
We are seeing a large number of DMARC rejects from Google from emails that have both a valid DKIM signature and a valid SPF sender. We have validated this by sending the same emails to other ISPs and these arrive and the headers agree with our findings. It appears that Google are rejecting those emails, but they are also not sending us any DMARC reports, whereas we are getting reports (for the same domain) from other ISPs, so the DMARC configuration is present and working.

The record is as follows:

v=DMARC1; p=reject; ruf=mailto:[email protected]; rua=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=28800; sp=reject;

Domain is anonymised, but the rest is correct. From what I remember, we were getting reports prior to changing the policy to reject.

Any suggestions?

Edit

Rejection message

Jul 19 15:24:04 uksvl-web03-rs postfix/smtp[18671]: C180250BFA: to=<recipient.email>, relay=aspmx.l.google.com[64.233.167.27]:25, delay=0.66, delays=0.32/0/0.04/0.31, dsn=5.7.26, status=bounced (host aspmx.l.google.com[64.233.167.27] said: 550-5.7.26 Unauthenticated email from mydomain.com is not accepted due to 550-5.7.26 domain's DMARC policy. Please contact the administrator of 550-5.7.26 mydomain.com domain if this was a legitimate mail. Please visit 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.26 DMARC initiative. p13-20020adfe60d000000b00314343692b7si2238651wrm.545 - gsmtp (in reply to end of DATA command))

Example authentication results

Authentication-Results: spf=pass (sender IP is x.x.x.x)
 smtp.mailfrom=uksvl-web03-rs.mydomain.com; dkim=pass (signature was verified)
 header.d=senderdomain.com;dmarc=pass action=none
 header.from=senderdomain.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of
 uksvl-web03-rs.mydomain.com designates x.x.x.x as permitted sender)
 receiver=protection.outlook.com; client-ip=x.x.x.x;
 helo=uksvl-web03-rs.mydomain.com; pr=C
  • Share the name of the (by nature, public anyway) record containing the key, so we can check whether any software we use fails to retrieve or parse your key from DNS. Share the message Google gave you (from the SMTP transcript, should look something like 550 5.7.26 rejected for this particular reason.. Please visit https://support.google.com/mail/answer/01234 .. asd.123 - gsmtp). Find and show us the Authentication-Results: headers of a sample message Google rejected but someone else accepted.
    – anx
    Commented Jul 19, 2023 at 21:04
  • @anx I have added the rejection message and an example of the authentication results we are seeing, but this is a test message and is not being sent to Google. I have added a bcc to the email server and will get the headers from an email rejected by Google.
    – Kinexus
    Commented Jul 19, 2023 at 21:34
  • I still wonder if your DKIM signature is mathematically valid, yet worthless (bad algo, configuration or in case of RSA, chosen key size). Have it validated by a software that would explain so, if uncertain just use a public service like mail-tester.com
    – anx
    Commented Jul 19, 2023 at 21:45
  • @anx I have checked the configuration of SPF, DKIM, DMARC using multiple external tools and no issues are reported by any of them. I added an always_bcc option to our mail server last night and have caught occurrences of an email that was rejected by Google but accepted by outlook.com. Reviewing the headers for these and the Authentication Results are all green and look exactly like the example above. I would add that the report email for DMARC is not the same domain as the sender, but again we get reports from other ISPs in that configuration and for multiple domains.
    – Kinexus
    Commented Jul 20, 2023 at 7:12
  • Google might be more strict than most ESPs in determining to send reports or not if the domain in the rua tag does not match the domain for which DMARC was checked. In your example case you can add a record to mydomain.com: senderdomain.com._report._dmarc IN TXT "v=DMARC1".
    – Reinto
    Commented Jul 27, 2023 at 18:46
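A worked check of the external-destination rule Reinto describes, added here as an example and not code from the question or any of the commenters: it parses the DMARC record, finds rua/ruf destinations whose domain differs from the policy domain, and looks for the `<policy-domain>._report._dmarc.<report-domain>` TXT record that RFC 7489 section 7.1 requires the report receiver to publish. The domain names, the report mailbox and the zone contents are constructed placeholders, and `lookup_txt` stands in for a real DNS resolver.

```python
import re

# Constructed inputs mirroring the thread: the policy domain is senderdomain.com,
# and its DMARC record sends reports to a mailbox on a different domain.
POLICY_DOMAIN = "senderdomain.com"
DMARC_RECORD = ("v=DMARC1; p=reject; ruf=mailto:dmarc-reports@mydomain.com; "
                "rua=mailto:dmarc-reports@mydomain.com; fo=1; adkim=r; aspf=r; "
                "pct=100; rf=afrf; ri=28800; sp=reject;")

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def report_domains(tags: dict) -> set:
    """Domains of every mailto: URI in rua/ruf (a size limit such as !10m is dropped)."""
    domains = set()
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            m = re.match(r"mailto:[^@]+@([^!]+)", uri.strip(), re.IGNORECASE)
            if m:
                domains.add(m.group(1).lower())
    return domains

def required_verification_records(policy_domain: str, tags: dict) -> dict:
    """Map each external report domain to the TXT name that must carry v=DMARC1.
    RFC 7489 compares Organizational Domains; this simplifies that to an exact match."""
    return {dest: f"{policy_domain}._report._dmarc.{dest}"
            for dest in report_domains(tags) if dest != policy_domain.lower()}

def check_external_destinations(policy_domain: str, record: str, lookup_txt) -> dict:
    """Return {report_domain: bool}; lookup_txt(name) returns the TXT strings at name."""
    needed = required_verification_records(policy_domain, parse_dmarc(record))
    return {dest: any(txt.strip().lower().startswith("v=dmarc1")
                      for txt in lookup_txt(name))
            for dest, name in needed.items()}

# Constructed zone contents for mydomain.com, before and after adding the record.
ZONE_BEFORE = {}
ZONE_AFTER = {"senderdomain.com._report._dmarc.mydomain.com": ["v=DMARC1"]}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_external_destinations(
            POLICY_DOMAIN, DMARC_RECORD, lambda n, z=zone: z.get(n, [])))
```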
