Questions tagged [dmarc]
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.
253
questions
12
votes
4
answers
8k
views
Why is my opendmarc failing pretty much everything that comes through?
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:
example.com. 600 IN MX ...
1
vote
1
answer
2k
views
Can I bypass SPF restrictions by using an SMTP envelope FROM with another domain that has either no SPF record or an invalid one
Consider DMARC record:
v=DMARC1;p=reject;rua=mailto:xyz;ruf=mailto:xyz;adkim=s;aspf=s;pct=100;fo=1;sp=reject
Also consider domain example.com with a TXT record:
v=spf1 include:_spf.google.com -...
1
vote
1
answer
3k
views
Can one bypass DMARC policy DKIM requirements simply by not using DKIM or by using an SMTP envelope with a valid DKIM for the envelope from domain
Am I right to say that DMARC has no way to say "all emails must be signed". My understanding here is that I can specify that I want DKIM to be either lax or strict - which I understand to mean that, ...
4
votes
1
answer
2k
views
DMARC failing on Mailgun when forwarding occurs
We recently increased to a quarantine policy and are thinking of going to reject - but we stumbled across an issue we can't seem to identify a root cause for. Specifically, forwarded e-mails appear to ...
2
votes
1
answer
3k
views
Postfix: Managing Subdomain DMARC, DKIM, and SPF when bounce emails come from the null sender "<>"
I have several postfix servers that send mail on behalf of my domain (example.com). When a from address is provided, DKIM and SPF pass properly. However, I noticed in my DMARC notifications there are ...
2
votes
2
answers
3k
views
Shouldn't Gmail fail this message using DMARC due to bad alignment?
I had a test run against our mail server to see if the From header could be spoofed, which I expected to fail. We have SPF, DKIM, and DMARC all set up correctly, as far as I can tell. However, the ...
1
vote
1
answer
2k
views
using _report._dmarc. records with sub.domains
I have a sub.domain sending emails.
From: [email protected]
I have set up the following DMARC record.
_DMARC.sub.example.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=...
1
vote
2
answers
309
views
Web-generated emails not compliant with DMARC
We have a classified ads website. Buyers can contact sellers. The message is directly generated on the site (php7) and sent to the user by email.
If we follow the recommandations from openspf, we ...
1
vote
1
answer
308
views
Seemingly valid SRS-processed message is being rejected by gmail servers
I have a virtual private server with its own IP and have configured SPF, DKIM, DMARC, SRS (with postsrsd) and all that jazz. Let's call it domainut.com.
Most things are working, mail is being ...
4
votes
1
answer
279
views
How to recover domain name from previous bad SPF record?
TL;DR: We had SPF too permissive (+all) and spammers used this to send tons of spam "from" our domain. We restricted that to ~all and added DMARC (not DKIM though), now other providers do not trust ...
2
votes
2
answers
565
views
Setup DKIM record without server signing
I'm using on one of my domains as hosting provider 101domain.
I know that they don't have a good reputation, but since I have two sites to manage and one of them has multiple ccTLDS domains I wanted ...
10
votes
2
answers
6k
views
DMARC and DKIM alignment with multiple DKIM signatures
If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check?
Does ANY passing DKIM signature d= parameter have to match Header From?
or
Does the ...
2
votes
1
answer
2k
views
Why is OpenDMARC using my (the recipients) configuration for incoming mail?
Recently I've had some incoming emails be rejected by my mail server for failing DMARC checks. Upon closer inspection I noticed that the logs mentioned that the rejection was because OpenDMARC was ...
2
votes
1
answer
2k
views
DMARC fails on forwarded mails without DKIM
I am running a mail server (postfix) on a VPS that is set up to forward all mail sent to an address in my private domain to a GMail address. SPF, SRS, DKIM, and DMARC are set up for my mail server and ...
0
votes
0
answers
1k
views
DMARC permission to receive all reports on an external subdomain
I'd like to set up a DMARC record so that I can receive reports on an external subdomain. To be specific, I have a domain called send.com which sends emails and is monitored by DMARC. The aggregate ...
0
votes
1
answer
3k
views
Mail tester have 10 score, but email flagged as spam, by gmail
I have setup an smtp postfix server, with opendkim, on a domain code-gmail.com
I have put spf policy, dkim, dmarc in my domain TXT recors. I did setup reverse dns, to point correctly do my domain, i ...
1
vote
0
answers
2k
views
SPF softfail on gmail
I'm trying to setup my own smtp server with postfix and opendkim. I have publsished spf/dmarc/dkim recors, set up ptr. But currently, all my mail with any text goes into gmail spam folder. I have ...
1
vote
1
answer
198
views
How to setup SPF and DMARC for satellite hosts?
If I send mail directly from relay host - everything works like a charm. All checks are passed.
Delivered-To: [email protected]
Received: by 10.100.182.171 with SMTP id t40csp2626933pjb;
Thu, 26 ...
2
votes
3
answers
5k
views
DMARC record not found
I'm trying to set up DKIM, SPF and DMARC on my mail server. Although DKIM and SPF work fine (as reported by [email protected]) i can't seem to get DMARC to work.
Both mxtoolbox.com and ...
0
votes
1
answer
296
views
No protection for gmail spoofing?
Somebody can verify that gmail's SPF and DMARC records are:
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
"v=DMARC1; p=none; ...
0
votes
1
answer
79
views
Business email alias hijacked
One of the clients I work for has a [email protected] account. I believe it's an alias, and I got an email signing up for a random site (it's a legit site) presumably to test that someone had access to it....
2
votes
1
answer
1k
views
Checking DMARC Non-compliance, 4 Examples
We have set up DMARC and have been getting reports (policy is still set as "none"). I loaded them up in the DMARC XML-to-Human Converter (dmarcian.com) and most look great and 100% compliance. But we ...
0
votes
1
answer
3k
views
Bounced Incoming E-Mail in Gmail because of failed DMARC verification
gmail-smtp-in.l.google.com[2a00:1450:400c:c09::1a] said: 550-5.7.1
Unauthenticated email from example.com is not accepted due to 550-5.7.1
domain's DMARC policy. Please contact the administrator of ...
1
vote
0
answers
992
views
mail ends in google spam folder while SPF pass, DKIM pass, DMARC pass
I am trying to send basic mail to a gmail user test and the mail ends up in the spam folder. I don't really understand why. I used to send through ubuntu sendmail, spent a lot of time setting up ...
6
votes
1
answer
3k
views
Is GMAIL incorrectly failing SPF?
0365 mail users are encouraged to use include:spf.protection.outlook.com -all in their SPF record.
I have followed this guidance. My company's spf record says:
v=spf1 include:spf.protection.outlook....
1
vote
1
answer
503
views
DMARC report: SPF fails with mx-domain as spf-domain in auth_result
I have setup a mail server with several postoffices/domains. DKIM, SPF and DMARC are setup for every domain. For the mailserver domain, which is a postoffice as well, I get weird DMARC reports, where ...
3
votes
1
answer
1k
views
SPF and DKIM pass, but DMARC fails for source_ip
I have configured our DMARC policy to quarantine and our domain SPF and DKIM are configured appropriately. The SPF record is as follows:
v=spf1 +a +mx +include:sendgrid.net -all
However this is the ...
3
votes
1
answer
1k
views
Postfix setup with different domain name, reverse lookup and SPF
I would like to set up Postfix properly to serve multiple virtual domains while complying to all standards and being able to enable security measures like SPF.
The server has the hostname server....
0
votes
2
answers
957
views
After adding authentication to mail server, can't connect for SMTP
Up to yesterday, my mail server (at mail.simunomics.com) was functioning properly with regards to my mail clients - sending and receiving. However, it was not authenticating properly with recipient ...
0
votes
1
answer
6k
views
Why my DMARC are not giving permission for reports?
In all servers I have a DMARC record for sernd email in ahother domain in my WHM , but when test with mxtoolbox show this error : 'DMARC are not giving permission for your reports' this is the ...
5
votes
1
answer
2k
views
NOT receiving DMARC reports from AOL / HOTMAIL / MSN / OUTLOOK / LIVE
My DMARC DNS record looks like this: (domain name is redacted)
_dmarc.domain.com TXT "v=DMARC1; p=none; sp=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; rf=afrf;
pct=100; ri=...
2
votes
1
answer
955
views
SPF,DKIM Failure and outcome
I have been doing a lot of reading around SPF, DKIM and DMARC and i think i have digested most of the information and how all three work in the email world. However one question i couldn't find is, ...
1
vote
1
answer
3k
views
Opendmarc connection refused for milter
Debian stretch.
Postfix + dkim + dmarc.
Opendmarc is not working. I'm getting:
Nov 26 10:36:07 mail postfix/smtpd[30012]: warning: connect to Milter service inet:localhost:8893: Connection ...
1
vote
1
answer
529
views
Where ARC public key is stored?
Where ARC public key is stored? For DKIM it is [selector]._domainkey.example.org. But for ARC? Is it the same as DKIM and holds in TXT query for domain mentioned above?
Thank you.
0
votes
1
answer
82
views
DMARC un-aligned, by business necessity?
I'm new to DMARC so this may be a silly question (sorry if it is):
Base facts: My company has a primary name and many other "doing business as" (DBA from here on) partnerships. However each of these ...
2
votes
1
answer
838
views
Disable DKIM in exim for mailing lists
I am subscribed to a number of mailing lists that don't remove my DKIM signature but mutate messages (change From) and add their own DKIM. Resulting messages have 2 DKIM signatures, one failing and ...
1
vote
1
answer
2k
views
DMARC and RFC2298 compliant MDNs with a null MailFrom... Can it work?
This is an issue we're seeing with Exchange Online but it would be an issue with most hosted email I suspect. When Office 365 / Exchange Online sends an automatic reply (Out of Office for example) it ...
10
votes
2
answers
4k
views
DMARC reporting unexpected SPF IP but DKIM still passes
I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant).
Recently I decided to enabled DMARC ...
2
votes
1
answer
271
views
Does bad domain reputation damage IP reputation?
Recently our mail server's reputation has been down rated by Hotmail, according to postmaster/live SNDS-service (from green to yellow and a single day in red). Therefore, me and my colleagues are now ...
-1
votes
2
answers
2k
views
DKIM and DMARC configuration
Guys i have some questions regarding DKIM and DMARC configurations. I tried finding the answers but it is not clear.
1) Does it involve DNS server configuration only or there is additional ...
6
votes
7
answers
4k
views
What format are DMARC dates?
I have a DMARC report that includes:
<date_range>
<begin>1500249600</begin>
<end>1500335999</end>
</date_range>
How do I convert the dates to something human?
3
votes
1
answer
389
views
How do I respond to DMARC Forensic Reports
I have just received a DMARC forensic report from Hotmail/Microsoft. My SPF policy seems to have successfully blocked the offending email. I have also blocked the offending IP using IPTables (just in ...
1
vote
1
answer
1k
views
DKIM for "From" domain or MX domain?
My server is handling mail for several virtual users and domains. The SPF records of the domains state that only the MX server is allowed to send mail (v=spf1 mx -all) and this MX server is a generic ...
0
votes
1
answer
299
views
DMARC report. A server sending mail/impersonating my domain?
I've recently set up DMARC, SPF and DKIM. I'm now checking all DMARC reports I'm receiving.
I've noticed the below entry which looks like an IP which is outside my control (the other IPs mentioned I ...
2
votes
1
answer
688
views
How to improve DMARC Compliance?
I've been monitoring our DMARC compliance with policy "p=none" for a month or two using both dmarcian and dmarcanalyzer. I've noticed that when we send a large email marketing campaign (10k+ emails), ...
0
votes
2
answers
598
views
DNS record check requested (spf, dkim, dmarc)
Is below correctly setup? I have 1 A record mydomain.com pointing to an ip address. I have a subdomain called www.mydomain.com that also has the PTR record for the ip address (because i'm also going ...
5
votes
2
answers
17k
views
how to configuration dkim on exchange email server
Mails sent from our internal email server to public servers such as Gmail, Yahoo and all other external organizations are delivering to spam. We currently use exchange server, in order to tackle above ...
1
vote
1
answer
357
views
What does a failed SPF record tell me from a DMARC Aggregate report?
I have been trying to find a straightforward answer to this, but I have been having no luck. I also tried asking on the security focused Stackexchange site, but had no luck there is well. I am hoping ...
0
votes
1
answer
65
views
How do email domains of From and Email Authentications (SPF, DKIM, etc) get compared by an email client?
Most of email clients shows "on behalf", "via" suffixes next to "From" email address if its domain differs from domains of Email Authentications ("Return-Path" email's domain for SPF, "d=" key value ...
0
votes
1
answer
2k
views
How to use Cloudflare CNAME to have a unified DMARC policy?
According to DMARC FAQ it's possible to have a single policy for multiple domains, and that all tools refer to this main policy:
How can I put DMARC records on many domains at once?
Some ...