Summary
t-verify-self-spf always fails unless OpenDMARC is configured with --with-spf. The CI jobs do not pass --with-spf, so this test will fail (not skip) and block the macOS CI job added in #409.
Failure
miltertest: ./t-verify-self-spf.lua: [string "./t-verify-self-spf.lua"]:112: malformed SPF result attached
The test sends a message from trusteddomain.org with an unauthorized IP and expects spf=fail smtp.mailfrom=trusteddomain.org in the Authentication-Results header. With SPFSelfValidate Yes in the filter config, the filter should perform the SPF check. But SPFSelfValidate is gated entirely behind #if WITH_SPF in opendmarc.c, so without --with-spf it is silently ignored and no SPF result is added.
Root cause
opendmarc/tests/Makefile.am includes t-verify-self-spf unconditionally in LIVE_TESTS, but the feature it exercises only works when compiled with --with-spf. It should be gated on TEST_SPF (the autoconf conditional already set by --with-spf).
Fix options
Option A (preferred): gate the test in opendmarc/tests/Makefile.am:
if LIVE_TESTS
check_SCRIPTS += t-verify-multi-from-reject t-verify-multi-from-malformed \
t-verify-nodata t-verify-nodata-reject \
t-verify-unspec t-verify-received-spf-good t-verify-received-spf-bad \
t-verify-authservid-jobid
endif
if TEST_SPF
if LIVE_TESTS
check_SCRIPTS += t-verify-self-spf
endif
endifOption B: add --with-spf to the CI configure commands. libspf2 is not required -- passing --with-spf alone (without --with-spf2-include/--with-spf2-lib) enables the internal opendmarc_spf_test() implementation already compiled into libopendmarc. libspf2 is not available in Homebrew, so this is also the only practical path on macOS.
Both options are compatible and complementary.
Summary
t-verify-self-spfalways fails unless OpenDMARC is configured with--with-spf. The CI jobs do not pass--with-spf, so this test will fail (not skip) and block the macOS CI job added in #409.Failure
The test sends a message from
trusteddomain.orgwith an unauthorized IP and expectsspf=fail smtp.mailfrom=trusteddomain.orgin the Authentication-Results header. WithSPFSelfValidate Yesin the filter config, the filter should perform the SPF check. ButSPFSelfValidateis gated entirely behind#if WITH_SPFinopendmarc.c, so without--with-spfit is silently ignored and no SPF result is added.Root cause
opendmarc/tests/Makefile.amincludest-verify-self-spfunconditionally inLIVE_TESTS, but the feature it exercises only works when compiled with--with-spf. It should be gated onTEST_SPF(the autoconf conditional already set by--with-spf).Fix options
Option A (preferred): gate the test in
opendmarc/tests/Makefile.am:Option B: add
--with-spfto the CI configure commands.libspf2is not required -- passing--with-spfalone (without--with-spf2-include/--with-spf2-lib) enables the internalopendmarc_spf_test()implementation already compiled intolibopendmarc.libspf2is not available in Homebrew, so this is also the only practical path on macOS.Both options are compatible and complementary.