1

Topic: SPF results not included in Authentication-Results header?

==== Required information ====
- iRedMail version (check /etc/iredmail-release):    0.9.6
- Linux/BSD distribution name and version:    Ubuntu 16.04.2
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):     MySQL
- Web server (Apache or Nginx):    Apache
- Manage mail accounts with iRedAdmin-Pro?    No
====

I've noticed that amavis is only reporting DKIM but not SPF results in the Authentication-Results header. I know that the SPF plugin is working in SpamAssassin. Is there a way to get the SPF return included in the header as well? I can't find anything in amavis conf files - I suspect that this is something that amavis doesn't get involved with, just handing over to SA?

Here's an example. You'll see that - despite it being spam - it has valid SPF (SPF_PASS=-0.001) and DKIM but only the DKIM confirmation is reported in the Authentication-Results header.

====
Return-Path: <newsletter@impressive-info.com>
Delivered-To: recipient@myserver.com
Received: from mx.myserver.com (localhost [127.0.0.1])
    by mx.myserver.com (Postfix) with ESMTP id 5BEB780ECA
    for <recipient@myserver.com>; Wed, 31 May 2017 20:44:55 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at mx.myserver.com
X-Spam-Flag: YES
X-Spam-Score: 10.786
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.786 tagged_above=0 required=6.31
    tests=[BAYES_05=-0.5, DCC_CHECK=3, DIGEST_MULTIPLE=0.293,
    DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
    HTML_IMAGE_ONLY_16=1.092, HTML_MESSAGE=0.001,
    HTML_SHORT_LINK_IMG_2=0.001, RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E8_51_100=1.886, RAZOR2_CHECK=2.5,
    RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001,
    TXREP=-0.385, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Authentication-Results: mx.myserver.com (amavisd-new);
    dkim=pass (2048-bit key) header.d=impressive-info.com
Received: from mx.myserver.com ([127.0.0.1])
    by mx.myserver.com (mx.myserver.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id GcKq5uAZZxSw for <recipient@myserver.com>;
    Wed, 31 May 2017 20:44:53 +0000 (UTC)
Received: from mail.impressive-info.com (mail.impressive-info.com [45.55.68.107])
    (using TLSv1.1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mx.myserver.com (Postfix) with ESMTPS id 0D1FA7F83C
    for <recipient@myserver.com>; Wed, 31 May 2017 20:44:52 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
    d=impressive-info.com; s=mail;
    h=from:reply-to:subject:date:message-id:to:mime-version:content-type:
     list-unsubscribe;
    bh=DW44gT06PnpW5W0DlyGo5/zRTebO78Kb7K4ao3s16Hc=;
    b=rKGFpOyVpwVM8c+dznBKgnyjzvyI10w2BBfOs+d2e4Qr2swJKhIbz7dsL7JcBL7RDNUpmM9ghZhJF
     GtPU/ISCbh+KZoa+MLMXVdyMS3D4jWQI2jdI9h8JcFWhdvE6/J2yzCf8D5tyBnYEK3AKAGxPKVtZgM
     UthN5C1yG+j9CWxg0mevL6+osiknjQb+nlE4z32Y4m/GvjqjRx9F7I7a3Wi1LLSEGs4qYeO2xc47EM
     M7KMwYUVb68zH8z3ghqcJu1hvfv/Kdis7X7UeS1v56Htb+kfctKbR1PDsW6B6uOuwz1Xiy2CDwRuHY
     PT4yaH9AsEu63EPXZQp7zX2/qQDaF8g==
X-Footer: aW1wcmVzc2l2ZS1pbmZvLmNvbQ==
Received: from localhost ([127.0.0.1])
    by mail.impressive-info.com
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256 bits))
    for recipient@myserver.com;
    Wed, 31 May 2017 20:44:48 +0000

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: SPF results not included in Authentication-Results header?

Hi,

IP addresses can be forged to allow bypass of SPF check. You can't bypass DKIM check as you would need the server private encryption key for that.

So imho you should stick to DKIM as it is much more reliable smile

3

Re: SPF results not included in Authentication-Results header?

In order for spammers to use this technique, they would have to spoof the entire TCP sequence, which is highly unlikely and hasn't been seen in the wild.

-- from http://searchsecurity.techtarget.com/an … PF-servers

Some domains don't have DKIM but do have SPF records, It is desirable to have both checks, and evidence added to the email headers.

This should not be considered a closed issue.
I'm still evaluating iRedmail for a mail server set-up. I'm a few weeks in on a test bed of VM servers in the lab, Overall, iRedmail is, so far, pretty comprehensive.
Kudos to Zhang, if you weren't so active in the forums, and quick to respond, I probably would have never even downloaded it.

4

Re: SPF results not included in Authentication-Results header?

Amavisd only logs SPF test result in log file, if you want Amavisd to insert header "X-Spam-Status" (your first post has it), check our tutorial:
http://www.iredmail.org/docs/no.x-spam.headers.html

5

Re: SPF results not included in Authentication-Results header?

davidkillingsworth wrote:

Kudos to Zhang, if you weren't so active in the forums, and quick to respond, I probably would have never even downloaded it.

Enjoy. smile