Dmarc repeat retards with hosted gmail

Send in the clowns (my blog)

Original-Recipient: rfc822;
Action: failed
Status: 5.2.2
Remote-MTA: dns;
Diagnostic-Code: smtp; 552-5.2.2 The email account that you tried to reach is
over quota. Please direct 552-5.2.2 the recipient to 552 5.2.2

Sigh – why do they bother.

opendmarc fix

This seems to be the only way to get message logging working in buster.

However, the import has faults:

opendmarc-import: failed to insert policy data for 
Field 'locked' doesn't have a default value
failed to insert policy data for Field 'locked'
opendmarc-reports: can't parse reporting URI for domain x

Everything else imported, so it looks like a dmarc policy error for these domains, but that is life.

dmarc file injection to sql fail

rddmarc is not the best thing to store inbound (not outbound) dmarc reports in, which I found out after a non-google search for a way to import the gzipped files attached to emails into a database.

What I found was that, as the zoo runs a real mail server as opposed to having mail dumped in a directory on a disk, this is more complex than rddmarc could handle. But there is a thing for that, though it seems to use rddmarc for its sql syntax.
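As an added example (my own code, not rddmarc's or opendmarc's), here is the part rddmarc is being asked to do: pull the gzipped or zipped aggregate report out of a mail message, parse the xml and produce rows named like the table columns further down. The message and report are constructed sample data, the domains are .test placeholders, and the size cap is my own addition so a hostile attachment cannot blow the importer up.

```python
import email
import gzip
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.message import EmailMessage

# Cap on decompressed report size: reports come from strangers, and a gzip or zip
# bomb dropped into the rua mailbox should not take the importer down.
MAX_XML_BYTES = 20 * 1024 * 1024

# Constructed sample aggregate report (not a real report from the page).
SAMPLE_XML = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-reporter.test</org_name>
    <report_id>1234567890</report_id>
    <date_range><begin>1484823600</begin><end>1484910000</end></date_range>
  </report_metadata>
  <policy_published><domain>zoo.test</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>zoo.test</header_from></identifiers>
  </record>
</feedback>
"""


def build_report_mail(xml_bytes, compressed_as="gzip"):
    """Constructed message carrying a report the way reporters attach them (.gz or .zip)."""
    msg = EmailMessage()
    msg["From"] = "noreply-dmarc@example-reporter.test"
    msg["To"] = "technical_dmarc@zoo.test"
    msg["Subject"] = "Report Domain: zoo.test Submitter: example-reporter.test"
    msg.set_content("DMARC aggregate report attached.")
    if compressed_as == "gzip":
        msg.add_attachment(gzip.compress(xml_bytes), maintype="application",
                           subtype="gzip", filename="report.xml.gz")
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("report.xml", xml_bytes)
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="report.xml.zip")
    return msg.as_bytes()


def extract_report_xml(raw_mail):
    """Return the XML bytes of the first .gz or .zip attachment, or None if there is none."""
    msg = email.message_from_bytes(raw_mail)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        data = part.get_payload(decode=True)
        if not data:
            continue  # multipart containers and empty parts
        if name.endswith(".gz") or ctype in ("application/gzip", "application/x-gzip"):
            with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
                out = gz.read(MAX_XML_BYTES + 1)  # read one byte past the cap to detect overflow
            if len(out) > MAX_XML_BYTES:
                raise ValueError("decompressed report exceeds size cap")
            return out
        if name.endswith(".zip") or ctype == "application/zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(".xml"):
                        if info.file_size > MAX_XML_BYTES:
                            raise ValueError("zipped report exceeds size cap")
                        return zf.read(info)
    return None


def parse_report(xml_bytes):
    """Flatten one report into dict rows keyed like the table columns shown on the page."""
    root = ET.fromstring(xml_bytes)
    meta = root.find("report_metadata")
    end_ts = int(meta.find("date_range").findtext("end"))
    common = {
        "domain": root.find("policy_published").findtext("domain"),
        "org": meta.findtext("org_name"),
        "reportid": meta.findtext("report_id"),
        "maxdate": datetime.fromtimestamp(end_ts, tz=timezone.utc),
    }
    rows = []
    for rec in root.findall("record"):
        row, pol = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append(dict(common,
                         source_ip=row.findtext("source_ip"),
                         count=int(row.findtext("count")),
                         disposition=pol.findtext("disposition"),
                         dkim=pol.findtext("dkim"),
                         spf=pol.findtext("spf"),
                         header_from=rec.findtext("identifiers/header_from")))
    return rows


def import_mail(raw_mail):
    """Everything an importer needs before the INSERT: message in, rows out."""
    xml_bytes = extract_report_xml(raw_mail)
    return parse_report(xml_bytes) if xml_bytes else []
```

For reports from strangers you would also swap the standard-library parser for a hardened one such as defusedxml; ElementTree is enough for the constructed sample here.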

Carol Beer little britain says computer said no

I had a fun afternoon figuring out our imap server, getting the dmarc report destination changed and a real inbox set up for the script to pull reports from. That needed mysql and not mariadb to work, as things crashed and burned in mariadb:

CREATE TABLE report (  -- table name is my assumption; the page shows only the column list
 serial int(10) unsigned NOT NULL AUTO_INCREMENT,
 maxdate timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
 domain varchar(255) NOT NULL,
 org varchar(255) NOT NULL,
 reportid varchar(255) NOT NULL,
 PRIMARY KEY (serial),
 UNIQUE KEY domain (domain,reportid)
);

Resulted in

ERROR 1071 (42000) at line x: Specified key was too long; max key length is 767 bytes
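An added example of why that key is too long (my own reasoning, not anything from rddmarc or MariaDB): InnoDB's 767-byte limit is checked against the key's maximum byte length, and that depends on the server's default character set. MySQL 5.x servers defaulted to latin1 at one byte per character, while Debian's MariaDB configuration defaults to utf8mb4 at four bytes, so the same DDL fits on one and fails on the other. The charset table and the prefix rewrite below are assumptions of mine.

```python
# The limit named in ERROR 1071, which applies to InnoDB's COMPACT/REDUNDANT row formats.
INNODB_KEY_LIMIT = 767

# Maximum bytes per character for common server default charsets (assumed table).
BYTES_PER_CHAR = {"latin1": 1, "utf8": 3, "utf8mb3": 3, "utf8mb4": 4}


def key_bytes(column_lengths, charset):
    """Bytes InnoDB must reserve for an index over varchar columns of these lengths."""
    return sum(n * BYTES_PER_CHAR[charset] for n in column_lengths)


def fits(column_lengths, charset, limit=INNODB_KEY_LIMIT):
    """True if the composite key is inside the server's key-length limit."""
    return key_bytes(column_lengths, charset) <= limit


def max_prefix_chars(ncols, charset, limit=INNODB_KEY_LIMIT):
    """Largest per-column prefix (in characters) that lets an ncols-wide key fit."""
    return limit // (ncols * BYTES_PER_CHAR[charset])


def unique_key_ddl(name, columns, charset, limit=INNODB_KEY_LIMIT):
    """Emit the UNIQUE KEY clause, adding column prefixes only when the charset needs them.

    columns is a list of (column_name, varchar_length) pairs.
    """
    lengths = [n for _, n in columns]
    if fits(lengths, charset, limit):
        cols = ", ".join(c for c, _ in columns)
    else:
        p = max_prefix_chars(len(columns), charset, limit)
        cols = ", ".join(f"{c}({min(p, n)})" for c, n in columns)
    return f"UNIQUE KEY {name} ({cols})"
```

The prefix rewrite is the quick patch, and it weakens the UNIQUE constraint to the prefix, so a table-level latin1 charset or the large-prefix DYNAMIC row format is the better fix where the server offers it.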

So I gave up on auto-importing dmarc reports into sql, since somebody would claim:

  1. the code works with mysql [not shipped with Debian anymore]
  2. I should install mysql instead of mariadb

So pretty much a catch-22 and not a bug in the eyes of everybody else.

It does show the horrid compatibility between mysql and its forks, of which mariadb is one. I am a postgres fan and think poorly of mysql.

I tried, and once again I find that sql is the bottleneck.

aws servers that don’t seem to have dkim verification

Consider this extract from an aws dmarc log we received.


Although the email came from the zoo and was dkim signed, that is not my problem but theirs, since dkim signing happens here in the zoo and everybody else is fine with it.

rfc ignorant email servers and software things

I am constantly reminded of bad email servers, since I get reports detailing the unclued and dumb who think email is easy.

Your email server may kind of work, but it does have to worry about non-email things too, as they can wreak havoc. Somebody had all the right things, but the sending server screwed up the header, so our spam bot decided not to deliver the email. I had no issues with that.

The dmarc report sent might say we got it, but it never hit a human.

Commercial list software is also odd with dmarc: two 'signed up marketing message' lists also added the dmarc reporting address to them.

Quite how the dmarc address got on the list is something I'd love to know.

Since our virus bot is working, unlike those email lists, and knows a bad header, I was happy to accept its judgement that the mail was not seen by a human; dmarc is working correctly too.

So if you think your email is getting through and it is 100% human signed up for, it may not be so, and if you wish to send the email to the dmarc user, or reject dmarc mail because of the compressed file, well, that's your choice.

You're still an idiot.

shit at dmarc:

Since I like to name those awful at dmarc, and many of those already mentioned retain their status, I feel it necessary to add to that list.

Given that they use Microsoft software, no wonder gchq and the nsa hacked them, which made the newspapers until reporting on spies became a non-reportable thing.

I look forward to them informing me that their dmarc inbox is 'full' once again. Oh yes:
#554-5.2.2 mailbox full 554 5.2.2 STOREDRV.Deliver.Exception:QuotaExceededException.MapiExceptionShutoffQuotaExceeded; Failed to process message due to a permanent exception with message Cannot open mailbox /o=BelgacomGroup/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=A04071/cn=Microsoft System Attendant. 16.55847:C2000000,

A feedback loop!



Governments and dmarc feedback loops

hello hello hello hello

If you have never heard of nsandi, they are a government savings bank: interest is low and a lottery-like prize is offered, kind of like an old war bond, mostly an interest-free loan for the government.

Somebody here in the zoo registered with a zoo address, and as we have dmarc, along with nsandi a curious feedback loop has started: it begins when they send an email, dmarc sends one back, and then the phishing address sends another automated reply to our dmarc user, meaning another dmarc message from us; rinse and repeat.

Imagine you're not just us but google getting lots of these autoreplies; I bet they must consider this autoreply bot a sign of retardation at nsandi.

I guess one day it will stop, when I do a kernel upgrade and 'forget' to keep the dmarc import file, or block the reporting to them, or something else.

Ignoring the domain seems to stop the feedback loop, which does make dmarc useless for them, but hey, some retarded public-schooled civil servant should not auto-reply to dmarc messages.

Oh well. Idle bots like to keep busy.  Nice to know they got the message!


dmarc retard for September is

It is a bit early since it is still September, but this is clearly an exceptional case which deserves this special award.

The domain latinnewsmail . us apparently sent something to the zoo (could have been spam), and its mail handler did not like the standard opendmarc attachment, rejecting it as:

[] said: 550 We do not accept .zip attachments here. (in reply to end of DATA command)

So if you're thinking of using it, clearly you're a retard; as to the domain, well, they also deserve to be associated with retards since they set up the email to be sent to that address. The good news is that latinnewsmail . us won't be getting any more dmarc email from the zoo despite them requesting it.

I pass this on just to show that the clueless seem to have found dmarc, and what could possibly go wrong.

I like spotting idiots with dmarc.

atps and adsp records (featuring asl too) and dmarc reporting

Sisyphus is still a role model

Yes, I am doing dmarc today once again, exciting stuff this, and I have finally figured out opendmarc-reports, for which the zoo apparently needs atps.

These records are fun, and once you do one domain the others also need doing, à la:

  • etc IN TXT "dkim=all; atps=y;;"
  • etc IN TXT "v=atps01;;"

The YFP5HEI6FUVG5WMNRBCEO6BK2Z75XKJZ label is the sha1 hash; opendkim-atpszone can make this with:

opendkim-atpszone -h sha1 -u -A -vvv

For the rest of the dns lines above, you're on your own.


Eagle eyed readers will note that v=ATPS1; and v=atps01; differ and no adsp record is made.

The zoo has found that atps01 works and is unwilling to test the capital variant.
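An added example, not opendkim's code, of how those labels and records hang together, assuming the RFC 6541 construction (hash of the lowercased domain, base32-encoded, padding stripped), which matches the 32-character label shown above. The author domain, signer domain and record strings here are placeholders of mine; I use the RFC's v=ATPS1 version tag rather than the atps01 that the zoo found working.

```python
import base64
import hashlib


def atps_label(domain, algorithm="sha1"):
    """Hash a domain into an ATPS label: lowercase, hash, base32, '=' padding removed (RFC 6541)."""
    digest = hashlib.new(algorithm, domain.strip().lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


def atps_zone_lines(author_domain, signer_domains, algorithm="sha1", adsp_policy="all"):
    """Zone lines for an author domain that delegates signing to third parties.

    The ADSP record carries atps=y (the form shown on the page); each authorised
    signer gets a hashed-label TXT record under _atps.
    """
    lines = [f'_adsp._domainkey.{author_domain}. IN TXT "dkim={adsp_policy}; atps=y;"']
    for signer in signer_domains:
        lines.append(f'{atps_label(signer, algorithm)}._atps.{author_domain}. IN TXT "v=ATPS1;"')
    return lines


def atps_authorized(author_domain, signer_domain, zone_lines, algorithm="sha1"):
    """Verifier side: is this signer listed in the author domain's zone?

    zone_lines stands in for a DNS lookup; a real verifier queries the name instead.
    """
    name = f"{atps_label(signer_domain, algorithm)}._atps.{author_domain}."
    return any(line.startswith(name + " ") for line in zone_lines)
```

The label depends only on the signer's domain, so one signer authorised by many author domains gets the same label under each of their _atps subtrees, which is why the page says the other domains need doing once one is done.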

The only reason I have these is for opendmarc-reports, which for some reason, if I do not have them, gets me a dmarc rejection:

postfix/smtp[*]: *:
status=bounced (host[] 
said: 550-5.7.1 Unauthenticated email from example is not accepted 
due to 550-5.7.1 domain's DMARC policy. 
Please contact the administrator of 550-5.7.1 example domain if this 
was a legitimate mail.

That's it, which is what brought me to this vague corner of dns and email.

The dmarc report i received back the next day was interesting.

<source_ip>munged .com</source_ip>

So perhaps more evidence that atps is needed, even when it is considered a dead duck compared to, say, spf.

Maybe the zoo's way of doing things is weird to opendmarc-reports, which is good at keeping secrets on our live mail server; so it is happy with adsp, and human email gets sent properly with aligned spf, dkim and dmarc. I will say no more.

So that fixes opendmarc-reporting.  Yay





opendmarc reporting and extended thoughts

I decided to install some very crappy software to get dmarc reporting working and adapted a script to suit from a blog; it works: you import, report and expire the db.

This is a week-long-plus blog post, so I may contradict myself the longer I document stuff.

However, with stuff inbound to the database I got no email reports out, which I can assume is due to either an error on my part, the policy not to bother them with strict compliance, or the software being broken.

A brainwave I had on exploring this was that, as a low-traffic host (the zoo is not gmail), the email we do get is strictly controlled by rules, whereas gmail I guess might be lax on, say, spam where we are not.

So most of the email dealt with needs no dmarc action.

I will run the import, report and expire once a day and see if dmarc reporting via opendmarc is worthwhile.

Later on with reports being sent i observed some issues…

Dmarc can be abused by marketing people, and it depends on who runs the report address they specified. Take:

(host[74.125.x.x] said:
450-4.2.1 The user you are trying to contact is receiving mail at a rate that 450-4.2.1 prevents additional messages from being delivered. Please resend your 450-4.2.1 message at a later time. If the user is able to receive mail at that 450-4.2.1 time, your message will be delivered. For more information, please 450-4.2.1 visit 450 4.2.1 – gsmtp (in reply to RCPT TO command))


It is amusing to note that they also use gmail.

So dmarc might be mismanaged by some who might know better. Does this mean dmarc should be ignored? What do you think?

Another retard with dmarc produced the humorous issue below. Please note this was collected by dmarc and sent by dmarc; it is not a typo by a human.

opendmarc-reports: sent report for 
to (2.0.0 Ok: queued as 5F1F4BD6315)

<>: host <host>[74.125.x.x] said:
550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient’s email address for typos

Plenty of other idiots exist.

(host[] said: 451 IP temporarily blacklisted – (in reply to RCPT TO command))

Not sure they want dmarc, although they request it.

(host[] said: 451 IP temporarily blacklisted – (in reply to RCPT TO command))

These appear to go out hours and hours later, that is, getting the dmarc report back (rac do send spam) and pissing off hosts when it reports back. Oh to be a mind reader.

Yet another brainwave I had was that there is no way to block 'phishing' emails via opendmarc unless there is a strict policy set up, unless you search headers for dmarc rules, but that's down to the mta or spam botter, not opendmarc. There is an example below.

Routing loops could be a problem, à la: I send mail, they send mail, we mail back, etc. Have to see on that one. I guess you could turn off reporting, which kind of makes dmarc reporting an odd idea to start with.
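An added example, not opendmarc's code, of what a report sender can do about those loops and the bounces shown earlier (over quota, no such user, rate-limited): read the rua targets off a dmarc record, mark outgoing reports Auto-Submitted so RFC 3834-compliant autoresponders keep quiet, refuse to auto-reply from the report mailbox to such mail, and stop sending to addresses that bounced permanently or sit on an ignore list. The ignore list and bounce memory are an in-memory stand-in of mine, not opendmarc's configuration; addresses and domains are constructed placeholders.

```python
from urllib.parse import unquote

# Enhanced status codes seen in the page's bounces and what each means to a report sender.
PERMANENT = {"5.1.1": "no such user", "5.2.2": "mailbox over quota", "5.7.1": "rejected by policy"}


def rua_targets(dmarc_txt):
    """Pull the mailto: report addresses (and optional size caps) out of a DMARC TXT record."""
    tags = {}
    for tag in dmarc_txt.split(";"):
        key, _, value = tag.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    targets = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri:
            continue
        addr, _, size = uri.partition("!")  # "!10m" style size limit after the address
        if not addr.lower().startswith("mailto:"):
            continue  # not a mail address: nothing a mail-based reporter can deliver to
        targets.append((unquote(addr[len("mailto:"):]), size or None))
    return targets


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of headers (constructed inputs here)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def report_headers():
    """Headers an outgoing aggregate report should carry so autoresponders stay quiet (RFC 3834)."""
    return {"Auto-Submitted": "auto-generated", "Precedence": "bulk"}


def should_autoreply(incoming_headers):
    """Report-mailbox side: never answer machine-generated mail, which is what feeds the loop."""
    if _header(incoming_headers, "Auto-Submitted").lower() not in ("", "no"):
        return False
    if _header(incoming_headers, "Precedence").lower() in ("bulk", "list", "junk"):
        return False
    return True


class ReportPolicy:
    """Decide, per report address, whether another report is worth sending."""

    def __init__(self, ignore_domains=()):
        self.ignore = {d.lower() for d in ignore_domains}
        self.dead = {}      # address -> permanent DSN code seen
        self.deferred = {}  # address -> last temporary DSN code seen

    def record_bounce(self, address, dsn_code):
        """Remember a DSN code from a bounce; 4.x.x is temporary, anything else permanent."""
        if dsn_code.startswith("4."):
            self.deferred[address] = dsn_code
        else:
            self.dead[address] = dsn_code

    def decision(self, address):
        """Return (send?, reason)."""
        domain = address.rsplit("@", 1)[-1].lower()
        if domain in self.ignore:
            return (False, "domain on ignore list")
        if address in self.dead:
            code = self.dead[address]
            return (False, f"permanent failure {code}: {PERMANENT.get(code, 'permanent')}")
        if address in self.deferred:
            return (True, f"retry later after {self.deferred[address]}")
        return (True, "ok")
```

A rua target that is not a mailto: URI is what opendmarc-reports complains about with "can't parse reporting URI"; here it is simply skipped.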

In the real world i found out:

If you do not import messages into sql and then shut down opendmarc (say for a kernel upgrade), then opendmarc deletes the text file; that is one bug I noticed. Not an end-of-the-world issue, but an occasional one.

Another bug I noticed in the 1.3.0 release (1.3.2 is in Debian experimental) is that opendmarc-reports will still send email out even if you had a typo in the address or email set in the script (the zoo has four domains).

I noticed as our dkim signing did not initiate when it should have (my typo).

The sql data is stored, although it is not designed for humans to read; the xml reports which it makes, and which we also get from others as the zoo has dmarc, are more human-readable.

Microsoft (microshit) are pretty crap at dmarc; their reports leave a lot to be desired due to \n issues.

They also bounce failures; this is pure microshit in action. I perceive this as a bit spammy. It took a little time to sanitize here.

Subject x has left you a private message
From No signature information
To technical_dmarc@zoo
Date Thu 07:46 PM
This is an email abuse report for an email message received from IP on Thu, 19 Jan 2017 11:xx:40 -0800.
The message below did not meet the sending domain’s authentication policy.
For more information about this format please see
Subject x has left you a private message
From Signature is not valid ! verified by VMessage
Sender notification+bingxia006@zoo
Date Thu 04:44 PM
You have 1 new message


Typical crap from Microsoft; it was spamcop-proof too.

Criminals also have odd dmarc setups. A good example is quantumaccountingservices . net, which is scammy* and at the time of writing returned:

Host not found, try again

So I guess you're going to get a lot of domains to ignore.

A problem I have is with multiple-domain reporting (say mail.zoo, mail.zoo1, etc.). In the Debian 1.3.0 version the first report run, for mail.zoo, has all the fun; the other opendmarc report scripts run but have nothing to report on. That might be a level of complexity most with one domain and one host never get to see or care about, and might be down to the shit sql server it uses.

My adsp and atps lines in dns needed some tweaking, since reporting uses port 25 and I use the other port for outbound mail, which for over a week I failed to comprehend, so this might be a postfix / amavis or some other issue I cannot resolve currently.

The zoo will not be sending reports until we figure out adsp, even though the sql import and expire work.

opendmarc-spam looks interesting, although it is a thought experiment needing a look at the source code to guess how it works.

That’s about it for opendmarc reporting. Tomorrow I will be delving into the science of mind reading** after all it appears to be a required skill with dmarc.

*the hint is in the name. ** i joke