为什么 opendmarc SPF 无法接收该到达消息?

为什么 opendmarc SPF 无法接收该到达消息?

为何此传入消息会失败?

postfix/smtpd[4776]: connect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]
 postfix/smtpd[4776]: Anonymous TLS connection established from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]: TLSv1.2 with cipher <snip>4 (256/256 bits)
 postfix/smtpd[4776]: 631A5453D55: client=mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]
 postfix/cleanup[4781]: 631A5453D55: message-id=<414<snip>MDC019E7.cnb.Corp.net>
 opendkim[849]: 631A5453D55: mail-mw2nam10on2073.outbound.protection.outlook.com [40.107.94.73] not internal
 opendkim[849]: 631A5453D55: not authenticated
 opendkim[849]: 631A5453D55: DKIM verification successful
 opendmarc[840]: 631A5453D55 ignoring Authentication-Results at 1 from ip-<snip>.ec2.internal
 opendmarc[840]: 631A5453D55: SPF(mailfrom): [email protected] fail
 opendmarc[840]: 631A5453D55: cnb.com fail
 postfix/cleanup[4781]: 631A5453D55: milter-reject: END-OF-MESSAGE from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]: 5.7.1 rejected by DMARC policy for cnb.com; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<NAM10-MW2-obe.outbound.protection.outlook.com>
 postfix/smtpd[4776]: disconnect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]

看来 cnb.com 的 DNS 具有 MS 在此处提到的正确 MS 记录 (spf.protection.outlook.com): https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-spf-in-office-365-to-help-prevent-spoofing?view=o365-worldwide

 # dig cnb.com txt|grep spf                                                                                                                              
     cnb.com.                290     IN      TXT     "v=spf1 include:spf.protection.outlook.com include:cnb.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
 

它们来自此处 40.107.0.0/16 网络内的 IP:
https://mxtoolbox.com/SuperTool.aspx?action=spf:spf.protection.outlook.com&newAppVersion=1

他们的 SPF 配置是不是出了什么问题,还是我这边出了问题?

答案1

看起来 DNS 查询无法从世界某个地方到达 NS 服务器,失败率接近 8%,这可能与防火墙规则的流量有关,如以下查询所示:

https://atlas.ripe.net/measurements/30167421/#probes

相关内容