Is smartermails DMARC check faulty or is yahoo really failing DMARC on their CFL emails??

Problem reported by David Maggard - 7/11/2015 at 6:20 PM

Submitted

I am currently jumping thru the hoops of setting up feedback loops because we just moved our servers and have new IP's. As part of the process I am trying to join yahoos version they call CFL, as part of the enrollment they send an email with a verification code you put in a form to proceed, after waiting a long time assuming the email was delayed due to grey listing I checked the SM logs and found this:
rsp: 220 mail.MYDOMAIN.com
connected at 7/11/2015 3:29:04 PM
cmd: EHLO n1-vm10.bullet.mail.gq1.yahoo.com
rsp: 250-mail.MYDOMAIN.com Hello [216.39.62.188]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
cmd: STARTTLS
rsp: 220 Start TLS negotiation
cmd: EHLO n1-vm10.bullet.mail.gq1.yahoo.com
rsp: 250-mail.MYDOMAIN.com Hello [216.39.62.188]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
cmd: MAIL FROM:<abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwgy2tamjugm-postmaster=MYDOMAIN.com@returns.bulk.yahoo.com>
rsp: 250 OK <abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwgy2tamjugm-postmaster=MYDOMAIN.com@returns.bulk.yahoo.com> Sender ok
cmd: RCPT TO:<postmaster@MYDOMAIN.com>
rsp: 250 OK <postmaster@MYDOMAIN.com> Recipient ok
cmd: DATA
rsp: 354 Start mail input; end with <CRLF>.<CRLF>
rsp: 550 Message rejected due to senders DMARC policy
A trace of the DMARC processing follows.
Beginning DMARC check for abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwgy2tamjugm-postmaster=MYDOMAIN.com@returns.bulk.yahoo.com from IP 216.39.62.188...
The from field for the message is "yahoo-account-services-us@cc.yahoo-inc.com". Will look for DMARC policy record at _dmarc.cc.yahoo-inc.com
Retrieved the following DMARC policy record for "cc.yahoo-inc.com": v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@yahoo-inc.com;
DMARC policy violated due a bad DKIM signature.
Data transfer succeeded but message rejected by DMARC
cmd: RSET
rsp: 250 OK
cmd: QUIT
rsp: 221 Service closing transmission channel
disconnected at 7/11/2015 3:29:07 PM

I disabled dmarc temporarily to allow the message in and had it resent and got a message with the following headers:
Return-Path: <abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwgy2tanzqgm-postmaster=MYDOMAIN.com@returns.bulk.yahoo.com>
Received: from n10-vm7.bullet.mail.gq1.yahoo.com (n10-vm7.bullet.mail.gq1.yahoo.com [216.39.62.81]) by mail.MYDOMAIN.com with SMTP
(version=TLS\Tls
cipher=Aes256 bits=256);
Sat, 11 Jul 2015 15:38:25 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cc.yahoo-inc.com; s=fz10; t=1436650703; bh=sfDmFAY4P+K9B9D+c2/NRencijVhzkblp31EEye/bis=; h=To:From:Reply-To:Date:Subject:From:Subject; b=fg3aDvd5cR5IO3ygJ8vH239cWFBDEWCpRfJthcTKRXeut+N32c+SYGlBRgimo4c5eOXP68P2tPn+beOo2aYFDJPOKNSClt4pWFciy41b2cdkhltucJ2beETm9se0voh39jtS4mDJePrSYj4ScDR6ZPxBldcdVSZo6D9ThnPMD88=
Received: from [216.39.60.189] by n10.bullet.mail.gq1.yahoo.com with NNFMP; 11 Jul 2015 21:38:23 -0000
Received: from [10.210.195.112] by t5.bullet.mail.gq1.yahoo.com with NNFMP; 11 Jul 2015 21:38:23 -0000
Received: from [127.0.0.1] by c61.ah.gq1.yahoo.com with NNFMP; 11 Jul 2015 21:38:23 -0000
To: postmaster@MYDOMAIN.com
From: yahoo-account-services-us@cc.yahoo-inc.com
Reply-To: yahoo-account-services-us@cc.yahoo-inc.com
Date: 11 Jul 2015 21:38:23
Sender: yahoo-account-services-us@cc.yahoo-inc.com
X-Yahoo-Newman-Property: abuse
X-Yahoo-Newman-Id: c5.ah.yahoo.com-1436650703
Content-Type: multipart/alternative; boundary="==MULTIPART_BOUNDARY_6e7a10ecf1b90f41e6bc932e27085ed4"
Subject: Yahoo email verification code
Message-ID: <a58bc7e2077a4d06ae628bda039dd03c@com>
X-SmarterMail-Spam: SPF_Pass, Bayesian Filtering, Commtouch 0 [value: Unknown], ISpamAssassin 6 [raw: 3], DK_None, DKIM_Pass, Custom Rules []
X-CTCH-RefId: str=0001.0A090205.55A18CD4.008F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=512
X-SmarterMail-TotalSpamWeight: 16

According to that SPF and DKIM both passed, so I am a bit confused but have a hard time believing that yahoo is failing dmarc on emails the postmaster system is sending out.

20 Replies

Reply to Thread

Bruce Barnes Replied

7/11/2015 at 6:30 PM

Setup an account at unlocktheinbox.com and then send an e-mail from the failing domain to mailtest@unlocktheinbox.com

Unlocktheinbox.com will run tests on everything and send your results back, giving you a detailed analysis of your configuration and telling you exactly what you need to do to become compliant.

Remember to setup FEEDBACK LOOPS for all of your hosted domains, too.

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

David Maggard Replied

7/11/2015 at 6:54 PM

My SPF, domainkeys, dkim, senderid, and dmarc are all setup and fully tested, this is a problem with INCOMING mail to me/my server from the signup for yahoo's CFL( https://help.yahoo.com/kb/SLN3438.html ).

Yahoo is the only FBL I don't have setup, I saved it for last since it is per domain rather than IP based, but if I can't evenn get the signup emails without disabling the DMARC policy compliance check it's going to mean leaving it off until I get all the domains added to yahoo's FBL.

David Maggard Replied

7/11/2015 at 6:55 PM

Maybe you could try out their signup form and see if you get the "Yahoo email verification code" emails thru your smartermail & DMARC.

David Maggard Replied

7/11/2015 at 7:03 PM

Any chance SM 13.2 has any dmarc bugs, planning to upgrade at the end of the month but would do it early if it would help the issue.

David Maggard Replied

7/11/2015 at 7:04 PM

http://cdn.bleedingcool.net/wp-content/uploads/2015/03/leia-r2d2.jpg

Help me Barnes-wan, your my only hope. :)

Scarab Replied

7/13/2015 at 1:08 PM

Yes, Yahoo!'s SPF Record is broken, and since they have a restrictive "Reject" DMARC Policy your SmarterMail server is doing precisely what Yahoo! is telling Mail Servers to do.

The problem is that their SPF Record is non-compliant. The SPF Record for yahoo.com is a redirect to _spf.mail.yahoo.com. The SPF Record for _spf.mail.yahoo.com is "v=spf1 ptr:yahoo.com ptr:yahoo.net ?all". According to IETF RFC 7208 Section 5.5 PTR mechanisms SHOULD NOT be used in SPF Records. (see http://tools.ietf.org/html/rfc7208#section-5.5). This SPF record results in 0 authorized netblocks and 0 authorized individual IPv4 addresses that could produce a SPF "pass" result.

The only way around this would be to either disable DMARC checking or whitelist Yahoo! (either way would result in a significant amount of collateral spam).

POST-SCRIPT: As of April 2014 the use of a PTR in a SPF Record is considered deprecated and strongly discouraged for public SPF records, but compliant SPF check_host() implementations are still supposed to support it which apparently SmarterMail (and many others that do SPF Record checks) either no longer do, or timeout before the PTR check is resolved by root DNS servers, resulting in a SPF "soft-fail". (As PTR lookups are slow and produce a heavy burden on root DNS servers this is the reason their use in SPF Records was deprecated in the first place.)

Scarab Replied

7/13/2015 at 4:41 PM

Additional Note: The second email came from a yahoo-inc.com address which uses a different SPF Record that is setup correctly, resulting in a SPF "Pass" which would have resulted in it passing the restrictive "Reject" DMARC Policy for yahoo-inc.com even if you hadn't turned off DMARC Policy.

Miguel Enrique Replied

7/14/2015 at 1:21 AM

Hello,

The problem is not just with Yahoo. I have hundreds of rejections per day. Some customers complain about not receiving notifications of transport agencies.

With "DMARC policy violated due a bad DKIM signature.":
dhl.com
yahoo.com
fedex.com
news.decathlon.es

Others:

"DMARC policy violated due to DKIM domain ("amazonses.com") not belonging to the same parent domain as the from address field domain ("dropboxmail.com")."

I'll have to disable DMARC if I find a solution.

What do the rest of SmarterMail customers?
Do not activate DMARC?
Do not listen to user complaints?

David Maggard Replied

7/14/2015 at 8:42 AM

I turned on dmarc months ago based on the recommendation of Bruce Barnes( If you don't know, he is The Man when it comes to SM ), this is the first time I have had an issue with dmarc, the one nice thing is that with the weighting of blacklists, and DKIM failures, etc is on you, but dmarc is TOTALLY on them, they publish a dmarc policy telling you to reject the mail, that provides a lot of cover. I just find it odd that big names would publish dmarc then not follow it.

Scarab Replied

7/14/2015 at 10:09 AM

I can confirm a similar problem with Fedex.com. They have a restrictive "Reject" DMARC policy as well, but many of their Mail Servers use Gateway MXs that are not included the published SPF Record for their domain. It's definitely not a problem with DMARC as the system is doing precisely as it should, it is just that Fedex.com should either

a.) update their SPF Record when adding new Gateway MXs or
b.) not use a restrictive "Reject" DMARC policy and should only used "Quarantine".

However, with someone as big as Yahoo! and FedEx (and it wouldn't surprise me if there is a number of large corporations that don't always pass their own DMARC policy) what can you do? The proper solution would be for those domains to fix their broken policies. However, for the rest of us who have to deal with upset customers the only viable option is to disable DMARC checking entirely.

It would be nice to have a DMARC Bypass/Whitelist in SmarterMail that will skip DMARC Checking for defined domains, as that seems to the only happy medium.

Bruce Barnes Replied

7/14/2015 at 12:13 PM

With regard to the question, "Is smartermails DMARC check faulty or is yahoo really failing DMARC on their CFL emails?" I just checked this issue by sending two e-mail messages:

- one from a YAHOO! test account at chicagonettech@yahoo.com, and

- the other from FedEX - for a package delivery.

to our ChicagoNetTech.com SmarterMail Enterprise Edition: Version 14.0.5661.20114 server.

Both were properly received. Here are the delivery logs and headers:

from: chicagonettech@yahoo.com

to: bbarnes@chicagonettech.com

Before posting the results, these are my security settings:

SRS ENABLED / DMARC CHECKING ENABLED

Here is the YAHOO.COM! SMTP IN transaction log:

[2015.07.14] 12:58:04 [98.138.90.63][45863490] rsp: 220 securemail.chicagonettech.com  Tue, 14 Jul 2015 17:58:04 +0000 UTC | SmarterMail Enterprise 14.0.5661.20114
[2015.07.14] 12:58:04 [98.138.90.63][45863490] connected at 7/14/2015 12:58:04 PM
[2015.07.14] 12:58:04 [98.138.90.63][45863490] cmd: EHLO nm29-vm1.bullet.mail.ne1.yahoo.com
[2015.07.14] 12:58:04 [98.138.90.63][45863490] rsp: 250-securemail.chicagonettech.com Hello [98.138.90.63]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.07.14] 12:58:04 [98.138.90.63][45863490] cmd: STARTTLS
[2015.07.14] 12:58:04 [98.138.90.63][45863490] rsp: 220 Start TLS negotiation[2015.07.14] 12:58:05 [98.138.90.63][45863490] cmd: EHLO nm29-vm1.bullet.mail.ne1.yahoo.com
[2015.07.14] 12:58:05 [98.138.90.63][45863490] rsp: 250-securemail.chicagonettech.com Hello [98.138.90.63]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.07.14] 12:58:05 [98.138.90.63][45863490] cmd: MAIL FROM:<chicagonettech@yahoo.com>[2015.07.14] 12:58:06 [98.138.90.63][45863490] rsp: 250 OK <chicagonettech@yahoo.com> Sender ok
[2015.07.14] 12:58:06 [98.138.90.63][45863490] cmd: RCPT TO:<bbarnes@chicagonettech.com>[2015.07.14] 12:58:06 [98.138.90.63][45863490] rsp: 250 OK <bbarnes@chicagonettech.com> Recipient ok
[2015.07.14] 12:58:06 [98.138.90.63][45863490] cmd: DATA
[2015.07.14] 12:58:06 [98.138.90.63][45863490] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.07.14] 12:58:07 [98.138.90.63][45863490] rsp: 250 OK
[2015.07.14] 12:58:07 [98.138.90.63][45863490] Data transfer succeeded, writing mail to 98274177.eml
[2015.07.14] 12:58:07 [98.138.90.63][45863490] cmd: QUIT[2015.07.14] 12:58:07 [98.138.90.63][45863490] rsp: 221 Service closing transmission channel
[2015.07.14] 12:58:07 [98.138.90.63][45863490] disconnected at 7/14/2015 12:58:07 PM

Here is the YAHOO.COM! DELIVERY transaction log:

[2015.07.14] 12:58:08 [74177] Delivery started for chicagonettech@yahoo.com at 12:58:08 PM
[2015.07.14] 12:58:15 [74177] Spam check results: 
                (formatting added to make readability easier)
 - [_SPF: Pass], 
 - [BARRACUDA - BRBL: passed], 
 - [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING!: passed], 
 - [HOSTKARMA - BLACKLIST: passed], 
 - [MAILSPIKE Z: passed], 
 - [RFC2 REALTIME LIST: passed], 
 - [SORBS 02 - HTTP: passed], 
 - [SORBS 03 - SOCKS: passed], 
 - [SORBS 05 - SMTP: passed], 
 - [SORBS 08 - BLOCK: passed], 
 - [SORBS 09 - ZOMBIE: passed], 
 - [SORBS 11 - BAD CONFIG: passed], 
 - [SORBS 12 - NOMAIL: passed], 
 - [SORBS 13 - NO SERVER: passed], 
 - [SPAMCOP: passed], 
 - [SPAMHAUS - PBL 1: passed], 
 - [SPAMHAUS - PBL 2: passed], 
 - [SPAMHAUS - SBL 1: passed], 
 - [SPAMHAUS - SBL 2: passed], 
 - [SPAMHAUS - XBL 1: passed], 
 - [SPAMHAUS - XBL 2: passed], 
 - [SPAMHAUS - XBL 3: passed], 
 - [SPAMHAUS - XBL 4: passed], 
 - [SPAMHAUS ZEN: passed], 
 - [SPAMRATS: passed], 
 - [SURRIEL: passed], 
 - [VIRUS RBL - MSRBL: passed], 
 - [_REVERSEDNSLOOKUP: passed], 
 - [_BAYESIANFILTERING: passed], 
 - [_DK: None], 
 - [_DKIM: Pass], 
 - [NOABUSE: passed], 
 - [NOPOSTMASTER: passed], 
 - [SEM-URIBL: passed], 
 - [SORBS 04 - MISC: passed], 
 - [SORBS 06 - RECENT: passed], 
 - [SORBS 07 - WEB: passed], 
 - [SORBS 10 - DYNAMIC IP: passed], 
 - [SURBL - ABUSE BUSTER: passed], 
 - [SURBL - JWSPAMSPY: passed], 
 - [SURBL - MALWARE: passed], 
 - [SURBL - PHISHING: passed], 
 - [SURBL - SA BLACKLIST: passed], 
 - [SURBL - SPAMCOP WEB: passed], 
 - [UCEPROTECT LEVEL 1: passed], 
 - [UCEPROTECT LEVEL 2: passed], 
 - [UCEPROTECT LEVEL 3: passed], 
 - [URIBL - BLACK: passed], 
 - [URIBL - GREY: passed], 
 - [URIBL - MULTI: passed], 
 - [URIBL - RED: passed]

[2015.07.14] 12:58:17 [74177] Starting local delivery to bbarnes@chicagonettech.com
[2015.07.14] 12:58:17 [74177] Delivery for chicagonettech@yahoo.com to bbarnes@chicagonettech.com has completed (Delivered) Filter: None
[2015.07.14] 12:58:17 [74177] End delivery to bbarnes@chicagonettech.com
[2015.07.14] 12:58:17 [74177] Delivery finished for chicagonettech@yahoo.com at 12:58:17 PM    [id:98274177]

Here is the YAHOO.COM! | MESSAGE HEADER: from YAHOO.COM to CHICAGONETTECH.COM:

Return-Path: <chicagonettech@yahoo.com>
Received: from nm29-vm1.bullet.mail.ne1.yahoo.com (nm29-vm1.bullet.mail.ne1.yahoo.com [98.138.90.63]) by securemail.chicagonettech.com with SMTP
	(version=TLS\Tls
	cipher=Aes256 bits=256);
   Tue, 14 Jul 2015 12:58:06 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1436896519; bh=rBpgUqIcIaT549ApaHm/0y7mRbHprn4/pNzCcVeZdjY=; h=Date:From:Reply-To:To:Subject:From:Subject; b=X9xxunV/WWHkjj1xffTv3zh+XJRdLCg8ph8iaGUXYVuKiG1Bc3Di1e2vwDUeJSzeuOs0W6sgNcq9o1CCdjh+CjaNIF/dYXEj+XZ8XZcwxYorWaeYVCrHStrrt7AsTHuTL6Nrop+p4bQmGAhv9B43wz8fQXiFJ5xtlt5aTYmfOiDlQrjcbq0NSoWF4yhAhThuF1e+F8hMxEcPZyBj2hQgi5nU8OXJHU+7J7xXweZSaAcmjlqIR8I+vzS357sv+ofOle5w9vpAs1UAOQ1Yh0phzDGtrldBMnfYBfjIUzvuik1dnSLB8v/d0N5FBWStqS9OLgwrsFaU+yNmQaJ4PQ9SmQ==
Received: from [98.138.100.112] by nm29.bullet.mail.ne1.yahoo.com with NNFMP; 14 Jul 2015 17:55:19 -0000
Received: from [98.138.89.195] by tm103.bullet.mail.ne1.yahoo.com with NNFMP; 14 Jul 2015 17:55:19 -0000
Received: from [127.0.0.1] by omp1053.mail.ne1.yahoo.com with NNFMP; 14 Jul 2015 17:55:19 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 766527.71428.bm@omp1053.mail.ne1.yahoo.com
X-YMail-OSG: VagMG7gVM1mwPt8RB9Ly18QSSU2D0HpZN0DKY0nLkBuvVvkCkK22Z.E_uAlFxLW
 j6iDAyqK63dML_h1HIRyTgP7H60.36uhq2EM4tP3qj81CRo1RasKLr_0ypSg9ebgLNiwgEV7OkiQ
 KnHDGCF6fYBTvFkWzP6yIN.cesIjTM73ENRVQPbWuNdznrVbrFYAn7tz0MRM_STGLMzmb4QVYZjD
 dzy1oN0_ucS302D3q0FlP41IpJK4Hzh3R7zl.BqlHhrnc.MvILqnhitO8NtryHdcAMQYqLQ2q5tO
 gBW4gnYBtCQI4xWsFUsnz62CU8LaRVb3t7HP.4SueVFIuh.XlVa4luSPQib1WtmgXTKps3NkrPbp
 sypv8Ux3_Ex8_to5cUXsSbiRWYBll994ffhhSOMsmu7d2E.bGZYIC_Dxa.9UPdZTc_5t0Oor4YRg
 UmIhuSPP_rS0QgmNH.QCd01jcUOgLu_ohH1C2UX27pTqNQ_IpyBBF45O_Tk5KtmNUGTA-
Received: by 98.138.105.215; Tue, 14 Jul 2015 17:55:19 +0000
Date: Tue, 14 Jul 2015 17:55:18 +0000 (UTC)
From: Bruce Barnes <chicagonettech@yahoo.com>
Reply-To: Bruce Barnes <chicagonettech@yahoo.com>
To: "bbarnes@chicagonettech.com" <bbarnes@chicagonettech.com>
Message-ID: <1243587522.2016926.1436896518730.JavaMail.yahoo@mail.yahoo.com>
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative; 
	boundary="----=_Part_2016925_708836690.1436896518728"
Content-Length: 2640
X-SmarterMail-Spam: SPF_Pass, DK_None, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0

Message from YAHOO.COM successfully delivered to CHICAGONETTECH.COM with DMARC filtering ENABLED.

Here is the FEDEX.COM SMTP delivery transaction log:

[2015.07.14] 13:55:36 [204.135.8.93][465358] rsp: 220 securemail.chicagonettech.com  Tue, 14 Jul 2015 18:55:36 +0000 UTC | SmarterMail Enterprise 14.0.5661.20114
[2015.07.14] 13:55:36 [204.135.8.93][465358] connected at 7/14/2015 1:55:36 PM
[2015.07.14] 13:55:36 [204.135.8.93][465358] cmd: EHLO mx23.infosec.fedex.com
[2015.07.14] 13:55:36 [204.135.8.93][465358] rsp: 250-securemail.chicagonettech.com Hello [204.135.8.93]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.07.14] 13:55:36 [204.135.8.93][465358] cmd: STARTTLS
[2015.07.14] 13:55:36 [204.135.8.93][465358] rsp: 220 Start TLS negotiation
[2015.07.14] 13:55:36 [204.135.8.93][465358] cmd: EHLO mx23.infosec.fedex.com
[2015.07.14] 13:55:36 [204.135.8.93][465358] rsp: 250-securemail.chicagonettech.com Hello [204.135.8.93]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.07.14] 13:55:36 [204.135.8.93][465358] cmd: MAIL FROM:<prvs=0637f96f9c=bounce@nds.fedex.com> SIZE=4897
[2015.07.14] 13:55:39 [204.135.8.93][465358] rsp: 250 OK <prvs=0637f96f9c=bounce@nds.fedex.com> Sender ok
[2015.07.14] 13:55:39 [204.135.8.93][465358] cmd: RCPT TO:<bbarnes@chicagonettech.com>
[2015.07.14] 13:55:39 [204.135.8.93][465358] rsp: 250 OK <bbarnes@chicagonettech.com> Recipient ok
[2015.07.14] 13:55:39 [204.135.8.93][465358] cmd: DATA
[2015.07.14] 13:55:39 [204.135.8.93][465358] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.07.14] 13:55:39 [204.135.8.93][465358] rsp: 250 OK
[2015.07.14] 13:55:39 [204.135.8.93][465358] Data transfer succeeded, writing mail to 98274242.eml
[2015.07.14] 13:55:44 [204.135.8.93][465358] cmd: QUIT
[2015.07.14] 13:55:44 [204.135.8.93][465358] rsp: 221 Service closing transmission channel
[2015.07.14] 13:55:44 [204.135.8.93][465358] disconnected at 7/14/2015 1:55:44 PM

Here is the FedEX.com DELIVERY transaction log

[2015.07.14] 13:55:38 [74241] Delivery started for prvs=76379a565b=bounce@nds.fedex.com at 1:55:38 PM
[2015.07.14] 13:55:41 [74242] Delivery started for prvs=0637f96f9c=bounce@nds.fedex.com at 1:55:41 PM
[2015.07.14] 13:55:43 [74241] Spam check results: 
                   {formatting added to readability easier}
 - [_SPF: None], 
 - [BARRACUDA - BRBL: passed], 
 - [CBL - ABUSE SEAT - DO NOT USE FOR OUTGOING!: passed], 
 - [HOSTKARMA - BLACKLIST: passed], 
 - [MAILSPIKE Z: passed], 
 - [RFC2 REALTIME LIST: passed], 
 - [SORBS 02 - HTTP: passed], 
 - [SORBS 03 - SOCKS: passed], 
 - [SORBS 05 - SMTP: passed], 
 - [SORBS 08 - BLOCK: passed], 
 - [SORBS 09 - ZOMBIE: passed], 
 - [SORBS 11 - BAD CONFIG: passed], 
 - [SORBS 12 - NOMAIL: passed], 
 - [SORBS 13 - NO SERVER: passed], 
 - [SPAMCOP: passed], 
 - [SPAMHAUS - PBL 1: passed], 
 - [SPAMHAUS - PBL 2: passed], 
 - [SPAMHAUS - SBL 1: passed], 
 - [SPAMHAUS - SBL 2: passed], 
 - [SPAMHAUS - XBL 1: passed], 
 - [SPAMHAUS - XBL 2: passed], 
 - [SPAMHAUS - XBL 3: passed], 
 - [SPAMHAUS - XBL 4: passed], 
 - [SPAMHAUS ZEN: passed], 
 - [SPAMRATS: passed], 
 - [SURRIEL: passed], 
 - [VIRUS RBL - MSRBL: passed], 
 - [_REVERSEDNSLOOKUP: passed], 
 - [_BAYESIANFILTERING: passed], 
 - [_DK: None], [_DKIM: Pass], 
 - [NOABUSE: passed], 
 - [NOPOSTMASTER: passed], 
 - [SEM-URIBL: passed], 
 - [SORBS 04 - MISC: passed], 
 - [SORBS 06 - RECENT: passed], 
 - [SORBS 07 - WEB: passed], 
 - [SORBS 10 - DYNAMIC IP: passed], 
 - [SURBL - ABUSE BUSTER: passed], 
 - [SURBL - JWSPAMSPY: passed], 
 - [SURBL - MALWARE: passed], 
 - [SURBL - PHISHING: passed], 
 - [SURBL - SA BLACKLIST: passed], 
 - [SURBL - SPAMCOP WEB: passed], 
 - [UCEPROTECT LEVEL 1: passed], 
 - [UCEPROTECT LEVEL 2: passed], 
 - [UCEPROTECT LEVEL 3: passed], 
 - [URIBL - BLACK: passed], 
 - [URIBL - GREY: passed], 
 - [URIBL - MULTI: passed], 
 - [URIBL - RED: passed]

[2015.07.14] 13:55:44 [74243] Delivery started for prvs=16373cf35a=bounce@nds.fedex.com at 1:55:44 PM
[2015.07.14] 13:55:44 [74241] Starting local delivery to bbarnes@chicagonettech.com
[2015.07.14] 13:55:44 [74241] Delivery for prvs=76379a565b=bounce@nds.fedex.com to bbarnes@chicagonettech.com has completed (Delivered) Filter: None
[2015.07.14] 13:55:44 [74241] End delivery to bbarnes@chicagonettech.com
[2015.07.14] 13:55:44 [74241] Delivery finished for prvs=76379a565b=bounce@nds.fedex.com at 1:55:44 PM	[id:98274241]

Here is the FEDEX.COM | MESSAGE HEADER: from FEDEX.COM to CHICAGONETTECH.COM:

Return-Path: <prvs=76379a565b=bounce@nds.fedex.com>
Received: from mx34.infosec.fedex.com (pvma00050.prod.fedex.com [199.81.212.190]) by securemail.chicagonettech.com with SMTP
	(version=TLS\Tls
	cipher=Aes256 bits=256);
   Tue, 14 Jul 2015 13:55:38 -0500
DKIM-Signature: v=1; a=rsa-sha256; d=fedex.com; s=wtc; c=relaxed/relaxed;
	q=dns/txt; i=@fedex.com; t=1436899227; x=1437504027;
	h=From:Sender:Reply-To:Subject:Date:Message-ID:To;
	bh=nLVC+O6fjiApRRDsSZsGaDNNZ8JjR4VqgSJW8jzNdVg=;
	b=s2tameQ/R3Mz7wHxiJA81En87Cw2Z2KLYQKeEIrqHpMoWvOQhVUbNtKfQmaB7rmf
	bCAT/TPkyKAeAs4OVEngauYAE7Y1ky7xxhJtzTLqkgxLXxBeePVgfVHSzD5DV2cT
	R/FYbrGgEFPoLogKZOq4uywBT8m5eFtyGqt8fN3HsOk=;
X-AuditID: c751d4be-f791a6d00000072f-b6-55a5579a5318
Received: from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49])
	(using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx34.infosec.fedex.com (FedEx MX) with SMTP id 09.98.01839.A9755A55; Tue, 14 Jul 2015 13:40:27 -0500 (CDT)
To: undisclosed-recipients:;
Received: from pje33304.sac.fedex.com (pje33304.sac.fedex.com [204.135.237.140])
	by prh00393.prod.fedex.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.2.0) with ESMTP id t6EIePxn000499
	for <bbarnes@chicagonettech.com>; Tue, 14 Jul 2015 13:40:26 -0500
Received: from pje33304.sac.fedex.com (localhost.localdomain [127.0.0.1])
	by pje33304.sac.fedex.com (8.13.8/8.13.8) with ESMTP id t6EIeD2F027016
	for <bbarnes@chicagonettech.com>; Tue, 14 Jul 2015 18:40:25 GMT
Date: Tue, 14 Jul 2015 13:40:25 -0500 (CDT)
From: trackingupdates@fedex.com
Reply-To: donotreply@fedex.com
Message-ID: <307283675.214221436899225658.JavaMail.nds@pje33304.sac.fedex.com>
Subject: Online FedEx Tracking - 780975723992
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_21422_307280971.1436899225658"
X-Priority: 3
X-FX-NDS-ID: ZPfeiBb8zMnJMsPyh/kxn3f1LR0MgYReepHiy737AsTQemQ1QcXj4A==
X-FX-NDS-MSG-POS: t3PMvj8ykslkGim8WXulpOv5sWAYVehoKxhq//IGqrsGSAcf/tayIaZtRJKBSaaQ0HpkNUHF4+A=
X-FX-NDS-MSG-ID: B5nLas0Y53gqSjP1TgzlpQ==
X-FX-NDS-ORIGIN: uQ5cfBbuF7k=
X-FX-NDS-RG-LG-ENV: UzL99LvXCAM=
X-FX-NDS-LEVEL-ENV: Da/9DNNUC/0=
X-Brightmail-Tracker: H4sIAAAAAAAAA11TbUxbZRTmbW/hUvrKpRR66MYg1Ul0gblBHHELbvEjwDLHRsoSVPACl7ah
	H6S3ILAfAqJM8AOB6AZjbEIJ4gZThIFGhM45hhuWQGZgrEEYC5KMYRxENyXe29tC2b+T53nP
	c57z8ZJi+U9SFak3WRmLiTaofaXE1SPSXdGNx2ya52bWUHxz7WViP0r8z9Hkm4LSA/Zl0dbC
	VL3WtDPhrQDd9K1xv/xR/6Iy55ioFC34VSF/Eqg4uDz1LSHEoeBwdvlWISkpp1pFUHP7GuIJ
	BbUVmhrnJAKxiqCnpcqVIacmEPRNF1YhkiSoHdDU8wYP+1IR8NmVs77Ck23w4ciEiI8x9Rqc
	W+iT8HEwFQ0dvV8iAQ+Ca6fuuCTFlAZOXep0m8NwsnLebe4VGPj0c4kQZ8DoQIv7zTPQMnYC
	CXE4tF08JxLiSJicbJJ44kerD/xqkKLBq1yDV7kGrgMxFQVdZ+QCHAGX7p0Wn0VEBwo1FsXG
	xehNuWaWyY7JZXKYophss/Eb5Br/xEAf6q4+YEcUidQy/Ochm0YuoQvZYqMdaUmRWoWjtuk0
	8uAsc06xjmZ1mWxBllHPsnqzSR2C30nlnj+xzlkKDAyrVuDkZA7G63BWgSGPEzKm2byFTMzb
	rIGxcrdgR0CKuTRHIp+WQxeXMBazIGZHW0hCrcQ/hHMUpaWtTB7D5DMWD8uSpDocIx8fH3mo
	hdEyRbl6A6fo7RLw/H4uOcibFowqcQbPUN6My2s4bsts1WxW9LYrIv15z1KVgmVMOYyFLrBy
	XXLHmsly12pH2aRMHSa4krP5tJFDvR0p8HF+FNhDCW6CcUgSh8o8qMtJGG7UcOC6yoaLEVSJ
	yJnmyQsisn3IeUEkJ0xmE6Paiu/zww/hE3QFps2zUCmx8iDfsRfrKq4KxborXMeBXgRfn5Mb
	rG3dLLdhwfOBF1GliLsewBV86SDufz/WcDD257uQuRmhXzmW8tMPcIOudgG/m+QlsVFqtw2R
	iJojwH63mYAvPlqVwMnvuiiYuF+vhIm65TCYe1QRCd1rDjWc7rv3FLT/27Mdhj7+OQraRxaj
	YPi3P+Jg7eb7e+BEeUU8rIwsxcP52ea98OOy8yU4M9X9MiwvfpUEDX91J8PUrzPJ4BwcOAJ/
	l/YehfLeulSuxsU0aLd9fwz636tPh4WZ4Tfh+q2aTPhnrDMTVqb7aN4GvcjtXrSxeyv9+CgU
	+GvXlXsoz+5vJ7p270bdu/890bV7N7gxDVUpOrCU8rB4p/LFvI6lLWVwNbBldt+NtNqFBzfK
	/Tv3ZuxJCBudDbnbP+N4+GS98bD26UOyT3ZI05eznPMHK6vGh4Zl5YG7b26P/qUVH24jnq+W
	1/WXhcaWJMQaiRQ4H1v2qiM9orrEt7FksGz8dVv80eOGhQ+0153ylrnOOy+EFK1ERqsJVkfv
	elZsYen/AcCP8J7XBQAA
X-Rcpt-To: <bbarnes@chicagonettech.com>
X-SmarterMail-Spam: SPF_None, DK_None, DKIM_Pass
X-SmarterMail-TotalSpamWeight: 0

Message from FEDEX.COM successfully delivered to CHICAGONETTECH.COM with DMARC filtering ENABLED.

David Maggard Replied

7/14/2015 at 1:28 PM

Bruce, could you try the yahoo CFL application?

I think it may be specific to that system and failing dmarc domain alignment and not the generall yahoo.com domain.

Miguel Enrique Replied

7/14/2015 at 1:45 PM

Hello.

I give you an example from SMTP Log. Only today I have dozens.

Instead other emails from fedex.com not give problems.

03:51:51 [204.135.8.97][59154349] rsp: 220 mail.monmariola.com
03:51:51 [204.135.8.97][59154349] connected at 14/07/2015 3:51:51
03:51:51 [204.135.8.97][59154349] cmd: EHLO mx27.infosec.fedex.com
03:51:51 [204.135.8.97][59154349] rsp: 250-mail.monmariola.com Hello [204.135.8.97]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
03:51:51 [204.135.8.97][59154349] cmd: MAIL FROM:<prvs=8637e95b7d=bounce@nds.fedex.com> SIZE=39121 BODY=8BITMIME
03:51:51 [204.135.8.97][59154349] rsp: 250 OK <prvs=8637e95b7d=bounce@nds.fedex.com> Sender ok
03:51:52 [204.135.8.97][59154349] cmd: RCPT TO:<muestras@entextextil.com>
03:51:52 [204.135.8.97][59154349] rsp: 250 OK <muestras@entextextil.com> Recipient ok
03:51:52 [204.135.8.97][59154349] cmd: DATA
03:51:52 [204.135.8.97][59154349] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
03:51:54 [204.135.8.97][59154349] rsp: 550 Message rejected due to senders DMARC policy
03:51:54 [204.135.8.97][59154349] A trace of the DMARC processing follows.
03:51:54 [204.135.8.97][59154349] Beginning DMARC check for prvs=8637e95b7d=bounce@nds.fedex.com from IP 204.135.8.97...
03:51:54 [204.135.8.97][59154349] The from field for the message is "notifications@fedex.com". Will look for DMARC policy record at _dmarc.fedex.com
03:51:54 [204.135.8.97][59154349] Retrieved the following DMARC policy record for "fedex.com": v=DMARC1; p=reject; pct=100; rua=mailto:dmarc_agg@auth.returnpath.net,mailto:dmarc@fedex.com; ruf=mailto:dmarc_afrf@auth.returnpath.net,mailto:dmarc@fedex.com; fo=1
03:51:54 [204.135.8.97][59154349] DMARC policy violated due a bad DKIM signature.
03:51:54 [204.135.8.97][59154349] Data transfer succeeded but message rejected by DMARC
03:51:59 [204.135.8.97][59154349] cmd: QUIT
03:51:59 [204.135.8.97][59154349] rsp: 221 Service closing transmission channel
03:51:59 [204.135.8.97][59154349] disconnected at 14/07/2015 3:51:59

Miguel Enrique Replied

7/14/2015 at 1:53 PM

This is valid:

10:08:56 [199.81.212.186][32945532] rsp: 220 mail.monmariola.com
10:08:56 [199.81.212.186][32945532] connected at 14/07/2015 10:08:56
10:08:56 [199.81.212.186][32945532] cmd: EHLO mx30.infosec.fedex.com
10:08:56 [199.81.212.186][32945532] rsp: 250-mail.monmariola.com Hello [199.81.212.186]250-SIZE 104857600250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
10:08:56 [199.81.212.186][32945532] cmd: MAIL FROM:<prvs=6637b0d907=silvia.gomez@fedex.com> SIZE=30898
10:08:56 [199.81.212.186][32945532] rsp: 250 OK <prvs=6637b0d907=silvia.gomez@fedex.com> Sender ok
10:08:56 [199.81.212.186][32945532] cmd: RCPT TO:<fornituras@martivilaplana.com>
10:08:56 [199.81.212.186][32945532] rsp: 250 OK <fornituras@martivilaplana.com> Recipient ok
10:08:57 [199.81.212.186][32945532] cmd: DATA
10:09:00 [199.81.212.186][32945532] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
10:09:03 [199.81.212.186][32945532] rsp: 250 OK
10:09:03 [199.81.212.186][32945532] Data transfer succeeded, writing mail to 44761717.eml
10:09:09 [199.81.212.186][32945532] cmd: QUIT
10:09:09 [199.81.212.186][32945532] rsp: 221 Service closing transmission channel
10:09:09 [199.81.212.186][32945532] disconnected at 14/07/2015 10:09:09

Bruce Barnes Replied

7/14/2015 at 2:41 PM

In as much as I was already setup with Yahoo's CFL, I had not tried this until suggested by David Marggard.

Based on the failure, in the logs below, this appears specific to YAHOO CFL, caused by an issue with how they have FORWARDERS setup for YAHOO's CFL, and not a SmarterMail issue:

IE: they are sending from POSTMASTER@CHICAGONETTECH.COM via YAHOO.COM and using

"abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwheydqnjxha-postmaster=chicagonettech.com@returns.bulk.yahoo.com" as a return address for the forwarder.

[2015.07.14] 16:16:22 [216.39.62.81][4007995] rsp: 220 securemail.chicagonettech.com  Tue, 14 Jul 2015 21:16:22 +0000 UTC | SmarterMail Enterprise 14.0.5661.20114
[2015.07.14] 16:16:22 [216.39.62.81][4007995] connected at 7/14/2015 4:16:22 PM
[2015.07.14] 16:16:22 [216.39.62.81][4007995] cmd: EHLO n10-vm7.bullet.mail.gq1.yahoo.com
[2015.07.14] 16:16:22 [216.39.62.81][4007995] rsp: 250-securemail.chicagonettech.com Hello [216.39.62.81]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.07.14] 16:16:22 [216.39.62.81][4007995] cmd: STARTTLS
[2015.07.14] 16:16:22 [216.39.62.81][4007995] rsp: 220 Start TLS negotiation
[2015.07.14] 16:16:22 [216.39.62.81][4007995] cmd: EHLO n10-vm7.bullet.mail.gq1.yahoo.com
[2015.07.14] 16:16:22 [216.39.62.81][4007995] rsp: 250-securemail.chicagonettech.com Hello [216.39.62.81]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.07.14] 16:16:22 [216.39.62.81][4007995] cmd: MAIL FROM:<abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwheydqnjxha-postmaster=chicagonettech.com@returns.bulk.yahoo.com>
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 250 OK <abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwheydqnjxha-postmaster=chicagonettech.com@returns.bulk.yahoo.com> Sender ok
[2015.07.14] 16:16:31 [216.39.62.81][4007995] cmd: RCPT TO:<postmaster@chicagonettech.com>
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 250 OK <postmaster@chicagonettech.com> Recipient ok
[2015.07.14] 16:16:31 [216.39.62.81][4007995] cmd: DATA
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 550 Message rejected due to senders DMARC policy
[2015.07.14] 16:16:31 [216.39.62.81][4007995] A trace of the DMARC processing follows.
[2015.07.14] 16:16:31 [216.39.62.81][4007995] Beginning DMARC check for abuse.mm2s4ylifz4wc2dpn4xgg33nfuytimzwheydqnjxha-postmaster=chicagonettech.com@returns.bulk.yahoo.com from IP 216.39.62.81...
[2015.07.14] 16:16:31 [216.39.62.81][4007995] The from field for the message is "yahoo-account-services-us@cc.yahoo-inc.com".  Will look for DMARC policy record at _dmarc.cc.yahoo-inc.com
[2015.07.14] 16:16:31 [216.39.62.81][4007995] Retrieved the following DMARC policy record for "cc.yahoo-inc.com": v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-rua@yahoo-inc.com;
[2015.07.14] 16:16:31 [216.39.62.81][4007995] DMARC policy violated due a bad DKIM signature.
[2015.07.14] 16:16:31 [216.39.62.81][4007995] Data transfer succeeded but message rejected by DMARC
[2015.07.14] 16:16:31 [216.39.62.81][4007995] cmd: RSET
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 250 OK
[2015.07.14] 16:16:31 [216.39.62.81][4007995] cmd: QUIT
[2015.07.14] 16:16:31 [216.39.62.81][4007995] rsp: 221 Service closing transmission channel
[2015.07.14] 16:16:31 [216.39.62.81][4007995] disconnected at 7/14/2015 4:16:31 PM

Here's YAHOO's DMARC record:

	v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:dmarc-yahoo-rua@yahoo-inc.com, mailto:dmarc_y_rua@yahoo.com;

Looks like a screwup on YAHOO'S end and I'm not about to change, or disable, my DMARC settings for the fact that their CLF application fails when their regular e-mail works just fine [per my previous posting]

Miguel Enrique Replied

7/14/2015 at 3:37 PM

My questions: Just fails with SmarterMail? The rest of mail servers do not have this problem? Why do not more people complaining about this problem?

David Maggard Replied

7/14/2015 at 3:57 PM

Thanks Bruce, excellent as always, glad I'm not crazy.

Miguel: If your don't have this issues with other mail servers then likely dmarc isn't being used/enforced on those servers

Miguel Enrique Replied

7/15/2015 at 1:06 AM

Hello.

First, I want to thank Bruce your help.

I have no other mail servers. I use only Smartermail from its early versions. My questions are why I have been searching with Google on these issues, and I've only found references to error "dropboxmail" and "amazonses" and especially the problems with mailing lists, but nothing about what we discussed here. So I have doubts.

I disabled DMARC and now I no longer have these problems but I have more spam.

David Maggard Replied

7/15/2015 at 3:54 AM

Numerous posts on the drop box forum about their dmarc issues.

https://www.dropboxforum.com/hc/communities/public/questions/202872575-Shared-file-email-notifications-sent-from-Amazonses-com-and-dropbox-com

https://www.dropboxforum.com/hc/communities/public/questions/202903645-Verification-email (specifically mentions they are using icloud, which means its not a smartermail issue)

https://www.dropboxforum.com/hc/communities/public/questions/202893015-DMARC-Verification-Email?locale=en-us

Interesting to read, dropbox's response to the issue is to tell people to simply whitelist all mail purporting to come from those 2 domains. They opt to publish a dmarc policy record, they then choose to violate their own policy, and instead of fixing their stuff to be dmarc compliant, or removing their dmarc record, they simply demand mail admins to whitelist around the problem they made.

David Maggard Replied

10/18/2016 at 1:32 AM

Sadly as an update I have to report Yahoos FBL system is still severely broken in regards to DMARC, I am having to temporarily disable DMARC which is highly ironic since FBLs are supposed to help prevent/detect spam and it requires disabling DMARC which also is supposed to help prevent/detect spam

Back to Community Threads

Please leave this box unchecked

20 Replies

Reply to Thread

Tags

Related Knowledge Base Articles