I get Dmarc reports sent from various different sources. All of the reports generally have
<result>pass</result> for all of the sections.
However, the reports from Google always have SPF fails:
<row>
  <source_ip>184.108.40.206</source_ip>
  <count>1</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>pass</dkim>
    <spf>fail</spf>
  </policy_evaluated>
</row>
. . .
<auth_results>
  <dkim>
    <domain>domain.co.uk</domain>
    <result>pass</result>
    <selector>dkim</selector>
  </dkim>
  <dkim>
    <domain>email-od.com</domain>
    <result>pass</result>
    <selector>dkim</selector>
  </dkim>
  <spf>
    <domain>bounce.domain.co.uk</domain>
    <result>fail</result>
  </spf>
</auth_results>
My SPF record looks like:
"v=spf1 +a +mx +a:server.domain.co.uk include:email-od.com ~all"
I am unsure why my bounce domain is failing SPF checks, but it only seems to be on Google DMARC reports.
To be honest, I am unsure what the bounce domain does, should I set up an email address – email@example.com?
Any help sorting my SPF and advice re bounce.domain.co.uk would be great.
The domain and tenant have SPF and DKIM properly configured and the DMARC policy set to p=reject. Still, emails spoofed with the domain in the From header aren’t rejected, but appear in the Junk Email folder on Office 365. People do check their Junk Email for false positives, and are still reading all the CEO frauds, sextortion letters etc.
This seems to be a feature rather than a bug, as described in Microsoft’s documentation:
How Office 365 handles inbound email that fails DMARC
If the DMARC policy of the sending server is p=reject, EOP marks the message as spam instead of rejecting it. In other words, for inbound email, Office 365 treats p=quarantine the same way.
Office 365 is configured like this because some legitimate email may fail DMARC. For example, a message might fail DMARC if it is sent to a mailing list that then relays the message to all list participants. If Office 365 rejected these messages, people could lose legitimate email and have no way to retrieve it. Instead, these messages will still fail DMARC but they will be marked as spam and not rejected.
However, this reasoning has some flaws:
- DKIM protects legitimate mail; DKIM-signed messages do pass the DMARC policy even if SPF fails to align when they are forwarded on a mailing list. (Mailing lists should change the envelope sender to pass SPF checks anyway, so the SPF checks are probably passed, but not aligned.)
- With p=reject instead of p=quarantine, the owner of the domain has stated that the emails should be rejected. Therefore, Microsoft’s implementation is against RFC 7489, 6.3:
p: Requested Mail Receiver policy ... reject: The Domain Owner wishes for Mail Receivers to reject email that fails the DMARC mechanism check. Rejection SHOULD occur during the SMTP transaction.
Is there any setting on Office 365 to alter this behaviour and reject these messages?
I have attached a DMARC report for my domain (this one sent from Google). It correctly shows only mail sent from my MTA (Amazon SES) as passing the DMARC compliance. And the DKIM portion also shows only mail from my MTA as passing. Great.
However, this report shows lots of other hosts passing SPF authentication. Why/how is this possible? I don’t even have SPF records set in my DNS? Am I misinterpreting what this report means? Can someone explain what is happening?
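Both this post and the first one quote fragments of Google aggregate reports in which the raw results under <auth_results> and the evaluated results under <policy_evaluated> disagree. The following added example (not code from either post, and not Google's or any vendor's tool) parses a constructed report in the same XML format and prints both views side by side. The first record reuses the domains from the first post, with header_from assumed to be domain.co.uk; the second record is constructed to show a raw SPF pass for a domain that is not the sender's own, which the policy evaluation does not count.

```python
"""Summarise a DMARC aggregate (rua) report, separating the raw SPF/DKIM
results in <auth_results> from the aligned results in <policy_evaluated>.

Added example, not from any of the posts above. SAMPLE_REPORT is constructed
for this example; its first record mirrors the one quoted in the first post
(header_from domain.co.uk is assumed), the second is invented.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-example-1</report_id>
  </report_metadata>
  <policy_published>
    <domain>domain.co.uk</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.co.uk</domain><result>pass</result><selector>dkim</selector></dkim>
      <dkim><domain>email-od.com</domain><result>pass</result><selector>dkim</selector></dkim>
      <spf><domain>bounce.domain.co.uk</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>domain.co.uk</header_from></identifiers>
    <auth_results>
      <spf><domain>some-forwarder.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return one dict per <record> holding both the raw and the evaluated results."""
    root = ET.fromstring(xml_text)
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            # <policy_evaluated> carries the *aligned* DMARC verdicts ...
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            # ... while <auth_results> carries the raw verdicts per identifier.
            "raw_dkim": [(d.findtext("domain"), d.findtext("result")) for d in auth.findall("dkim")],
            "raw_spf": [(s.findtext("domain"), s.findtext("result")) for s in auth.findall("spf")],
        })
    return records


def dmarc_pass(record):
    """DMARC passes when at least one aligned identifier passes (RFC 7489 section 6.6.2)."""
    return record["dkim_aligned"] or record["spf_aligned"]


def summarize(xml_text):
    """One human-readable line per record, raw and aligned results side by side."""
    lines = []
    for r in parse_report(xml_text):
        raw_spf = ", ".join(f"{d}={res}" for d, res in r["raw_spf"]) or "none"
        raw_dkim = ", ".join(f"{d}={res}" for d, res in r["raw_dkim"]) or "none"
        lines.append(
            f"{r['source_ip']} x{r['count']} (From {r['header_from']}): "
            f"DMARC {'pass' if dmarc_pass(r) else 'fail'}, disposition={r['disposition']}; "
            f"aligned dkim={r['dkim_aligned']} spf={r['spf_aligned']}; "
            f"raw spf [{raw_spf}]; raw dkim [{raw_dkim}]"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPORT):
        print(line)
```

A raw pass under <auth_results><spf> only states that the connecting IP was authorised by the SPF record of the RFC5321.MailFrom domain named in that element; it is the <policy_evaluated> value that tells you whether that identifier was aligned with the From domain and therefore counted towards DMARC.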
A DMARC aggregate report which I received reads (irrelevant pieces removed, domains changed):
<record>
  <row>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <auth_results>
    <dkim>
      <domain>mail-provider.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>subdomain.mail-provider.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
I do not understand why the evaluated DMARC policy is fail with respect to SPF. As <auth_results> shows, SPF by itself validates. AFAIK, in this case the DMARC failure can only be caused by the passed SPF identity not being identifier-aligned according to the DMARC policy. But how could that happen in my case?
The DMARC RFC 7489 reads:
Identifier Alignment: When the domain in the RFC5322.From address matches a domain validated by SPF or DKIM (or both), it has Identifier Alignment.
- Domain in the “From:” field is
- SPF record for
- SPF record for mail-provider.com contains a range of IP addresses they use to send mail from. The mail has arrived from an address in that range.
- DMARC policy for mycompany.com does not require “strict” alignment for SPF.
I thought that the “passed SPF identity” in this case is mail-provider.com; for DMARC to pass it needs to align with subdomain.mail-provider.com, and it does so in “relaxed” mode. What am I missing?
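The identifier alignment rule quoted from RFC 7489 is small enough to write down as a function. The example below is added here and is not code from the post; it implements relaxed and strict alignment and the DMARC pass/fail decision of RFC 7489 section 6.6.2, then runs it over several combinations of From domain, SPF domain and DKIM d= domain. It does not reproduce the quoted report (that report omits the <identifiers> element, so the From domain is unknown); the From domain mycompany.com used in the demonstration is an assumption, and the organizational-domain function is a two-label approximation rather than a Public Suffix List lookup. The cases go beyond the post's single situation to show each outcome, including a raw SPF pass that does not count because it is not aligned.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1) and the pass/fail
decision (section 6.6.2) as a worked function.

Added example; not code from the post. The From domain used in the
demonstration (mycompany.com) is assumed, since the quoted report omits
<identifiers>. Organizational domain is approximated by the last two DNS
labels, which is wrong for suffixes such as co.uk; real evaluators use the
Public Suffix List.
"""


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    fd = from_domain.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return fd == ad
    return org_domain(fd) == org_domain(ad)


def evaluate_dmarc(header_from, spf_domain, spf_result, dkim_results, aspf="r", adkim="r"):
    """Return (dmarc_pass, spf_aligned_pass, dkim_aligned_pass).

    spf_domain / spf_result: the RFC5321.MailFrom domain and its raw SPF verdict.
    dkim_results: list of (d= domain, raw verdict) pairs, one per signature.
    A raw pass whose domain is not aligned contributes nothing to DMARC.
    """
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(header_from, d, adkim) for d, res in dkim_results)
    return (spf_ok or dkim_ok, spf_ok, dkim_ok)


if __name__ == "__main__":
    cases = [
        # Raw SPF and DKIM both pass, but for another organization's domains.
        ("mycompany.com", "subdomain.mail-provider.com", "pass", [("mail-provider.com", "pass")], "r", "r"),
        # Bounce subdomain of the From domain: aligned in relaxed mode only.
        ("mycompany.com", "bounce.mycompany.com", "pass", [("mail-provider.com", "pass")], "r", "r"),
        ("mycompany.com", "bounce.mycompany.com", "pass", [("mail-provider.com", "pass")], "s", "r"),
        # SPF fails outright (e.g. after forwarding) but an aligned DKIM signature survives.
        ("mycompany.com", "bounce.mycompany.com", "fail", [("mycompany.com", "pass")], "r", "r"),
    ]
    for hf, sd, sr, dk, aspf, adkim in cases:
        verdict = evaluate_dmarc(hf, sd, sr, dk, aspf, adkim)
        print(f"From={hf} spf={sd}:{sr} dkim={dk} aspf={aspf} adkim={adkim} -> {verdict}")
```

The return tuple mirrors the two columns of an aggregate report: the second and third elements are what ends up under <policy_evaluated>, and the first is the overall DMARC result that the disposition is based on.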
About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am helpless right now and don’t really understand what is happening.
I get this message:
The DMARC test failed but we didn’t find any obvious reason why. If you recently modified your DNS, please wait a few hours and then test again.
DMARC DNS entry found for the domain _dmarc.vlastimilburian.cz:
"v=DMARC1; p=reject; adkim=s; aspf=s"
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz firstname.lastname@example.org header.b=CefZgBpZ; dkim-atps=neutral
mail-tester.com; dmarc=none header.from=vlastimilburian.cz
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz email@example.com header.b=CefZgBpZ; dkim-atps=neutral
From Domain: vlastimilburian.cz
DKIM Domain: vlastimilburian.cz
I have a ProtonMail premium plan with one custom domain and a single email address. My domain DNS is protected with DNSSEC.
I have DKIM (DomainKeys Identified Mail – wiki) also.
My SPF record is a hard-fail:
v=spf1 include:_spf.protonmail.ch mx -all
The strange thing is, both SPF and DKIM are passing:
I did not modify my DNS in 3 days, is there any other possible reason for DMARC to fail?
A friend received a spoofed email (from Bank of America using an uber.com address) which was correctly identified as ‘spam’ by Gmail. However, looking at the raw message it seems to have passed SPF, DKIM and DMARC checks.
1) How did a spam email manage to pass SPF, DKIM and DMARC using a source domain as popular as uber.com – a domain the spammers likely don’t control?
2) Is there anything else in the message header/body which would conclusively determine the email to be spoofed? (i.e. other than probabilistic reasoning or blacklisting of elements contained within e.g. external links)
Pasted below is the entire raw message (destination email changed for anonymity).
Delivered-To: firstname.lastname@example.org
Received: by 2002:a19:f009:0:0:0:0:0 with SMTP id p9csp8149944lfc; Thu, 2 May 2019 15:48:40 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyhm5pZuY7Fm7UQDAafePILEmcZUG7oB/gvcd6J/EhUFwZiS3XMf65THeoGx++FQCmhzOCE
X-Received: by 2002:a17:906:13d2:: with SMTP id g18mr3231656ejc.78.1556837320717; Thu, 02 May 2019 15:48:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1556837320; cv=none; d=google.com; s=arc-20160816; b=eXB2eqanspJQA6s/q5LqzZmlHbIEk21g9zucGA8hxmjYVXu0b3XnZzYUdJjY5bA0at P6F6qlig4aO5N2Gsr8a9MDRSvvfAibeRTENq/7iO3gaUQIbAM9gQ/aQhV6uLiD+DoSZU dHhhwJB2GQ/5Dh6HoXNuj4SrTMn3yHOEuQA4I+Htw7B1CASkDTIKcs7CART606F33R3N hJqQWlkTlXRNKeSCVY9Ji+7Ij08mciIOJXA2ug0ZYvH9W/C1St8yENSLKfFcrJlk/U/c OyxFmB11yDK9wP9Af5JyzOlkNvGVhXgo1oZzNuB0cyY0nn/HynNrzWhhhTBohg6p92k7 9CuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=message-id:to:subject:reply-to:mime-version:from:date :dkim-signature:dkim-signature; bh=qLQDboUSSv8iAbkYL4wb/BR8FXlb49YUxc2eDjBWs5k=; b=EtdsO3m3lHH8+WCcDco6Ahfet2PLEix2p1NKcgzqD7fH+37MPmVieWp3qZo2gy0cgD VP4TGaspSGND2cjBZUqlTr6ScJPj98eRtsIOVb/CRgocSy354o72WzT43P2LXJaOSz+L Rq814M7GHwrtutY3bWpYteO2nEAg18EgSyjC7mYqYvERRa7OFhIJO36/ZnAxCGV5xWTm nd3evLaWNpsRP8eUysyOkuC1wGNW9HGCdcs0q5meSfxl+3PmYzTZ4MlrhAxvEWyPRRM4 gDnwQ7w6RUZjGtbsEWul/5zKa5HDX1jTtH4DRYWe3MaLJ4zpFPQ289mnypfpoHB9vNKb wS5A==
ARC-Authentication-Results: i=1; mx.google.com; dkim=pass email@example.com header.s=s1 header.b=sGXq8dN3; dkim=pass firstname.lastname@example.org header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of email@example.com designates 220.127.116.11 as permitted sender) smtp.mailfrom="firstname.lastname@example.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com
Return-Path: <email@example.com>
Received: from o15.email.uber.com (o15.email.uber.com. [18.104.22.168]) by mx.google.com with ESMTPS id c8si312626edb.189.2019.05.02.15.48.40 for <firstname.lastname@example.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 02 May 2019 15:48:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of email@example.com designates 22.214.171.124 as permitted sender) client-ip=126.96.36.199;
Authentication-Results: mx.google.com; dkim=pass firstname.lastname@example.org header.s=s1 header.b=sGXq8dN3; dkim=pass email@example.com header.s=smtpapi header.b=hex9bvGh; spf=pass (google.com: domain of firstname.lastname@example.org designates 188.8.131.52 as permitted sender) smtp.mailfrom="email@example.com"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=uber.com; h=content-type:from:mime-version:reply-to:subject:to; s=s1; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=sGXq8dN3+HHhABwT351Y+af+nr2B8 pHTDx2MjlKRIDe7H/cnIsI/CpwpJLrb8Stp9RsP0sP5nK3TZmKHQwJedhRvBTC7n r/uPT0JSi+ONLtF9C+0qRXmWmJtqQzFf9slsVRdHaXX8RLa6yaLLzwsHuuRdaJZG o4oB6ZA5AJCesY=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=sendgrid.info; h=content-type:from:mime-version:reply-to:subject:to:x-feedback-id; s=smtpapi; bh=v7x4HoONz0ezNRDnKYF0uc2hhtM=; b=hex9bvGhVyaiDwHKrN h24yUEJB4HO3pTdxhcoAK5VsaYOCXZx9p4blLSQp3uV8ew7NLo2z/zx4csNICZWh SmC8COHDgWcHciNfl43kiraXp400kRYiGsS1pHqVRX5Ob8D0JkPBK5O8DVaeruG8 CZA/6xSoS+V/bEH7nyXlXwrfc=
Content-Type: multipart/alternative; boundary=05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Date: Thu, 02 May 2019 22:48:36 +0000 (UTC)
From: Bank Of America <firstname.lastname@example.org>
Mime-Version: 1.0
Reply-to: email@example.com
Subject: [ALERT] Your account id has been blocked !!
To: firstname.lastname@example.org
Message-ID: <EYI_MwnGTyKSrZKHNQnOnw@ismtpd0039p1iad1.sendgrid.net>
X-SG-EID: BJ2Hyk3p2HXeBi9v1wQzSyZ8DM5WrDY+tsMwP5EVk1O0bcaJmQS4hZuUFgRtapyAExYteHWmn73qmX 7VEhHR5sd3ci/g+WzM8Uf68Ux7oY1gt0agNXHr4DKEE+nngxEBm8ZP2xGBiEEEpg5Whgqt/yWpHjZ7 HukhCl3QGdVTLehqCV+7CWTGIxhA8qDvQEtuCLBT6YeFBksxtcPbtJlU+nsHzCU+ZUGuJa5/mD+y0F s7tmnWQuHkKZKYL9EbGQts
X-SG-ID: Z2FxZazunBjVeNuNdzHDqrF8mxuCpi0krmont6YQrP1PhrSAm6F2vnhCz+cZmwIQQzzeNf3kS2PU4G C99ZbMEWr4lLYj5ol2knDZ/n3jZwq//ee6CYHr7NePdVS5vtJCVf7ranRUtPwlaGzBDEs80XrtvoiJ GPsexH5dsi0CLhc=
X-Feedback-ID: 3504297:hpZl/F8wyMjPOktsUM9fV9PBbsSgTLHDWo42qpJEarc=:hISn6uOVLCzR0vuCEri7CQ==:SG

--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Mime-Version: 1.0

Dear Valued Customer,=20 You Have A Personal Security Alert from BankOfAmerica. Sign-On https://flyingteachers.nl//wp-content/Wordpress/ Note: You will need to update your information for that service completely.= =20 =C2=A9 Copyright, BankOfAmerica, 2019.=20 Access https://google.com
--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8
Mime-Version: 1.0

<HTML><HEAD></HEAD> <BODY> <IMG src=3D"https://www2.bac-assets.com/homepage/spa-assets/ima= ges/assets-images-global-logos-boa-logo-CSXe4b047c0.svg" width=3D279 height= =3D64>=20 <TABLE id=3Dyui_3_7_2_1_1357636237151_3250 style=3D"FONT-SIZE: 12px; FONT-F= AMILY: Arial, Helvetica, sans-serif" cellSpacing=3D0 cellPadding=3D0 width= =3D600 border=3D0> <TBODY></TBODY></TABLE><BR>Dear Valued Customer, <BR><BR>You Have A Person= al Security Alert from BankOfAmerica.<BR> <P></P> <P><FONT id=3Dyui_3_16_0_1_1399663152274_19869 style=3D"FONT-SIZE: 12px; CO= LOR: #333333; LINE-HEIGHT: 18px" face=3D"Verdana, sans-serif"> <TABLE id=3Dyui_3_16_0_1_1399663152274_48813 style=3D"BACKGROUND: no-repeat= left top" height=3D15 cellSpacing=3D0
cellPadding=3D0 width=3D111 bgColor= =3D#6cae35 border=3D0> <TBODY id=3Dyui_3_16_0_1_1399663152274_48812> <TR id=3Dyui_3_16_0_1_1399663152274_48811 bgColor=3D#6cae35> <TD id=3Dyui_3_16_0_1_1399663152274_48862 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D15 align=3Dcenter><FONT size=3D2><HTTPS: id=3Dyui_3_16_0_1_1399663= 152274_48861 width=3D"15" height=3D"15" email_cta_arrow.gif=3D"" media=3D""= static_assets=3D"" mcontent=3D"" content.usaa.com=3D""></HTTPS:></FONT></T= D> <TD id=3Dyui_3_16_0_1_1399663152274_48810 bgColor=3D#6cae35 vAlign=3Dmiddle= width=3D96 align=3Dcenter><A id=3Dyui_3_16_0_1_1399663152274_48814 style= =3D"TEXT-DECORATION: none; COLOR: #fff; FONT: bold 11px arial, sans-serif" = href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIfRAMGF2= MPDMqrIBax6TjqHI26EB2dJUvOpfb6-2BtHW1GBBasvV-2BPdUGxE65m1S0AUw-3D-3D_upBRTD= Ma1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2= BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDx= gGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEp9Ag= pJI7RnaO6AO3D5pLjHBeAsWMwbWL4o9BhEfMC8cT0zWfUna8GP3wEKDFrXWVmspJeNCXCcqbUUp= SUF49HwDS-2F279HaQ-2BkL8PVsX8eMAvnRBRi8DRIAWf938W9MaPq8yv9aeEq8G6uedSgCjCX1= FAAhXKhtxerCOMO6JhOYPlm2-2FHX633X1SrBaiTYZGOw-3D-3D" rel=3Dnofollow target= =3D_blank>Sign-On</A></TD></TR></TBODY></TABLE></FONT></P>Note: You will ne= ed to update your information for that service completely.
<BR><BR><FONT id= =3Dyui_3_13_0_1_1398145588576_6499 size=3D1></FONT><FONT size=3D2>=C2=A9 Co= pyright, BankOfAmerica, 2019.</FONT>=20 <img src=3D"http://email.uber.com/wf/open?upn=3DupBRTDMa1f8arr27T-2FChSHKA0= 2CtoItCQ9e6PNbvcG9XxnPK4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz= 9Yr529xiH9tDHJLxlZMIShGPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2= BdDdmBj2b7z5S6KGHutMpn48l3JhaVOuRvB-2F5niKuSo53oVEnZOKS1AsqehIRfEXmYLYu3fhQ= UZgheXahrlWwKmrfQylaw7Y2sX09qWBC67FiV-2Fwmf5O6ZvgYoAV3vtQZhLjSa6B7I0DiwhfzK= 11lBOmIXiMuUc30aqH9s9sDIGqnGR8O-2Fdgjw-2FWHQjWqMlfMnd1TWWYULqOl5xYb-2BD-2B1= JMvHPISuLN3S-2BBtXPo-2BSzlYb9YTw-3D-3D" alt=3D"" width=3D"1" height=3D"1" b= order=3D"0" style=3D"height:1px !important;width:1px !important;border-widt= h:0 !important;margin-top:0 !important;margin-bottom:0 !important;margin-ri= ght:0 !important;margin-left:0 !important;padding-top:0 !important;padding-= bottom:0 !important;padding-right:0 !important;padding-left:0 !important;"/= > </BODY></HTML> <a href=3D"http://email.uber.com/wf/click?upn=3D-2FQ0tIReEQQvMTn37D6ijIUDYH= X2-2FyU5mi0Enz-2FchsQI-3D_upBRTDMa1f8arr27T-2FChSHKA02CtoItCQ9e6PNbvcG9XxnP= K4VYSIoINuPPUDOYMFaHDvWWc6mRXY-2BjkyEJ4uGUdSbHsos4WOz9Yr529xiH9tDHJLxlZMISh= GPk0S8U4onf5vQHto3-2B7-2BwbS3DDxgGjcR-2BFeB1tfaZTkc-2BdDdmBj2b7z5S6KGHutMpn= 48l3JhaVOuRvB-2F5niKuSo53oVEggJcxBzsBUTFT7XWbdRLfOKJHct29bBLqq-2FiX-2BnFPQ-= 2BLCqjk6YuSfSFkaKdm5QvdZMBusseXcTQlJhzVP-2Beo5392uwTJHnkaMczik43b2te8teMEjS= hfujpSCF4MTUkjQ5IBldCR7EOeT4-2BF6vpq0Ctnr2W7ZarsqWFftMiNy8s-2BU-2F5eF1gGJwN= 7E92IF4inQ-3D-3D" target=3D"_blank" rel=3D"noopener">Access</a>
--05837142e85bc2c4ac09b1d30a5ba3fe4f9b7871babe88f65414e2efb0b2--
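The quoted Authentication-Results header records what the poster describes: spf, both dkim signatures and dmarc all pass, because the message came through a sending path that uber.com's published SPF and DKIM records authorise. Once authentication is clean, what a reviewer has left are the identities that authentication does not cover. The example below is added here and is not code from the post or from Gmail; it parses an RFC 8601 Authentication-Results header into its methods and properties, then compares the authenticated From domain with the Reply-To domain, the Message-ID domain, any additional DKIM signers and the display name, and reports the mismatches. These are review points, not proof of spoofing on their own. SAMPLE_MESSAGE is constructed after the shape of the quoted mail; its addresses, IP and Reply-To domain are placeholders, not values from the real message.

```python
"""Parse an Authentication-Results header (RFC 8601) and compare the
authenticated identifiers with the message's other sender identities.

Added example, not taken from the post. SAMPLE_MESSAGE is constructed to
mirror the shape of the quoted message: the addresses, the IP and the
Reply-To domain are placeholders, not values from the real mail.
"""
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <bounces@email.uber.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@uber.com header.s=s1 header.b=sGXq8dN3;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=hex9bvGh;
       spf=pass (google.com: domain of bounces@email.uber.com designates 192.0.2.15 as permitted sender) smtp.mailfrom="bounces@email.uber.com";
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=uber.com
From: Bank Of America <alerts@uber.com>
Reply-To: support@placeholder-mailbox.example
To: recipient@example.org
Subject: [ALERT] Your account id has been blocked !!
Message-ID: <EYI_MwnGTyKSrZKHNQnOnw@ismtpd0039p1iad1.sendgrid.net>
Content-Type: text/plain; charset=UTF-8

(body omitted)
"""


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels, no PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, list of results).

    Each result is {"method", "result", "props"}; props maps ptype.property
    names such as "header.from" or "smtp.mailfrom" to their values.
    """
    # Comments in parentheses may contain ';' and '=', so drop them first.
    value = re.sub(r"\([^()]*\)", "", value)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0] if parts else ""
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            props[key.lower()] = val.strip('"')
        results.append({"method": method.lower(), "result": result.lower(), "props": props})
    return authserv_id, results


def domain_of(addr):
    """Domain part of a mailbox header value, lower-cased; '' when absent."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()


def spoof_indicators(raw_message):
    """Return human-readable findings about identity mismatches in a message.

    None of these proves spoofing on its own; they are the places to look
    once SPF, DKIM and DMARC have all passed.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    display_name = parseaddr(str(msg["From"] or ""))[0]
    _, results = parse_auth_results(str(msg["Authentication-Results"] or ""))
    findings = []

    dmarc = [r for r in results if r["method"] == "dmarc"]
    if dmarc and dmarc[0]["result"] == "pass":
        findings.append(
            f"dmarc=pass for {dmarc[0]['props'].get('header.from')}: attests only that this "
            f"sending path is authorised for that domain, not that the content is legitimate")

    # A passing DKIM signer other than the From domain names the intermediary that relayed the mail.
    signers = {r["props"].get("header.i", r["props"].get("header.d", "")).lstrip("@").lower()
               for r in results if r["method"] == "dkim" and r["result"] == "pass"}
    third_party = sorted(d for d in signers if d and org_domain(d) != org_domain(from_domain))
    if third_party:
        findings.append(f"DKIM also signed by a third party: {', '.join(third_party)}")

    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and org_domain(reply_domain) != org_domain(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    msgid_domain = str(msg["Message-ID"] or "").strip().strip("<>").rpartition("@")[2].lower()
    if msgid_domain and org_domain(msgid_domain) != org_domain(from_domain):
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain {from_domain}")

    # Weak heuristic: a display name that never mentions the From domain's own name.
    if display_name and from_domain.split(".")[0] not in display_name.lower().replace(" ", ""):
        findings.append(f"display name '{display_name}' does not mention the From domain {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

Only the header.from, smtp.mailfrom and header.i/header.d values are covered by the authentication results; Reply-To, Message-ID and the display name are not authenticated by any of the three mechanisms, which is why they are worth comparing separately.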
DMARC produces a “pass” result if and only if at least one of the SPF and DKIM checks passes. It has been noted that DKIM provides the stronger protection of the two (if implemented properly). But in order to require specifically that DKIM pass under a DMARC policy, one needs to “disable” SPF (either by not publishing SPF records or by publishing an SPF record which disallows everything).
I do not understand the reason for such a design of DMARC: there are two checks (SPF and DKIM), but there is no way to enforce a particular one of the two through the policy. It requires changing the other check itself.
What could be the reason for the DMARC specification to have no flags for specifically requiring either of (SPF, DKIM) to pass?
My website is up and running on www.example.com and I am sending automated emails from my email address email@example.com. DMARC and SPF seem to be set up accordingly:
_dmarc : v=DMARC1;p=none;pct=100;rua=mailto:firstname.lastname@example.org;ruf=mailto:email@example.com
spf : v=spf1 a mx include:_spf.elasticemail.com ~all
However, I keep receiving email reports from Google and Yahoo saying that my email is not authenticated. When I use free DMARC analysers, one says (as a warning):
No DMARC Record found for sub-domain. Organization Domain of this sub-domain is: example.com Inbox Receivers will apply example.com DMARC record to mail sent from www.example.com
Another one says (as warning):
A DMARC record is defined, but there are some issues with the configuration that may impact security, visibility, and deliverability for email sent from this domain.
DMARC is not at enforcement for example.com. Anyone can send messages purporting to be from addresses on this domain or its subdomains.
Whatever I have done, I couldn’t overcome this issue. What am I doing wrong? Is it all because my domain is www.example.com and I am using firstname.lastname@example.org subdomain to send the email?
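Both analyser warnings quoted above concern the record lookup rather than the record's content: a From domain of www.example.com has no _dmarc.www.example.com record, so receivers fall back to the organizational domain's record, and that record is at p=none. The added example below (not the poster's configuration and not the analysers' code) implements the discovery rule of RFC 7489 section 6.6.3 against a constructed in-memory DNS table, so it runs offline. The example.com record copies the tags from the post with placeholder report addresses; the example.net record is constructed to show how an sp= tag changes the effective policy for a subdomain; the example.org entry shows unrelated TXT data being ignored. The organizational-domain function uses the last two labels, an assumption that does not hold for suffixes such as co.uk.

```python
"""DMARC policy discovery for a subdomain (RFC 7489 section 6.6.3) with tag
parsing (section 6.3).

Added example, not the poster's own configuration or any vendor tool. DNS
is replaced by CONSTRUCTED_DNS, an in-memory table; the example.com record
mirrors the one quoted in the post, with placeholder report addresses.
"""


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels, no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=none; ...' into a dict keyed by lower-cased tag name."""
    tags = {}
    for item in txt.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def is_dmarc_record(txt):
    """Only TXT strings that start with a v=DMARC1 tag are DMARC records."""
    return parse_dmarc_record(txt).get("v", "").upper() == "DMARC1"


def discover_policy(from_domain, lookup):
    """Find the DMARC record that governs mail whose From domain is from_domain.

    lookup(name) returns the TXT strings published at name. Returns
    (record_domain, effective_policy, tags), or None when no record applies.
    """
    from_domain = from_domain.lower().rstrip(".")
    own = [r for r in lookup("_dmarc." + from_domain) if is_dmarc_record(r)]
    if own:
        tags = parse_dmarc_record(own[0])
        return from_domain, tags.get("p"), tags
    org = org_domain(from_domain)
    if org == from_domain:
        return None
    inherited = [r for r in lookup("_dmarc." + org) if is_dmarc_record(r)]
    if not inherited:
        return None
    tags = parse_dmarc_record(inherited[0])
    # A subdomain without its own record uses the organizational domain's
    # sp= tag when present, otherwise its p= tag.
    return org, tags.get("sp", tags.get("p")), tags


def at_enforcement(policy_value):
    """'quarantine' and 'reject' are enforcing; 'none' is monitor-only."""
    return policy_value in ("quarantine", "reject")


CONSTRUCTED_DNS = {
    # As in the post: a record on the organizational domain only, at p=none.
    "_dmarc.example.com": [
        "v=DMARC1;p=none;pct=100;rua=mailto:dmarc-rua@example.com;ruf=mailto:dmarc-ruf@example.com"],
    # Constructed contrast: an enforcing record with an explicit subdomain policy.
    "_dmarc.example.net": [
        "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-rua@example.net"],
    # Unrelated TXT data at the _dmarc name must be ignored.
    "_dmarc.example.org": ["some-verification-token"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return CONSTRUCTED_DNS.get(name.lower().rstrip("."), [])


if __name__ == "__main__":
    for sender in ("www.example.com", "example.com", "www.example.net", "www.example.org"):
        found = discover_policy(sender, lookup_txt)
        if found is None:
            print(f"{sender}: no DMARC record applies")
        else:
            rec_domain, pol, _ = found
            state = "enforcing" if at_enforcement(pol) else "monitor only"
            print(f"{sender}: record at {rec_domain}, effective policy {pol} ({state})")
```

Run against the table, www.example.com resolves to the example.com record with effective policy none, which is what the two warnings describe: the record is found, but because it is inherited and at p=none it does not enforce anything for the subdomain.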
I have spent a bit of time researching the SPF, DKIM and DMARC mechanisms; however, if I understand correctly, these help the recipient to confirm whether the domain is legitimate, but only if they have these mechanisms configured correctly and implemented.
In a scenario where the recipient does not have these particular mechanisms in place or misconfigured, could a spammer potentially use my email address to send the recipient spam?
So far it looks like your organization relies on the fact that you have configured SPF, DKIM and DMARC correctly as well as all recipients, to completely prevent your domain from being spoofed.
Or am I misunderstanding something here?
I began using the ProtonMail email service; I like it so much that I connected my domain yesterday and made the appropriate changes to DNS.
This page of ProtonMail’s knowledgebase says how DMARC shall be set up.
I have successfully connected my domain, set up SPF, DKIM, and I believe I’m ready for DMARC.
The thing is:
I am unsure if it’s a good idea to set it with
Do I need to specify any other things like ruf or anything else if I wanted to make it
My current status is: