Questions tagged [dmarc]
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.
253
questions
46
votes
5
answers
79k
views
Find DKIM and DMARC Records?
Is there a method to find a domain's DKIM and DMARC records using dig or nslookup?
I have attempted to do the following:
dig somedomain.org any
returns many records, but not the known DKIM and ...
20
votes
2
answers
17k
views
What does rua and ruf stand for in the DMARC spec?
I've searched all over Google and unable to find why these reports are named "rua" and "ruf".
They don't seem random, but also don't appear to easily translates in an obvious way to their definitions....
17
votes
2
answers
3k
views
DNS MX/SPF/DMARC records without actuall emails on domain
I created website for someone, but also someone (I guess some SEO guy) told this person that I made big mistake because there are missing DNS records on domain (mx, SPF, dmarc). Now I need to "...
17
votes
3
answers
8k
views
SPF/DKIM/DMARC for Gmail "Send mail as" via smtp.gmail.com on external domain
Since "Google Apps" / "Google Apps for business" / "G-Suite" / "Google Workspaces" free tier is being discontinued, I need a solution to migrate my ~30 extended ...
16
votes
1
answer
6k
views
DKIM: Can I use a RSA key larger than 2048bit, i.e. 4096?
I wonder if I can simply use a 4096bit RSA key for DKIM (in DNS TXT Record).
Are there any downsides (neglecting computational effort)?
Maybe there are mail servers which can't handle a key this large?...
15
votes
2
answers
19k
views
What does dis=NONE mean in an email's Authentication-Results header?
The following is from an email I received recently:
Authentication-Results: mx.google.com;
spf=neutral;
dkim=pass [email protected];
dmarc=pass (p=REJECT dis=NONE) header.from=...
15
votes
3
answers
7k
views
DMARC Alignment: Enforce messages pass BOTH SPF and DKIM
Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF?
We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report ...
13
votes
3
answers
13k
views
Why does DMARC operate on the From-address, and not the envelope sender (Return-Path)?
Several emails sent from my webserver to a Gmail address, where the From: address is [email protected], have been marked as spam by Gmail. The From: field is populated from form data, and ...
12
votes
1
answer
7k
views
Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?
Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the ...
12
votes
4
answers
8k
views
Why is my opendmarc failing pretty much everything that comes through?
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:
example.com. 600 IN MX ...
11
votes
2
answers
22k
views
DMARC failed, but SPF pass
If i sent a mail from my website (on a private server) to [email protected], i have this report :
<record>
<row>
<source_ip>x.x.x.x</source_ip>
<count>1&...
11
votes
4
answers
18k
views
SPF + DKIM + DMARC with Gmail account and external mail server
I,m using gmail with own domain (Google Apps) for my project. Now I want to add external mail server for sending notifications for users. Gmail doesn't give private keys for DKIM and if keys will be ...
10
votes
3
answers
22k
views
Why is my email failing Gmail's DKIM test?
I have a message that was rejected by Gmail, I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM?
I am in control of "example.com". Our mail server is "server.example.com" ...
10
votes
2
answers
4k
views
DMARC reporting unexpected SPF IP but DKIM still passes
I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant).
Recently I decided to enabled DMARC ...
10
votes
2
answers
6k
views
DMARC and DKIM alignment with multiple DKIM signatures
If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check?
Does ANY passing DKIM signature d= parameter have to match Header From?
or
Does the ...
8
votes
2
answers
9k
views
How many emails can I put in one dmarc record's rua attribute?
How many emails can I put in one dmarc record? Is the following invalid because there are three mailto attributes? All the examples I see online have two addresses at most.
"v=DMARC1; p=reject; rua=...
8
votes
2
answers
14k
views
Email server: Remove rua from DMARC DNS entry or stop receiving DMARC reports
I have the following DNS entry for one of my clients email servers:
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
This is the only email server I'm administering, which has a ...
8
votes
1
answer
5k
views
Not receiving any RUF DMARC reports (forensic) but are getting RUA (agg reports)
For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though ...
8
votes
2
answers
3k
views
DMARC test failed but we didn't find any obvious reason why; DMARC not passing while SPF and DKIM do
About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am ...
7
votes
3
answers
2k
views
Strange characters appearing in some DNS checkers, but not others for DKIM and SPF, possibly causing DMARC to fail
Emails sent from all 3 email addresses I have set up in the Rackspace Cloudways Add-On are ending up in Spam in GMail.
When I "View Original Message" in GMail, I see...
SPF: NEUTRAL with ...
7
votes
2
answers
7k
views
DMARC fail, but DKIM and SPF are passing
I am using AWS SES (in sandbox mode) to send an email to a GMail address.
Unfortunately it gets flagged as spam.
Google is nice enough to tell me in the message details that it is a DMARC failure
I ...
7
votes
2
answers
14k
views
Receiving DMARC reports for emails I do not send
I am hosting the email for my domain (lets call it example.com) on google apps (free legacy edition). I recently enabled the DMARC reports so I now get a daily report for the emails sent from my ...
7
votes
1
answer
445
views
Which has bigger priority between DMARC and SPF?
First off let me start by saying I understand DMARC and SPF do not do the same thing.
However both have an option to tell the receiving servers what to do with mails that do not pass SPF (and DKIM in ...
6
votes
7
answers
4k
views
What format are DMARC dates?
I have a DMARC report that includes:
<date_range>
<begin>1500249600</begin>
<end>1500335999</end>
</date_range>
How do I convert the dates to something human?
6
votes
1
answer
4k
views
Mail from Teams forwarded to Gmail marked as spam due to DMARC failure
When I write a chat message in Microsoft Teams the receiver gets an e-mail notification on her Office 365 account ([email protected]) when she is offline in Teams. The receiver set it up so that all ...
6
votes
1
answer
1k
views
DMARC: must rua email match domain?
I'm trying to implement DMARC for a domain and the address specified in the rua tag is my own personal email for convenience. I have been receiving aggregate reports only from a handful of ESPs, and ...
6
votes
4
answers
17k
views
Is it OK to set up a DMARC record with no rua and ruf tags?
All of my systems ask me to set up a DMARC record, and I want to. It seems to be universally recommended now. However, no one will be monitoring the email performance of the website, or would know how ...
6
votes
1
answer
3k
views
Is GMAIL incorrectly failing SPF?
0365 mail users are encouraged to use include:spf.protection.outlook.com -all in their SPF record.
I have followed this guidance. My company's spf record says:
v=spf1 include:spf.protection.outlook....
6
votes
2
answers
4k
views
Why does spf fail in DMARC report from Google?
I recently received a DMARC report from Google alerting me of a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our ...
6
votes
1
answer
637
views
Is email deliverability impossible with a .name email address?
I have a dot name domain. .name is an odd TLD: they originally only offered third level domains, eg first.last.name, so that more people could get their own name. They also included the first@last....
6
votes
2
answers
2k
views
Designating A DKIM Signer Other Than The "From" Domain
A few months ago, I implemented SPF/DKIM/DMARC for my three-person company. After a trial period, I switched our DMARC to "p=reject", so that emails are rejected if they fail SPF/DKIM. Generally, it ...
5
votes
2
answers
2k
views
Turn off DMARC report for pass
I would like to receive reports only for DMARC quarantined mail and failures, but I still receive mails for every successful e-mail that has been sent from my server.
Configuration in dns looks like ...
5
votes
2
answers
17k
views
how to configuration dkim on exchange email server
Mails sent from our internal email server to public servers such as Gmail, Yahoo and all other external organizations are delivering to spam. We currently use exchange server, in order to tackle above ...
5
votes
1
answer
6k
views
why is this DMARC failing verification?
I get a 6.1/10 score on mail-tester.com, where the DMARC verification is the only relevant penalty (-3).
* Your DKIM signature is valid
* Your message failed the DMARC verification
A DMARC policy ...
5
votes
1
answer
7k
views
Is it a DMARC failure if disposition=none & dkim=fail?
When I get one of these DMARC reports from Google is it because there is a problem? Or is it standard protocol. I am curious because I sent one test email and got this DMARC report to abuse@...
5
votes
1
answer
3k
views
DMARC strict vs relaxed alignment?
I've been configuring DNS records for a mail server and got stuck when it came to DMARC's alignments.
I know that both relaxed and strict are valid options, as well as relaxed being default setting. ...
5
votes
1
answer
14k
views
Improve Spam Confidence Level (SCL) for outgoing emails
I have a postfix SMTP server on Ubuntu. I have valid SPF and DKIM records, as verified by the email header my customer received.
Authentication-Results: spf=pass (sender IP is XXX.XXX.XXX.XXX)
...
5
votes
1
answer
2k
views
NOT receiving DMARC reports from AOL / HOTMAIL / MSN / OUTLOOK / LIVE
My DMARC DNS record looks like this: (domain name is redacted)
_dmarc.domain.com TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; rf=afrf;
pct=100; ri=...
4
votes
2
answers
3k
views
How can you tell the difference between rua and ruf DMARC reports?
I have a client that's receiving DMARC reports from various providers however the reports indicate that all checks 'PASS' and all DMARC/DKIM/SPF checking tools indicate the DMARC records are fine. ...
4
votes
2
answers
3k
views
Only enable SRS when forwarding to enable DMARC
I am setting up a mail server on my VPS and in order to prevent spam and being marked as spam I have enabled SPF, DKIM and DMARC. However, I do not want to host my own mailbox, so I forward the ...
4
votes
1
answer
2k
views
correct order for Postfix milters
I use the following milters with Postfix:
ClamAV, OpenDKIM, OpenDMARC, Rspamd
This is also the order they are being called via smtpd_milters.
What would be the best order for them regarding ...
4
votes
1
answer
3k
views
DMARC 'sampled out' policy override effect in GMail server
Anyone know what actually a sampled out override reason mean in DMARC aggregated daily reports? I only get those from GMail and recently I've got some complains of undelivered messages from recipients ...
4
votes
1
answer
2k
views
How to prevent emails from my domain through mailing lists to be rejected due to DMARC
I operate my own mail server at speedofsoundgaming.com and mwtd.net. I recently added a DMARC record to my domain to help prevent spam, and once seeing that things seemed to be working, upped the ...
4
votes
1
answer
2k
views
DMARC failing on Mailgun when forwarding occurs
We recently increased to a quarantine policy and are thinking of going to reject - but we stumbled across an issue we can't seem to identify a root cause for. Specifically, forwarded e-mails appear to ...
4
votes
1
answer
279
views
How to recover domain name from previous bad SPF record?
TL;DR: We had SPF too permissive (+all) and spammers used this to send tons of spam "from" our domain. We restricted that to ~all and added DMARC (not DKIM though), now other providers do not trust ...
4
votes
1
answer
6k
views
DMARC is blocking email that seems like it should be allowed
This is the DMARC record we have set
v=DMARC1; p=reject; rua=mailto:[redacted]@coinbase.com; adkim=r; aspf=s
So we are rejecting any not match with SPF strictly, and DKIM is relaxed.
Here is the ...
3
votes
4
answers
413
views
Why use DMARC when SPF -all can do the job?
With DMARC I can set the policy to rejct mail.
But isn’t it the same I can do with -all from within a SPF?
Same goes for quarantine and a softfail ~all.
Beside the reporting where is the benefit ...
3
votes
2
answers
6k
views
SPF and DKIM help: Do the FAIL reports from DMARC indicate an issue?
I am having trouble determining if my SPF and DKIM are configured properly. Here are key details:
My domain is mysteryscience.com
We send mail from google apps, from SendGrid, and from Intercom. All ...
3
votes
1
answer
533
views
How to get SPF alignment to pass DMARC for a subdomain?
I have the following DNS configuration:
$ dig +noall +answer -t txt example.com
example.com. 626 IN TXT "v=spf1 +a +mx include:sendgrid.net include:_spf.google.com -all"
$ dig +noall +...
3
votes
1
answer
294
views
When using a subdomain with DMARC configured to send RUA, is it necessary to add DMARC reports TXT record?
If I send an email from [email protected] with [email protected] in the DMARC record of subdomain.example.com, is it necessary to create a DMARC reports TXT record (e.g., subdomain....