On Tue 07-06-22 21:06:55, Yu Kuai wrote: > 在 2022/06/07 19:51, Yu Kuai 写道: > > 在 2022/06/07 17:54, Jan Kara 写道: > > > On Tue 07-06-22 11:10:27, Yu Kuai wrote: > > > > 在 2022/05/23 23:25, Jan Kara 写道: > > > > > Hum, for me all emails from Huawei I've received even today > > > > > fail the DKIM > > > > > check. After some more digging there is interesting > > > > > inconsistency in DMARC > > > > > configuration for huawei.com domain. There is DMARC record > > > > > for huawei.com > > > > > like: > > > > > > > > > > huawei.com. 600 IN TXT > > > > > "v=DMARC1;p=none;rua=mailto:dmarc@xxxxxxxxxxxxxx"; > > > > > > > > > > which means no DKIM is required but _dmarc.huawei.com has: > > > > > > > > > > _dmarc.huawei.com. 600 IN TXT "v=DMARC1;p=quarantine;ruf=mailto:dmarc@xxxxxxxxxx;rua=mailto:dmarc@xxxxxxxxxx"; > > > > > > > > > > > > > > > which says that DKIM is required. I guess this inconsistency may be the > > > > > reason why there are problems with DKIM validation for senders from > > > > > huawei.com. Yu Kuai, can you perhaps take this to your IT > > > > > support to fix > > > > > this? Either make sure huawei.com emails get properly signed > > > > > with DKIM or > > > > > remove the 'quarantine' record from _dmarc.huawei.com. Thanks! > > > > > > > > > > Honza > > > > > > > > > Hi, Jan and Jens > > > > > > > > I just got response from our IT support: > > > > > > > > 'fo' is not set in our dmarc configuration(default is 0), which means > > > > SPF and DKIM verify both failed so that emails will end up in spam. > > > > > > > > It right that DKIM verify is failed because there is no signed key, > > > > however, our IT support are curious how SPF verify faild. > > > > > > > > Can you guys please take a look at ip address of sender? So our IT > > > > support can take a look if they miss it from SPF records. > > > > > > So SPF is what makes me receive direct emails from you. For example > > > on this > > > email I can see: > > > > > > Received: from frasgout.his.huawei.com (frasgout.his.huawei.com > > > [185.176.79.56]) > > > (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 > > > (128/128 > > > bits)) > > > (No client certificate requested) > > > by smtp-in2.suse.de (Postfix) with ESMTPS id 4LHFjN2L0dzZfj > > > for <jack@xxxxxxx>; Tue, 7 Jun 2022 03:10:32 +0000 (UTC) > > > ... > > > Authentication-Results: smtp-in2.suse.de; > > > dkim=none; > > > dmarc=pass (policy=quarantine) header.from=huawei.com; > > > spf=pass (smtp-in2.suse.de: domain of yukuai3@xxxxxxxxxx > > > designates > > > 185.176.79.56 as permitted sender) > > > smtp.mailfrom=yukuai3@xxxxxxxxxx > > > > > > So indeed frasgout.his.huawei.com is correct outgoing server which makes > > > smtp-in2.suse.de believe the email despite missing DKIM signature. > > > But the > > > problem starts when you send email to a mailing list. Let me take for > > > example your email from June 2 with Message-ID > > > <20220602082129.2805890-1-yukuai3@xxxxxxxxxx>, subject "[PATCH -next] > > > mm/filemap: fix that first page is not mark accessed in filemap_read()". > > > There the mailing list server forwards the email so we have: > > > > > > Received: from smtp-in2.suse.de ([192.168.254.78]) > > > (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 > > > bits)) > > > by dovecot-director2.suse.de with LMTPS > > > id 8MC5NfVvmGIPLwAApTUePA > > > (envelope-from <linux-fsdevel-owner@xxxxxxxxxxxxxxx>) > > > for <jack@xxxxxxxxxxxx>; Thu, 02 Jun 2022 08:08:21 +0000 > > > Received: from out1.vger.email (out1.vger.email > > > [IPv6:2620:137:e000::1:20]) > > > by smtp-in2.suse.de (Postfix) with ESMTP id 4LDJYK5bf0zZg5 > > > for <jack@xxxxxxx>; Thu, 2 Jun 2022 08:08:21 +0000 (UTC) > > > Received: (majordomo@xxxxxxxxxxxxxxx) by vger.kernel.org via listexpand > > > id S232063AbiFBIIM (ORCPT <rfc822;jack@xxxxxxx>); > > > Thu, 2 Jun 2022 04:08:12 -0400 > > > Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56178 "EHLO > > > lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by > > > vger.kernel.org > > > with ESMTP id S232062AbiFBIIL (ORCPT > > > <rfc822;linux-fsdevel@xxxxxxxxxxxxxxx>); > > > Thu, 2 Jun 2022 04:08:11 -0400 > > > Received: from szxga02-in.huawei.com (szxga02-in.huawei.com > > > [45.249.212.188]) > > > by lindbergh.monkeyblade.net (Postfix) with ESMTPS id > > > 75DDB25FE; > > > Thu, 2 Jun 2022 01:08:08 -0700 (PDT) > > > > > > and thus smtp-in2.suse.de complains: > > > > > > Authentication-Results: smtp-in2.suse.de; > > > dkim=none; > > > dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" > > > header.from=huawei.com (policy=quarantine); > > > spf=pass (smtp-in2.suse.de: domain of > > > linux-fsdevel-owner@xxxxxxxxxxxxxxx designates > > > 2620:137:e000::1:20 as > > > permitted sender) > > > smtp.mailfrom=linux-fsdevel-owner@xxxxxxxxxxxxxxx > > > > > > Because now we've got email with "From" header from huawei.com > > > domain from > > > a vger mail server which was forwarding it. So SPF has no chance to match > > > (in fact SPF did pass for the Return-Path header which points to > > > vger.kernel.org but DMARC defines that if "From" and "Return-Path" do not > > > match, additional validation is needed - this is the "SPF not aligned > > > (relaxed)" message above). And missing DKIM (the additional validation > > > method) sends the email to spam. > > > > Thanks a lot for your analysis, afaics, in order to fix the > > problem, either your mail server change the configuration to set > > alignment mode to "relaxed" instead of "strict", or our mail server > > add correct DKIM signature for emails. > > > > I'll contact with our IT support and try to add DKIM signature. > > > > Thanks, > > Kuai > > Hi, Jan > > Our IT support is worried that add DKIM signature will degrade > performance, may I ask that how is your mail server configuation? policy > is quarantine or none, and dkim signature is supportted or not. The DMARC policy (relaxed / quarantine) is not configured on the side of the receiving mail server but on huawei.com side. As I wrote above it is this DMARC record in DNS of huawei.com domain that makes receiving mail servers refuse the email without DKIM signature (if SPF does not match): _dmarc.huawei.com. 600 IN TXT "v=DMARC1;p=quarantine;ruf=mailto:dmarc@xxxxxxxxxx;rua=mailto:dmarc@xxxxxxxxxx"; So if your IT admins do not want to introduce DKIM signatures on outgoing email, they should set policy to 'p=none' in the DMARC DNS record to tell that fact to receiving mail servers. Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
