Why is opendmarc rejecting mail from firefox.com? It looks like their SPF record matches their sending address, and it does pass:
v=spf1 mx a include:amazonses.com include:mail.zendesk.com -all
/var/log/maillog:
postfix/smtpd[19221]: connect from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/smtpd[19221]: Anonymous TLS connection established from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
postfix/smtpd[19221]: 559B1453AE7: client=a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]
postfix/cleanup[19242]: 559B1453AE7: message-id=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com>
opendkim[25641]: 559B1453AE7: a59-48.smtp-out.us-west-2.amazonses.com [54.240.59.48] not internal
opendkim[25641]: 559B1453AE7: not authenticated
opendkim[25641]: 559B1453AE7: message has signatures from firefox.com, amazonses.com
opendkim[25641]: 559B1453AE7: DKIM verification successful
opendmarc[25631]: 559B1453AE7 ignoring Authentication-Results at 1 from ip-172-31-2-211.ec2.internal
opendmarc[25631]: 559B1453AE7: SPF(mailfrom): 01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com pass
opendmarc[25631]: 559B1453AE7: **firefox.com fail**
postfix/cleanup[19242]: 559B1453AE7: milter-reject: END-OF-MESSAGE from a59-48.smtp-out.us-west-2.amazonses.com[54.240.59.48]: 5.7.1 rejected by DMARC policy for firefox.com; from=<01010174e1286c9e-b6d5f59b-d47f-4978-8979-ddc31c5b6170-000000@us-west-2.amazonses.com> to=<redacted@redacted.com> proto=ESMTP helo=<a59-48.smtp-out.us-west-2.amazonses.com>
Posted on 2020-10-07 10:15:31
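In DMARC, the rules about which address matters are described as identifier alignment, and they describe in what way the SPF-authenticated domain must match the domain of the From header.
You are looking at the log of a message that is not aligned in this sense: I can tell from the log you posted that the message you received was checked for alignment with firefox.com -- but the SPF authorization above refers to .amazonses.com.
I cannot tell from your log exactly what happened with the other method, DKIM. You would best learn about that part by receiving mail from a known-good sender and looking at the Authentication-Results: header. I suspect that the ignored header from ip-172-31-2-211.ec2.internal is yours, in which case opendkim & opendmarc should probably be configured to use something globally unique (172.16.0.0/12 is not), such as your MX.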
https://serverfault.com/questions/1035917
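As an added example (not part of the original question or answer), the alignment rule the answer describes can be sketched in Python: DMARC passes only when an SPF or DKIM pass belongs to a domain aligned with the From header domain. The function names and sample inputs are constructed for illustration, and the organizational domain is approximated as the last two labels, where a real verifier uses the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: organizational domain = last two labels. Real verifiers
# consult the Public Suffix List (this shortcut is wrong for e.g. co.uk).

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf: (MAIL FROM domain, result); dkim: list of (d= domain, result).

    aspf/adkim are the DMARC record's alignment tags: "r" relaxed, "s" strict.
    Only results that actually reach the DMARC evaluator can be counted.
    """
    spf_domain, spf_res = spf
    spf_ok = spf_res == "pass" and aligned(spf_domain, from_domain, aspf == "s")
    dkim_ok = any(
        res == "pass" and aligned(d, from_domain, adkim == "s")
        for d, res in dkim
    )
    verdict = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict}

# Constructed inputs modelled on the log: From domain firefox.com,
# SPF pass for the envelope sender at us-west-2.amazonses.com.
FROM = "firefox.com"
SPF = ("us-west-2.amazonses.com", "pass")

def demo():
    return {
        # No DKIM result reaches the evaluator: SPF passed, but unaligned.
        "spf_only": dmarc_result(FROM, SPF, []),
        # Only the amazonses.com signature is seen: still unaligned.
        "dkim_ses_only": dmarc_result(FROM, SPF, [("amazonses.com", "pass")]),
        # An aligned d=firefox.com signature is seen: DMARC passes.
        "dkim_aligned": dmarc_result(
            FROM, SPF, [("firefox.com", "pass"), ("amazonses.com", "pass")]
        ),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```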