为什么 opendmarc 拒绝来自 firefox.com 的邮件?看起来他们的 SPF 记录与他们的发送地址相匹配并且确实通过了:
v=spf1 mx a include:amazonses.com include:mail.zendesk.com -all
/var/log/邮件日志:
postfix/smtpd[19221]: connect from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/smtpd[19221]: Anonymous TLS connection established from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
postfix/smtpd[19221]: 559B1453AE7: client=a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/cleanup[19242]: 559B1453AE7: message-id=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com>
opendkim[25641]: 559B1453AE7: a59-48.smtp-out.us-west-2.amazonses.com [54.240.59.48] not internal
opendkim[25641]: 559B1453AE7: not authenticated
opendkim[25641]: 559B1453AE7: message has signatures from firefox.com, amazonses.com
opendkim[25641]: 559B1453AE7: DKIM verification successful
opendmarc[25631]: 559B1453AE7 ignoring Authentication-Results at 1 from ip-172-31-2-211.ec2.internal
opendmarc[25631]: 559B1453AE7: SPF(mailfrom): 01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com pass
opendmarc[25631]: 559B1453AE7: **firefox.com fail**
postfix/cleanup[19242]: 559B1453AE7: milter-reject: END-OF-MESSAGE from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: 5.7.1 rejected by DMARC policy for firefox.com; from=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com> to=<[email protected]> proto=ESMTP helo=<a59-48.smtp-out.us-west-2.amazonses.com>
答案1
在DMARC关于哪些地址很重要的规则被描述为标识符对齐,并描述的方式防晒指数-authenticated 域必须与域匹配从-标题。
您正在查看的邮件日志不是对齐从这个意义上来说,我可以从你的开放的马克记录您收到的邮件已检查是否与之一致firefox.com- 但上面的 SPF 授权指的是.amazonses.com。
我无法从你的日志中确定地判断另一种方法到底发生了什么,密钥管理信息系统。您可以通过接收来自已知良好发件人的邮件并查看标题来最好地找出这一点Authentication-Results:。我怀疑被忽略标题来自ip-172-31-2-211.ec2.internal您的,在那里 opendkim 和 opendmarc 可能应该被配置为使用一些全局唯一的(172.16.0.0/12不是)的东西,比如您的 MX FQDN。