
SPF + DKIM pass and DMARC fails

The domain s****g.nl has the following DMARC record:

"v=DMARC1; p=reject; rua=mailto:postmaster@s****g.nl, mailto:dmarc@s****g.nl"

It has a valid SPF record for the sending mail server and no DKIM record.

The domain fo***de.com has a valid SPF and DKIM record.


Example 1

Result:

  • SPF: PASS
  • DKIM: FAIL
  • DMARC: PASS

Example 2

Result:

  • SPF: PASS
  • DKIM: PASS
  • DMARC: FAIL

So when I send the email using a sender (on behalf of) the DMARC fails and the mail is not delivered.

Is there an explanation for this, and maybe a solution to send emails on behalf of a domain which has a DMARC reject policy and a valid SPF record for the sending mail server?

Edit:

[Screenshot results...][1]

Stefan Groenewoud asked Oct 12 '16 10:10


1 Answer

I have a feeling it's failing on your ADKIM and ASPF tests of DMARC. If SPF and DKIM pass, then it must be failing on both alignment tests.

Read this to understand more about Identifier Alignments

I've seen several cases where the DKIM validator is coded wrong and it will fail DMARC when it fails 1 alignment test, but both must fail according to the RFC Standards.

The only alignment tester I know about is this email tester. If you post the full headers of the sent emails, it'll be much easier to understand what might be wrong. You're only sharing part of the information and it's impossible to make a 100% accurate assessment. But I'm 80% confident the issue is with the alignment.

Based on the image you linked of your headers, I added an "a" to the beginning and "1" to the end so bots don't spam you.

Return-Path = response@afo***de1.com
DKIM Signature = d=afo***de1.com
From = info@as**g1.nl 

So for ADKIM alignment to pass, the "from" domain must match the "d=" domain of the DKIM signature:

info@as**g1.nl <> afo***de1.com

For the ASPF alignment to pass, the "return-path" domain must match the "from" domain:

afo***de1.com <> as**g1.nl 

One of those needs to match in order for DMARC to pass.

Henry answered Sep 19 '22 10:09
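The alignment rule from the answer above, as an added example that is not part of the original question or answer: a small evaluator that applies the RFC 7489 identifier alignment checks to the From, Return-Path and DKIM `d=` domains. It defaults to relaxed alignment because the DMARC record in the question sets no `adkim` or `aspf` tag; the domains, the three-entry public suffix set and all function names are assumptions made for the illustration.

```python
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List; real evaluators load the full PSL.
PUBLIC_SUFFIXES = {"nl", "com", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def addr_domain(value):
    return parseaddr(value)[1].rpartition("@")[2]

def dmarc_eval(header_from, return_path, spf_result, dkim_sigs, adkim="r", aspf="r"):
    """dkim_sigs is a list of (d= domain, verification result) pairs."""
    from_dom = addr_domain(header_from)
    spf_ok = spf_result == "pass" and aligned(from_dom, addr_domain(return_path), aspf)
    dkim_ok = any(res == "pass" and aligned(from_dom, d, adkim) for d, res in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed messages; shop.example.nl and mailer.example.com are placeholder domains.
# Like Example 1: the domain sends for itself, SPF passes and aligns, no valid DKIM.
direct = dmarc_eval("Shop <info@shop.example.nl>", "<bounce@shop.example.nl>",
                    "pass", [("shop.example.nl", "fail")])
# Like Example 2: a third party sends on behalf of the domain; SPF and DKIM both
# pass, but only for the third party's own domain, so neither aligns with From.
on_behalf = dmarc_eval("Shop <info@shop.example.nl>", "<response@mailer.example.com>",
                       "pass", [("mailer.example.com", "pass")])
# The same third party after adding a second signature with the From domain's key.
signed = dmarc_eval("Shop <info@shop.example.nl>", "<response@mailer.example.com>",
                    "pass", [("mailer.example.com", "pass"), ("shop.example.nl", "pass")])

if __name__ == "__main__":
    for name, result in (("direct", direct), ("on_behalf", on_behalf), ("signed", signed)):
        print(name, result)
```
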