Skip to main content

Questions tagged [dmarc]

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.

Filter by
Sorted by
Tagged with
46 votes
5 answers
79k views

Find DKIM and DMARC Records?

Is there a method to find a domain's DKIM and DMARC records using dig or nslookup? I have attempted to do the following: dig somedomain.org any returns many records, but not the known DKIM and ...
Evil Genius's user avatar
20 votes
2 answers
17k views

What does rua and ruf stand for in the DMARC spec?

I've searched all over Google and unable to find why these reports are named "rua" and "ruf". They don't seem random, but also don't appear to easily translates in an obvious way to their definitions....
cavalcade's user avatar
  • 351
17 votes
2 answers
3k views

DNS MX/SPF/DMARC records without actuall emails on domain

I created website for someone, but also someone (I guess some SEO guy) told this person that I made big mistake because there are missing DNS records on domain (mx, SPF, dmarc). Now I need to "...
norr's user avatar
  • 273
17 votes
3 answers
8k views

SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain

Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended ...
Ozzah's user avatar
  • 279
16 votes
1 answer
6k views

DKIM: Can I use a RSA key larger than 2048bit, i.e. 4096?

I wonder if I can simply use a 4096bit RSA key for DKIM (in DNS TXT Record). Are there any downsides (neglecting computational effort)? Maybe there are mail servers which can't handle a key this large?...
Florian Schneider's user avatar
15 votes
2 answers
19k views

What does dis=NONE mean in an email's Authentication-Results header?

The following is from an email I received recently: Authentication-Results: mx.google.com; spf=neutral; dkim=pass [email protected]; dmarc=pass (p=REJECT dis=NONE) header.from=...
Alex Henrie's user avatar
15 votes
3 answers
7k views

DMARC Alignment: Enforce messages pass BOTH SPF and DKIM

Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF? We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report ...
Noah Hall-Potvin's user avatar
13 votes
3 answers
13k views

Why does DMARC operate on the From-address, and not the envelope sender (Return-Path)?

Several emails sent from my webserver to a Gmail address, where the From: address is [email protected], have been marked as spam by Gmail. The From: field is populated from form data, and ...
EelkeSpaak's user avatar
12 votes
1 answer
7k views

Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?

Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the ...
lordbyron's user avatar
  • 371
12 votes
4 answers
8k views

Why is my opendmarc failing pretty much everything that comes through?

I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone: example.com. 600 IN MX ...
Morpheu5's user avatar
  • 279
11 votes
2 answers
22k views

DMARC failed, but SPF pass

If i sent a mail from my website (on a private server) to [email protected], i have this report : <record> <row> <source_ip>x.x.x.x</source_ip> <count>1&...
griotteau's user avatar
  • 271
11 votes
4 answers
18k views

SPF + DKIM + DMARC with Gmail account and external mail server

I,m using gmail with own domain (Google Apps) for my project. Now I want to add external mail server for sending notifications for users. Gmail doesn't give private keys for DKIM and if keys will be ...
cptBuggy's user avatar
  • 111
10 votes
3 answers
22k views

Why is my email failing Gmail's DKIM test?

I have a message that was rejected by Gmail, I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM? I am in control of "example.com". Our mail server is "server.example.com" ...
nielsbot's user avatar
  • 223
10 votes
2 answers
4k views

DMARC reporting unexpected SPF IP but DKIM still passes

I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant). Recently I decided to enabled DMARC ...
Fr33dan's user avatar
  • 171
10 votes
2 answers
6k views

DMARC and DKIM alignment with multiple DKIM signatures

If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check? Does ANY passing DKIM signature d= parameter have to match Header From? or Does the ...
Novox's user avatar
  • 504
8 votes
2 answers
9k views

How many emails can I put in one dmarc record's rua attribute?

How many emails can I put in one dmarc record? Is the following invalid because there are three mailto attributes? All the examples I see online have two addresses at most. "v=DMARC1; p=reject; rua=...
ThisClark's user avatar
  • 298
8 votes
2 answers
14k views

Email server: Remove rua from DMARC DNS entry or stop receiving DMARC reports

I have the following DNS entry for one of my clients email servers: _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]" This is the only email server I'm administering, which has a ...
manifestor's user avatar
  • 6,469
8 votes
1 answer
5k views

Not receiving any RUF DMARC reports (forensic) but are getting RUA (agg reports)

For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though ...
James Gaul's user avatar
8 votes
2 answers
3k views

DMARC test failed but we didn't find any obvious reason why; DMARC not passing while SPF and DKIM do

About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am ...
Vlastimil Burián's user avatar
7 votes
3 answers
2k views

Strange characters appearing in some DNS checkers, but not others for DKIM and SPF, possibly causing DMARC to fail

Emails sent from all 3 email addresses I have set up in the Rackspace Cloudways Add-On are ending up in Spam in GMail. When I "View Original Message" in GMail, I see... SPF: NEUTRAL with ...
clayRay's user avatar
  • 181
7 votes
2 answers
7k views

DMARC fail, but DKIM and SPF are passing

I am using AWS SES (in sandbox mode) to send an email to a GMail address. Unfortunately it gets flagged as spam. Google is nice enough to tell me in the message details that it is a DMARC failure I ...
YannP's user avatar
  • 203
7 votes
2 answers
14k views

Receiving DMARC reports for emails I do not send

I am hosting the email for my domain (lets call it example.com) on google apps (free legacy edition). I recently enabled the DMARC reports so I now get a daily report for the emails sent from my ...
DorAga's user avatar
  • 161
7 votes
1 answer
445 views

Which has bigger priority between DMARC and SPF?

First off let me start by saying I understand DMARC and SPF do not do the same thing. However both have an option to tell the receiving servers what to do with mails that do not pass SPF (and DKIM in ...
Frizlab's user avatar
  • 173
6 votes
7 answers
4k views

What format are DMARC dates?

I have a DMARC report that includes: <date_range> <begin>1500249600</begin> <end>1500335999</end> </date_range> How do I convert the dates to something human?
Greg Pagendam-Turner's user avatar
6 votes
1 answer
4k views

Mail from Teams forwarded to Gmail marked as spam due to DMARC failure

When I write a chat message in Microsoft Teams the receiver gets an e-mail notification on her Office 365 account ([email protected]) when she is offline in Teams. The receiver set it up so that all ...
Johannes Egger's user avatar
6 votes
1 answer
1k views

DMARC: must rua email match domain?

I'm trying to implement DMARC for a domain and the address specified in the rua tag is my own personal email for convenience. I have been receiving aggregate reports only from a handful of ESPs, and ...
Bintz's user avatar
  • 415
6 votes
4 answers
17k views

Is it OK to set up a DMARC record with no rua and ruf tags?

All of my systems ask me to set up a DMARC record, and I want to. It seems to be universally recommended now. However, no one will be monitoring the email performance of the website, or would know how ...
hommealone's user avatar
6 votes
1 answer
3k views

Is GMAIL incorrectly failing SPF?

0365 mail users are encouraged to use include:spf.protection.outlook.com -all in their SPF record. I have followed this guidance. My company's spf record says: v=spf1 include:spf.protection.outlook....
OzPHB's user avatar
  • 239
6 votes
2 answers
4k views

Why does spf fail in DMARC report from Google?

I recently received a DMARC report from Google alerting me of a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our ...
Leo Galleguillos's user avatar
6 votes
1 answer
637 views

Is email deliverability impossible with a .name email address?

I have a dot name domain. .name is an odd TLD: they originally only offered third level domains, eg first.last.name, so that more people could get their own name. They also included the first@last....
ryan's user avatar
  • 291
6 votes
2 answers
2k views

Designating A DKIM Signer Other Than The "From" Domain

A few months ago, I implemented SPF/DKIM/DMARC for my three-person company. After a trial period, I switched our DMARC to "p=reject", so that emails are rejected if they fail SPF/DKIM. Generally, it ...
joseph_morris's user avatar
5 votes
2 answers
2k views

Turn off DMARC report for pass

I would like to receive reports only for DMARC quarantined mail and failures, but I still receive mails for every successful e-mail that has been sent from my server. Configuration in dns looks like ...
Hynek Bernard's user avatar
5 votes
2 answers
17k views

how to configuration dkim on exchange email server

Mails sent from our internal email server to public servers such as Gmail, Yahoo and all other external organizations are delivering to spam. We currently use exchange server, in order to tackle above ...
enkhtuvshin's user avatar
5 votes
1 answer
6k views

why is this DMARC failing verification?

I get a 6.1/10 score on mail-tester.com, where the DMARC verification is the only relevant penalty (-3). * Your DKIM signature is valid * Your message failed the DMARC verification A DMARC policy ...
Stuck's user avatar
  • 153
5 votes
1 answer
7k views

Is it a DMARC failure if disposition=none & dkim=fail?

When I get one of these DMARC reports from Google is it because there is a problem? Or is it standard protocol. I am curious because I sent one test email and got this DMARC report to abuse@...
mister mcdoogle's user avatar
5 votes
1 answer
3k views

DMARC strict vs relaxed alignment?

I've been configuring DNS records for a mail server and got stuck when it came to DMARC's alignments. I know that both relaxed and strict are valid options, as well as relaxed being default setting. ...
user avatar
5 votes
1 answer
14k views

Improve Spam Confidence Level (SCL) for outgoing emails

I have a postfix SMTP server on Ubuntu. I have valid SPF and DKIM records, as verified by the email header my customer received. Authentication-Results: spf=pass (sender IP is XXX.XXX.XXX.XXX) ...
Raptor's user avatar
  • 1,041
5 votes
1 answer
2k views

NOT receiving DMARC reports from AOL / HOTMAIL / MSN / OUTLOOK / LIVE

My DMARC DNS record looks like this: (domain name is redacted) _dmarc.domain.com TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; rf=afrf; pct=100; ri=...
whallz's user avatar
  • 103
4 votes
2 answers
3k views

How can you tell the difference between rua and ruf DMARC reports?

I have a client that's receiving DMARC reports from various providers however the reports indicate that all checks 'PASS' and all DMARC/DKIM/SPF checking tools indicate the DMARC records are fine. ...
user315851's user avatar
4 votes
2 answers
3k views

Only enable SRS when forwarding to enable DMARC

I am setting up a mail server on my VPS and in order to prevent spam and being marked as spam I have enabled SPF, DKIM and DMARC. However, I do not want to host my own mailbox, so I forward the ...
Matthijs Steen's user avatar
4 votes
1 answer
2k views

correct order for Postfix milters

I use the following milters with Postfix: ClamAV, OpenDKIM, OpenDMARC, Rspamd This is also the order they are being called via smtpd_milters. What would be the best order for them regarding ...
basbebe's user avatar
  • 313
4 votes
1 answer
3k views

DMARC 'sampled out' policy override effect in GMail server

Anyone know what actually a sampled out override reason mean in DMARC aggregated daily reports? I only get those from GMail and recently I've got some complains of undelivered messages from recipients ...
squirrely's user avatar
  • 219
4 votes
1 answer
2k views

How to prevent emails from my domain through mailing lists to be rejected due to DMARC

I operate my own mail server at speedofsoundgaming.com and mwtd.net. I recently added a DMARC record to my domain to help prevent spam, and once seeing that things seemed to be working, upped the ...
Michael Taboada's user avatar
4 votes
1 answer
2k views

DMARC failing on Mailgun when forwarding occurs

We recently increased to a quarantine policy and are thinking of going to reject - but we stumbled across an issue we can't seem to identify a root cause for. Specifically, forwarded e-mails appear to ...
Eli's user avatar
  • 41
4 votes
1 answer
279 views

How to recover domain name from previous bad SPF record?

TL;DR: We had SPF too permissive (+all) and spammers used this to send tons of spam "from" our domain. We restricted that to ~all and added DMARC (not DKIM though), now other providers do not trust ...
Alexey Kamenskiy's user avatar
4 votes
1 answer
6k views

DMARC is blocking email that seems like it should be allowed

This is the DMARC record we have set v=DMARC1; p=reject; rua=mailto:[redacted]@coinbase.com; adkim=r; aspf=s So we are rejecting any not match with SPF strictly, and DKIM is relaxed. Here is the ...
Brian Armstrong's user avatar
3 votes
4 answers
413 views

Why use DMARC when SPF -all can do the job?

With DMARC I can set the policy to rejct mail. But isn’t it the same I can do with -all from within a SPF? Same goes for quarantine and a softfail ~all. Beside the reporting where is the benefit ...
Gordo2019's user avatar
3 votes
2 answers
6k views

SPF and DKIM help: Do the FAIL reports from DMARC indicate an issue?

I am having trouble determining if my SPF and DKIM are configured properly. Here are key details: My domain is mysteryscience.com We send mail from google apps, from SendGrid, and from Intercom. All ...
Keith Schacht's user avatar
3 votes
1 answer
533 views

How to get SPF alignment to pass DMARC for a subdomain?

I have the following DNS configuration: $ dig +noall +answer -t txt example.com example.com. 626 IN TXT "v=spf1 +a +mx include:sendgrid.net include:_spf.google.com -all" $ dig +noall +...
tftd's user avatar
  • 1,550
3 votes
1 answer
294 views

When using a subdomain with DMARC configured to send RUA, is it necessary to add DMARC reports TXT record?

If I send an email from [email protected] with [email protected] in the DMARC record of subdomain.example.com, is it necessary to create a DMARC reports TXT record (e.g., subdomain....
Paul's user avatar
  • 3,187

1
2 3 4 5 6