts when you send email to a mailing list. Let me take for
example your email from June 2 with Message-ID
<20220602082129.2805890-1-yukuai3@xxxxxxxxxx>, subject "[PATCH -next]
mm/filemap: fix that first page is not mark accessed in filemap_read()".
There the mailing list server forwards the email so we have:
Received: from smtp-in2.suse.de ([192.168.254.78])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
        by dovecot-director2.suse.de with LMTPS
        id 8MC5NfVvmGIPLwAApTUePA
        (envelope-from <linux-fsdevel-owner@xxxxxxxxxxxxxxx>)
        for <jack@xxxxxxxxxxxx>; Thu, 02 Jun 2022 08:08:21 +0000
Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
        by smtp-in2.suse.de (Postfix) with ESMTP id 4LDJYK5bf0zZg5
        for <jack@xxxxxxx>; Thu, 2 Jun 2022 08:08:21 +0000 (UTC)
Received: (majordomo@xxxxxxxxxxxxxxx) by vger.kernel.org via listexpand
        id S232063AbiFBIIM (ORCPT <rfc822;jack@xxxxxxx>);
        Thu, 2 Jun 2022 04:08:12 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56178 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232062AbiFBIIL (ORCPT
        <rfc822;linux-fsdevel@xxxxxxxxxxxxxxx>);
        Thu, 2 Jun 2022 04:08:11 -0400
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 75DDB25FE;
        Thu, 2 Jun 2022 01:08:08 -0700 (PDT)
and thus smtp-in2.suse.de complains:
Authentication-Results: smtp-in2.suse.de;
        dkim=none;
        dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=huawei.com (policy=quarantine);
        spf=pass (smtp-in2.suse.de: domain of linux-fsdevel-owner@xxxxxxxxxxxxxxx designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-fsdevel-owner@xxxxxxxxxxxxxxx
Because now we've got an email with a "From" header from the huawei.com domain
from a vger mail server which was forwarding it. So SPF has no chance to match
(in fact SPF did pass for the Return-Path header which points to
vger.kernel.org but DMARC defines that if "From" and "Return-Path" do not
match, additional validation is needed - this is the "SPF not aligned
(relaxed)" message above). And missing DKIM (the additional validation
method) sends the email to spam.
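
Added example, not part of the original email thread: a simplified DMARC evaluation (RFC 7489 identifier alignment) reproducing the two Authentication-Results verdicts above, direct delivery and delivery through the list, plus the case where the message carries an aligned DKIM signature. The function names, the two-label organizational-domain shortcut, the report address and the envelope domains are assumptions or constructed values, since the addresses on the page are redacted; the third case also assumes the signature still verifies after the list forwards the message.

```python
# Added example: simplified DMARC check (SPF/DKIM identifier alignment).

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real validators
    # consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # Relaxed ("r") alignment compares organizational domains,
    # strict ("s") requires an exact match.
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    # Split "v=DMARC1;p=quarantine;..." into a tag -> value dict.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def evaluate(record, header_from, spf_result, mail_from, dkim_sigs=()):
    """Return (dmarc_result, policy_to_apply).

    dkim_sigs holds (result, d= domain) pairs; empty means dkim=none.
    DMARC passes if SPF *or* DKIM passes with a domain aligned to From.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass"
              and aligned(mail_from, header_from, tags.get("aspf", "r")))
    dkim_ok = any(res == "pass"
                  and aligned(dom, header_from, tags.get("adkim", "r"))
                  for res, dom in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Constructed inputs modelled on the headers quoted in the thread.
POLICY = "v=DMARC1;p=quarantine;rua=mailto:dmarc@example.invalid"
DIRECT = evaluate(POLICY, "huawei.com", "pass", "huawei.com")
VIA_LIST = evaluate(POLICY, "huawei.com", "pass", "vger.kernel.org")
SIGNED_VIA_LIST = evaluate(POLICY, "huawei.com", "pass", "vger.kernel.org",
                           [("pass", "huawei.com")])

if __name__ == "__main__":
    print(DIRECT, VIA_LIST, SIGNED_VIA_LIST)
```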