Why is my opendmarc failing pretty much everything that comes through?

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:

example.com.                    600 IN  MX  1 mail.morpheu5.net.
example.com.                    600 IN  TXT "v=spf1 a mx -all"
_dmarc.example.com.         600 IN  TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; ri=86400"
mail._domainkey.example.com.    600 IN  TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSYXmE/aXew9wcS9dCZFYrPetCRC9rW3vVYRQo980JbC6pXbAkqnUd7ncWkUaQZgF2HKzrspUMklRN35rB1b9iHX3dHnf/gvxSURZPYcKT1DenFt+Vhplv2IuWCNWRSqTuXTXlVOnf+TwWLZayKNq62mCqU09sasP9kHXO5lyIbwIDAQAB"

mail.morpheu5.net is the local host/domain/thing for my postfix, and I'm managing example.com as a virtual domain. I'm running OpenDKIM and OpenDMARC as milters -- SpamAssassin too, but that's working alright.

OpenDKIM is working fine, all the messages get signed correctly and Gmail even shows the little "Signed by: example.com" and confirmation of standard encryption (TLS). In fact, if I inspect the original message, in Gmail, I get the following:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <[email protected]>
Received: from mail.morpheu5.net (mail.morpheu5.net. [79.137.83.28])
        by mx.google.com with ESMTPS id p67-v6si2567899wmd.147.2018.10.31.08.01.43
        for <[email protected]>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 31 Oct 2018 08:01:43 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) client-ip=79.137.83.28;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=mail header.b=pixIC2KM;
       spf=pass (google.com: domain of [email protected] designates 79.137.83.28 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com

which, if I read it correctly, tells me that

• my SPF policy is OK (example.com designates mail.morpheu5.net as permitted sender),
• my DKIM signature is valid (sign that OpenDKIM is working fine), and
• my DMARC record is valid and the two previous checks passed.

Further down, if I inspect the headers generated by my own MTA, I see the following

DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 8E8CE100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; t=1540998102; bh=j1p26NHBiJxaCqvB8/JaswqiQuHCsG+QNIkoIUc8B+0=; h=From:Subject:Date:To:From; b=pixIC2KMsLYpq4KQn4gRIJ4wr3Tle+Iaq08lSVdIz82nrKDybFhOivpIrmtpKSXND
     rS4MPn7aNRV2D2KJPqG6Ru2tFAJEaBviC/7BNs2x3mIGlIxv5OzvD2EIvrJSJ8FA9U
     1Uf9YTdWgSF4FdytLD21Jus6dYt4evDc3ZZujvIU=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 8E8CE100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
                                           ^^^^^^^^^^- WHAT?!

That in itself is confusing, because it seems that OpenDMARC is running even for outgoing mail (remember, I sent this message from [email protected] to [email protected]). This however could be because of how I'm running the milter. This is the relevant bit in postfix's main.cf:

smtpd_milters =     inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
non_smtpd_milters = inet:mopsmailer_spamassassin:784 inet:localhost:8893 inet:localhost:8891
                    ^- SpamAssassin                  ^- OpenDMARC        ^- OpenDKIM

I'm open to suggestions on this.

What is really driving me insane, though, is that OpenDMARC is failing pretty much everything that comes in through the door. This is a message I sent from another domain (that I have set up in a similar way to example.com)

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id t10hEf7J2Vu3BQAAl2tFQA
    (envelope-from <[email protected]>)
    for <[email protected]>; Wed, 31 Oct 2018 15:27:58 +0000
Received: from porto.home (host109-154-219-15.range109-154.btcentralplus.com [109.154.219.15])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPSA id E0A22100B2EB
    for <[email protected]>; Wed, 31 Oct 2018 15:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net E0A22100B2EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
    s=mail; t=1540999678;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    h=From:Subject:Date:To:From;
    b=ulFaGLYp8hoosllX0rs+byXALUScldP5Of4Sf9/GxuuEqkz5VpCwPHib0TCXQNyqG
     yGqzlgBUoKB2SB0vRqbDW6vb+1UyG971DVeC0WfuRvoe7lKFLFmzD+V25rht/83TKv
     GFhIX2JMMobnw+wS++/6rS/l93/NLlTysiKECSfo=
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net E0A22100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=example.com
From: "example.com" <[email protected]>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: 
Message-Id: <[email protected]>
Date: Wed, 31 Oct 2018 15:27:57 +0000
To: [email protected]

They are both served by the same postfix install, so draw your own conclusions. The only thing I see in the logs is a very laconic

Oct 31 15:27:58 bd85f6a3b2b6 opendmarc[20]: E0A22100B2EB: example.com fail

So I figured I must have screwed up something while delivering the message. I then sent one from my gmail.com address and lo and behold

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.morpheu5.net ([172.18.0.14])
    by 6c01c2ccb641 with LMTP
    id 3P0+CTjL2Vu7BQAAl2tFQA
    (envelope-from <[email protected]>)
    for <[email protected]>; Wed, 31 Oct 2018 15:33:12 +0000
Received: from mail-lf1-f51.google.com (mail-lf1-f51.google.com [209.85.167.51])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mail.morpheu5.net (Postfix) with ESMTPS id 63728100B2EB
    for <[email protected]>; Wed, 31 Oct 2018 15:33:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net;
    dkim=pass (2048-bit key) header.d=gmail.com [email protected] header.b="Yrnjbum2"
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.morpheu5.net 63728100B2EB
Authentication-Results: mail.morpheu5.net; dmarc=fail (p=none dis=none) header.from=gmail.com
Received: by mail-lf1-f51.google.com with SMTP id p86so9773378lfg.5
        for <[email protected]>; Wed, 31 Oct 2018 08:33:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=Yrnjbum25r6EczXzozeQERktfI7380FH3ETaRQ574kjKWdI+gtL337nVsPH34hnkyy
         YZ3XuVBCyKpz2ulXqF6G9ipsk9Hh6cK6P/BGNO9fs1WRrz9U8BImKhiqJBTdv4J+K4Rq
         grpn4buL1q3lRqunfJzSPaTww0DnYPWR89ICeMiyIYGbNYA4uTBQhQm0GUQRMJz6J1Bm
         4FGL9dL2/sgexlOGga3AeP1dHyPoLag9FN2Vbr/nJThqml8BcC4kPdVb1iH4FZoNaTSh
         s4CeTREvW6XLEAVgSz5Q3DgFLR0V4iCuqYxKkkHDYNi1If/agXkbRBigRP6+HUsTw7mM
         8O7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=fxtWSne+bN95BKwPxnuLE2Rr8rvPT03LkPGqL68IQSE=;
        b=MPBwgFcsvJZ9gZbD0n0kfYMKpaHDQ3SkU30o5qVqs9Zwaqu3bTubSDkB+HCHsq8P8A
         6BZN3WARiL9zi9sdxKmvHYBvrf043htR1/jFEr6+1Wr5eO2ULZmKIxdKl609YffDmzM8
         vXXNzIw8pNYvEcaKUW04APzyEG5iEA9B5hrik4ivD9EWC0LHGuVf5jZuFT0LsKuWwydP
         n30LqX6Wra8XjSnbejgeD/m53xDWQpYckArRm6VA7+XqH1W7xnKgxc4MBmeX7gqYQrvV
         nmXMJyJAVtjiW9PXKDIE0SpP9XXryLn3FsguDCCwb46FS3rLJWW7i9SYSDKDb4N6iY3r
         NXUA==
X-Gm-Message-State: AGRZ1gIHySs3xex2WNMp2GByh7QqSOszi85+983Juw7ZJnOEDB28/jma
    iM0XrZTH6QjHeJajn8Zxx3UmFTkgAJ1MdBldxKeKiQ==
X-Google-Smtp-Source: AJdET5dvhrIXWjNNjZ2g5C7dSnHwXF95xuK/26l2o3C8fhT2r034Pos5Z776NyKi6JQvIAXpGCEkKe/WjOMaWWllzCM=
X-Received: by 2002:a19:13cc:: with SMTP id 73mr1902315lft.79.1540999989833;
 Wed, 31 Oct 2018 08:33:09 -0700 (PDT)
MIME-Version: 1.0
From: Andrea Franceschini <[email protected]>
Date: Wed, 31 Oct 2018 15:32:32 +0000
Message-ID: <CACY09wpao6XSxkjzNXytTJ3Z3SCrpnhQkUjoWHJzYd8sS23jmA@mail.gmail.com>
Subject: 
To: [email protected]
Content-Type: text/plain; charset="UTF-8"
X-Spam-Status: No, score=2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
    DKIM_VALID_AU,DNS_FROM_AHBL_RHSBL,FREEMAIL_FROM,UNPARSEABLE_RELAY,
    URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0
X-Spam-Level: **
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on 226c07f01f2b

and this is what shows up in the logs

Oct 31 15:33:12 bd85f6a3b2b6 opendmarc[20]: 63728100B2EB: gmail.com fail

Please also note that SpamAssassin computed a bunch of DKIM scores for this message, while this did not happen before, so... time for more config files!

OpenDKIM to begin with

PidFile             /var/run/opendkim/opendkim.pid
Mode                sv
Syslog              yes
SyslogSuccess       yes
LogWhy              yes
UserID              opendkim:opendkim
Socket              inet:8891@localhost
Umask               002
SendReports         yes
SoftwareHeader      yes
Canonicalization    relaxed/relaxed
Selector            default
MinimumKeyBits      1024
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts       refile:/etc/opendkim/TrustedHosts
OversignHeaders     From
QueryCache          yes
AutoRestart         Yes

KeyTable seems OK to me

mail._domainkey.unijobs.it unijobs.it:mail:/etc/opendkim/keys/unijobs.it/dkim-private.pem
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/dkim-private.pem

I also have wildcard signing

*@unijobs.it mail._domainkey.unijobs.it
*@example.com mail._domainkey.example.com

and these as trusted hosts

127.0.0.1
::1
172.17.0.0/16
172.18.0.0/16

OpenDMARC is configured like this

AuthservID      mail.morpheu5.net
HistoryFile     /var/spool/opendmarc/opendmarc.dat
IgnoreHosts     /etc/opendmarc/ignore.hosts
RejectFailures  false
Socket          inet:8893@localhost
SoftwareHeader  true
Syslog          true
UMask           007
UserID          opendmarc:mail

With the following in ignore.hosts

localhost
172.17.0.0/16
172.18.0.0/16

So... why does OpenDMARC fails pretty much everything that comes through the door?

EDIT I ran opendmarc -t on one of these messages and the worst that happens is

opendmarc: mlfi_connect() returned SMFIS_ACCEPT

if I run it with the my custom config file, and

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: message: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: message: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 8: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 13: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 14: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 15: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 16: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 23: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 24: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 26: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 27: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 28: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 29: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 30: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 31: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 34: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 35: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 37: mlfi_header() returned SMFIS_CONTINUE
opendmarc: message: line 38: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=fail (p=none dis=none) header.from=example.com'
opendmarc: message: mlfi_eom() returned SMFIS_ACCEPT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

if I don't specify my custom config file (which is in a weird location because reasons).

EDIT Gmail now passes SPF, DKIM, and eventually opendmarc gives it a pass. Not sure what happened.

EDIT Follow-up: What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?

see alos [this post] (serverfault.com/questions/923526/…)

Thanks for your answer! I added 127.0.0.1 to the ignored hosts (though I had localhost in there, so that should have been the same). No effect. I also tried setting AuthservID to HOSTNAME (and TrustedAuthservID too, just in case). No effect again. I should also say that, if I enable the SPF check performed by opendmarc itself, that also fails.

that was my 50 cent for the moment...

other than what You already tested ... TrustedAuthservIDs mail.morpheu5.net.

The thing that annoys me greatly is that I can't seem to get any useful debug messages or any kind of information on what exactly is failing. I kind-of got the sense that a hint may be contained in the Authentication-Results headers, but they are hard as hell to read…

Just a silly question: does your mail host use an internal DNS, where the DKIM/SPF/DMARC entries are not available? Or is it another DNS related issue rather than opendmarc config

I'm the mail host, as far as I can tell (I set up my own Postfix/Dovecot cabal). I also control the DNS records, and they are all set up correctly, otherwise I'd be failing tests when, for example, sending to a Gmail address, instead I get all passes. You can check one of my domains (the others are configured more or less the same, save for the signing keys) for example unijobs.it (dkim at mail._domainkey.unijobs.it, dmarc record at _dmarc.unijobs.it).

I just send an e-mail to [email protected] Can you copy the maillog when the DMARC is evaluated? (return to the same sender as in the email)

Tried that too, didn't work, thanks for your suggestion though.

No that happens after checking. You have to read headers bottom to top. Problem that dmarc fails is probably because of wrong order (before dkim) and bad spf results (so to say missing SPF test result). Opendmarc needs at least one if them to succeed.