We are seeing a large number of DMARC rejects from google from emails that have both a valid DKIM signature and a valid SPF sender. We have validated this by sending the same emails to other ISPs and these arrive and the headers agree with our findings. It appears that google are rejecting those emails, but they are also not sending us any dmarc reports, whereas we are getting reports (for the same domain) from other ISPs, so the DMARC configuration is present and working.
The record is as follows;
v=DMARC1; p=reject; ruf=mailto:[email protected]; rua=mailto:[email protected]; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=28800; sp=reject;
Domain is anonymised, but the rest is correct. From what I remember, we were getting reports prior to changing the policy to reject.
Any suggestions?
Edit
Rejection message
Jul 19 15:24:04 uksvl-web03-rs postfix/smtp[18671]: C180250BFA: to=<recipient.email>, relay=aspmx.l.google.com[64.233.167.27]:25, delay=0.66, delays=0.32/0/0.04/0.31, dsn=5.7.26, status=bounced (host aspmx.l.google.com[64.233.167.27] said: 550-5.7.26 Unauthenticated email from mydomain.com is not accepted due to 550-5.7.26 domain's DMARC policy. Please contact the administrator of 550-5.7.26 mydomain.com domain if this was a legitimate mail. Please visit 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.26 DMARC initiative. p13-20020adfe60d000000b00314343692b7si2238651wrm.545 - gsmtp (in reply to end of DATA command))
Example authentication results
Authentication-Results: spf=pass (sender IP is x.x.x.x)
smtp.mailfrom=uksvl-web03-rs.mydomain.com; dkim=pass (signature was verified)
header.d=senderdomain.com;dmarc=pass action=none
header.from=senderdomain.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of
uksvl-web03-rs.mydomain.com designates x.x.x.x as permitted sender)
receiver=protection.outlook.com; client-ip=x.x.x.x;
helo=uksvl-web03-rs.mydomain.com; pr=C
550 5.7.26 rejected for this particular reason.. Please visit https://support.google.com/mail/answer/01234 .. asd.123 - gsmtp
). Find and show us theAuthentication-Results:
headers of sample a message Google rejected but someone else accepted.senderdomain.com._report._dmarc IN TXT "v=DMARC1"
.