Email

我是否需要調整我的 DMARC 設置(最終傳遞時 SPF 對齊失敗)?

  • May 3, 2021

我已經收到了我的第一份(有史以來!)DMARC 取證報告,我不確定這是否意味著我應該設置不同的東西,或者這是否是理想的行為,或者它是否不受歡迎但沒有什麼可做的。

實際報告說

Feedback-Type: auth-failure
User-Agent: szn-mime/2.0.46
Version: 1
Original-Mail-From: cwr@cwrichardson.com
Original-Rcpt-To: maru.sucha@seznam.cz
Source-Ip: 2a00:1450:4864:20::348
Reported-Domain: cwrichardson.com
Authentication-Results: email.seznam.cz 1;
   spf_align=fail;
   dkim_align=pass
Delivery-Result: delivered

查看返回的標頭,我猜在我發送電子郵件的位置 (@skolaseiferta.cz) 和收件人的實際電子郵件地址 (@seznam.cz) 之間發生了一些內部轉發/別名。Google中間有一堆東西,看起來一切(SPF、DKIM、DMARC)都在通過。我有模糊的回憶,我在某個地方讀過,有時Google在不更新標題的情況下轉發,這會導致問題。也許這就是這裡發生的事情,但我的核心問題是,這種失敗(SPF 對齊;但傳遞的消息)是否表明我配置錯誤,如果是,我應該改變什麼?

這是取證報告中報告的最終標題:

Received: from mail-wm1-x348.google.com (mail-wm1-x348.google.com [2a00:1450:4864:20::348])
   by email-smtpd17.ko.seznam.cz (Seznam SMTPD 1.3.125) with ESMTP;
   Wed, 21 Apr 2021 21:28:04 +0200 (CEST)  
Received: by mail-wm1-x348.google.com with SMTP id j128-20020a1c55860000b02901384b712094so754950wmb.2
      for <maru.sucha@seznam.cz>; Wed, 21 Apr 2021 12:28:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=1e100.net; s=20161025;
      h=x-gm-message-state:dkim-filter:dkim-signature:from:message-id
       :mime-version:subject:date:in-reply-to:cc:to:references:delivered-to;
      bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
      b=OmOkt9uiFimeL2nbIAnz89lXQh6/L47XxRfQcpkktf1KCjK1csYPs/I5UxzzgBxXDL
       QbkfBy3W6l6txQfM+E821xvBU63wXirBdbN8Gxo3Ldw6dQvZ+6uzatuCkEeFVHL6KO6H
       E1O27CVqbz6bhqvaDKEgZRItL6bSAO3OhprafiZk6Yhqr170cAKArDzfTyFgvXX4FGfI
       MFr/1BqM3VQnEyPRBRTiF5i4h1ZxRhnSUvcDH900v+7RN4AZ7+XLAcWjGfHBmWWHea6J
       GV14l7zl22LLRRGIhSaxP+L8qzSG6GM+NRFRJIA8OEfTHkpTXTI1q1aMzLRWIefkMFK/
       C9iQ==
X-Gm-Message-State: AOAM531OlI1F9zTh1HsZoHNZWRw2CRCcaLXZmaWuT10mdobzsf1XdbXR
   jVsZvqhPh/16vPkDdJdHwZdNzDTJ7CYTnntl2W3Ylv1iWfO45ExY/3J5H2S8LMTc9m/Vg1HzH9N
   unIJoFt2ngq8JpN5PRnXe3TbNIRVN5ypsMMYp9rWdDmXRlI/X3Q==
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285827wrc.216.1619033282566;
      Wed, 21 Apr 2021 12:28:02 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxghHJgfoFCadI4rf70xN3TaKsadvCo5viffMf7GjVOMzjZImFo2jdnWEOn8V+OIxc8YVlx
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285733wrc.216.1619033281236;
      Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619033281; cv=none;
      d=google.com; s=arc-20160816;
      b=i9HgJPQWyJQaj9eHYTRTLX30VfCcgk3coymQyyGzs3jKpMtoTGTSkTJoakmG4kpamB
       HBf9tf6FdxKZK1EPYUhu2HoIB99JSwU5/hm7+LjM9izktRYp12apYf37Q1XqUqWXXJkx
       iUUEVpjE33D6TmhklEOw6HZaSK+GI+AYESoUkIWuqJLG95+5gt2Ckq21Xs3zGw57m5vE
       pkusUkEKxR/8UOrFag6U4OLMr6ydy/oUNtQhUiAr2imI2qYUbMCoGpwDiIm4NI6n7Wtx
       WSTvKGZymXugiv51qBlmtL0u5U3dNTVTtJSKr2Vo4oDIQBIZaw1hm2oudeLPOvmdwSP0
       YfGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
      h=references:to:cc:in-reply-to:date:subject:mime-version:message-id
       :from:dkim-signature:dkim-filter;
      bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
      b=R3Rk9Xazyo8BwHtxFEETi3RxVnAMqd8aFzNgQYVSQ7eTSEFbkxquX3YWP5blsnu7el
       GinyOV6vxvBuRJpZOgx+7+zgT4os0xGP7naNBG8kyMBuFjvTTvt/g592KmZj0RurQezb
       lspa6TLQ+x1wpysKvlg7Dy0VKFhfAkww8vXDNNbaJuC/YlBFNGab+x2B2FLtrITIxR6B
       OyOpCsX2MvbXtuRikXRgzkvm5DWVqyt6XFH/a3kw9PvbzR23eEmX/OMZe/g+W9ZW8O7D
       /hbimfG2OjKsOAFOCX1yeUUlV0M2hdphi3yI3zSOgoqpTgQfieaHCm9LtkuYAmBBoFH7
       nuDw==
ARC-Authentication-Results: i=1; mx.google.com;
     dkim=pass header.i=@cwrichardson.com header.s=default header.b=rKVHfdcx;
     spf=pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) smtp.mailfrom=cwr@cwrichardson.com;
     dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Return-Path: <cwr@cwrichardson.com>
Received: from mercury.mirovoysales.com (mercury.mirovoysales.com. [54.93.189.174])
      by mx.google.com with ESMTP id r5si462898wrl.256.2021.04.21.12.28.00;
      Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) client-ip=54.93.189.174;
Authentication-Results: mx.google.com;
     dkim=pass header.i=@cwrichardson.com header.s=default header.b=rKVHfdcx;
     spf=pass (google.com: domain of cwr@cwrichardson.com designates 54.93.189.174 as permitted sender) smtp.mailfrom=cwr@cwrichardson.com;
     dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Received: from localhost (unknown [127.0.0.1])
   by mercury.mirovoysales.com (Postfix) with ESMTP id EF3C88004B;
   Wed, 21 Apr 2021 19:27:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at example.com
Received: from mercury.mirovoysales.com ([127.0.0.1])
   by localhost (ip-10-0-200-85.eu-central-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
   with ESMTP id wQKPlvH_4S8m; Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
Received: from [192.168.1.2] (213.121.broadband6.iol.cz [88.101.121.213])
   (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
   (No client certificate requested)
   by mercury.mirovoysales.com (Postfix) with ESMTPSA id 3A67080037;
   Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mercury.mirovoysales.com 3A67080037
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cwrichardson.com;
   s=default; t=1619033277;
   bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
   h=From:Subject:Date:In-Reply-To:Cc:To:References:From;
   b=rKVHfdcxSd1ZhsD1G1X5jvil3lpme2V8tNU+3D0PgdBklG/uYMEdRFVOjr6vqkp9y
    GhZa5D1MVyG1Zd/OZ8v7OZ6x2YZsObnWz92Q5B+X1H5lvbD7/1K9AuNAVmMMmWdlMl
    EY7thbBBQyT1f7j4TvHJTwuJx2JZszR1BjlGoEiY=
From: Christopher Richardson <cwr@cwrichardson.com>
Message-Id: <F670ECB5-9957-4288-8D0B-FB5D54B4F523@cwrichardson.com>
Content-Type: multipart/alternative;
   boundary="Apple-Mail=_4FC50147-75FE-4FDF-B8EC-F651F9EF7F63"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Subject: =?utf-8?B?UmU6IMWha29sYSB2IHDFmcOtcm9kxJs=?=
Date: Wed, 21 Apr 2021 21:27:56 +0200
In-Reply-To: <C81CB58C-CAD1-4A07-BDAD-76E1DC7A83D1@gmail.com>
Cc: Sarah Richardson <ssghotane@gmail.com>,
sucha@skolaseiferta.cz
To: pfauserova@skolaseiferta.cz
References: <CAOSANHi3e3EPsdvvBU5sh_r3T5h+m8+4Mmwsek=ZxHj3rmEaZQ@mail.gmail.com>
<C81CB58C-CAD1-4A07-BDAD-76E1DC7A83D1@gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Delivered-To: sucha@skolaseiferta.czArrival-Date: Wed, 21 Apr 2021 21:28:10 +0200 (CEST)
Reporting-MTA: dns; email.seznam.cz

Final-Recipient: rfc822; forensicreports@mirovoysales.com
Status: 2.0.0
Diagnostic-Code: x-uknown;
Action: x-unknown
Original-Recipient: rfc822; maru.sucha@seznam.cz

要實現 DMARC 合規性,必須對齊 SPF 或 DKIM 所以我不明白你為什麼收到這份取證報告——據我了解 DMARC 系統,這條消息是合規的,因為 DKIM 通過了對齊測試據我所知,這條消息是符合 DMARC 的——通常你不會得到取證報告,但有一個設置要求報告,即使任何機制失敗(感謝@anx 提供此資訊 - 對我來說是新的!)。該報告還在最後一行告訴您消息已送達 - 因此這裡沒有拒絕或隔離。

轉發是 DMARC 的一個已知問題,因為標頭中的發件人地址可能不匹配。通常,如果郵件網關檢測到不符合 DMARC 的郵件並且由於標頭中的特定提示而“看起來已轉發”,則網關可以讓該郵件通過 - 即使 SPFDKIM 失敗 -請參閱 DMARC Policy Overrides

引用自:https://serverfault.com/questions/1061686