Questions tagged [dmarc]
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.
253
questions
2
votes
3
answers
3k
views
AWS SES requirements on custom MAIL FROM domain
According to the docs, AWS SES has some requirements on what is an allowable MAIL FROM domain:
The subdomain you use for your MAIL FROM domain has to meet the following requirements:
The MAIL FROM ...
2
votes
1
answer
957
views
DKIM Key Rotation Best Practices
Do you find it necessary to regenerate your DKIM keys every 1-6 months to avoid your mail going into the receiving servers' junk mail folder?
Some guides recommend this, some even say it's "Best ...
0
votes
1
answer
109
views
How does Dmarc alignment protect against anything?
I am specifically referring to Dmarc SPF alignment.
To get a Dmarc pass result, all it takes is that either SPF or DKIM aligns.
Let us say that I am an attacker, and try to impersonate abc.com.
I have ...
0
votes
2
answers
411
views
Some clear instructions on writing the DMARC record
I have been under some pressure to produce the DMARC record for one of our customers. Unfortunately, they do not give me access to the domain vendor and instead repeatedly ask "What should they ...
-2
votes
1
answer
801
views
My OpenDMARC is rejecting emails from firefox.com . Is their SPF record correct? Or am I wrong?
Why is opendmarc rejecting mail from firefox.com? It looks like their SPF record matches their sending address and does pass:
v=spf1 mx a include:amazonses.com include:mail.zendesk.com -all
/var/log/...
1
vote
1
answer
3k
views
emails to Yahoo are ending up in SPAM folder despite spf=pass, dkim=pass and dmarc=pass
Are we possibility having a reputation problems with Yahoo emails?
Yahoo raw mail header finds my policy I published: dmarc=success(p=REJECT,sp=REJECT)
Emails to clients at Google and Outlook are not ...
5
votes
1
answer
7k
views
Is it a DMARC failure if disposition=none & dkim=fail?
When I get one of these DMARC reports from Google is it because there is a problem? Or is it standard protocol. I am curious because I sent one test email and got this DMARC report to abuse@...
1
vote
1
answer
809
views
Why is opendmarc SPF failing this arriving message?
Why is this incoming message failing?
postfix/smtpd[4776]: connect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73]
postfix/smtpd[4776]: Anonymous TLS connection established ...
0
votes
1
answer
137
views
VERP: rewrite from header of NDR?
We provide cmail delivery for external clients from several different domains.
We rewrite the envelope sender (AKA: "SMTP MAIL FROM","Return-Path" ) using a form of VERP. Thus we ...
2
votes
1
answer
1k
views
Is SPF alignment important with DMARC?
When setting up a DMARC policy for an organization, is it important at all to have SPF alignment?
I've gathered that:
Most email service providers support DKIM for a custom domain.
Not all email ...
1
vote
1
answer
740
views
Postfix send mail only to GMail, all other domains are deferred and not sended
My Postfix server is running on Debian Stretch. It is able to send emails to a GMail address without problems which are not considered as spam. At the DNS level I configured DKIM, SPF and DMARC and ...
0
votes
1
answer
218
views
Can I DKIM sign my email without running a server daemon just for that?
I have an email server that is working perfectly.
However, more and more other email servers are getting strict about DKIM signing and DMARC records so I guess I need to finally set that up ...
I am ...
1
vote
1
answer
504
views
How to resolve "signing key too small" issue from mail-tester
We've recently been having some email delivery issues, so I find myself taking my first dive into the email server set-up world to make sure our emails are arriving as expected.
I ran mail-tester a ...
1
vote
4
answers
2k
views
Using SPF and DMARC records to combat invalid email subdomains
I have been able to confirm that bad actors are sending emails from nonexistent subdomains of my company's primary domain.
Let's say my primary domain is foo.com. Email is sent from that base ...
1
vote
1
answer
1k
views
Can I set dmarc to tell receiver to fail if no DKIM signature provided in email?
I set SPF, DKIM and DMARC for my email server. I build my own mail server on my personal computer.
Then I disable signing DKIM signature and send an email to Gmail. Gmail shows SPF pass and DMARC ...
2
votes
1
answer
258
views
what is the appropriate DMARC configuration for a domain that should fail hard on DKIM but soft on SPF
Messages sent by my domain will always be DKIM-signed and any that are not should be immediately discarded by recipients. But strict SPF enforcement leads to problems where internal mail-forwarding ...
0
votes
1
answer
183
views
SPF- and DKIM- align fails on a few emails from a larger batch
We are sending large numbers of emails (hundreds of thousands) mostly for our clients. Of course, we have configures SPF, DKIM, and DMARC records properly for all domains who use us. We pass all tests ...
2
votes
2
answers
6k
views
How do I whitelist another sender (e.g. Sendgrid) for DMARC?
We host our own e-mail but use Sendgrid to send mail on behalf of a few internal PHP services that can't easily handle our mail configuration (e.g. they disallow self-signed certs by default, so ...
5
votes
1
answer
3k
views
DMARC strict vs relaxed alignment?
I've been configuring DNS records for a mail server and got stuck when it came to DMARC's alignments.
I know that both relaxed and strict are valid options, as well as relaxed being default setting. ...
1
vote
1
answer
1k
views
dmarc is failing for alias domain hosted in AWS’s DNS-Route 53
We have a problem with _dmarc record for our alias domain.
We use AWS’s DNS-Route 53 and Google Apps.
When sending an email from the primary domain, _dmarc passes validation. But when sending from the ...
0
votes
1
answer
57
views
GSuite displaying "via" next to name after DNS change
After changing over to Cloudflare GSuite has been adding "via" next to the names of incoming emails. After a quick Google search I found this:
https://support.google.com/mail/answer/1311182?hl=en
...
-1
votes
1
answer
127
views
Does record domain "include:" also refers to subdomains?
I have a doubt setting up my SPF record. I would like to know if I set up an include record in the SPF record will also be "including" the subdomains of that principal domain that I have included?.
...
2
votes
2
answers
2k
views
Change DMARC Report frequency
My current record look like this:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; ri=604800
Still for some reason, I receive E-Mail from Google ...
1
vote
1
answer
940
views
DMARC Report: Sometimes DKIM Fails for Mail Server IP
What does it mean when some DMARC records indicate a failure for the correct server:
<record>
<row>
<source_ip>1.2.3.4</source_ip>
<count>8</count&...
8
votes
2
answers
14k
views
Email server: Remove rua from DMARC DNS entry or stop receiving DMARC reports
I have the following DNS entry for one of my clients email servers:
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
This is the only email server I'm administering, which has a ...
2
votes
3
answers
4k
views
Forwarding to Gmail doesn't work for emails from Microsoft.com due to DMARC, but works for PayPal.com
I've noticed that I'm not getting certain emails in my Gmail and Yandex.Mail that are forwarded via UNIX systems (without SRS — not too sure if Sender Rewriting Scheme is still the best practice? ...
1
vote
2
answers
3k
views
How to set Exim envelope domain to From domain
I've set up DKIM on Exim with the domain set like:
DKIM_DOMAIN = ${sender_address_domain}
However, the domain is always set to the same domain (my primary domain), which causes DMARC validation to ...
0
votes
1
answer
591
views
How did this pass DKIM according to DMARC report?
I recently added a DMARC record for one of my domains. Let's call it mydomain.com:
v=DMARC1;p=none;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1"
I have been ...
0
votes
2
answers
846
views
Further understanding of SPF, DKIM, and DMARC
I've been trying to wrap my head around some of the information I've gathered online, and I was hoping for some clarification.
We are using Office 365, for our email server.
A.) Are SPF records and ...
2
votes
2
answers
8k
views
How to read this DMARC report? Why does Yahoo still reject mails from my server?
I've got hMailServer set up on my server, which bulks-mails a newsletter to an opt-in subscriber base. I have set up DKIM signing, a SPF record explicitly giving my server permission to send email on ...
3
votes
0
answers
229
views
Using DMARC techniques to block Backscatter
We run a small email (receiving not bulk sending) service (~ 300 domains or so) for our customers and are just starting to introduce DMARC. One of the reasons for doing so is to help stop backscatter ...
1
vote
1
answer
977
views
Gsuite DMARC SPF Setup Failure
I'm using Gsuite with our own domain name "audacy.space". I've setup DMARC, DKIM and SPF, and both DMARC Analyzer and Google's Mx Tool report no problems for the domain. However, our weekly DMARC ...
0
votes
2
answers
919
views
Emails fail DMARC check despite having the sender IP in SPF
I have the following DMARC record set up:
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=0:1:d:s
I have the following SPF record set up:
v=spf1 mx -all
the ...
0
votes
1
answer
665
views
dmarc. Why do I receive failed SPF or DKIM authentication reports for forwarders?
I set _dmarc to see my email authentication reports (in case it fails).
like that
"v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]"
And I receive these reports form Google.
a ...
1
vote
2
answers
1k
views
SPF authentication mixed pass/fail without SPF record, in DMARC report [duplicate]
I have attached a DMARC report for my domain (this one sent from google). It correctly shows only mail sent from my mta (amazon ses) as passing the DMARC compliance. And the DKIM portion also shows ...
0
votes
0
answers
325
views
Mail issues only with Google App domains
I have a local mail server set up. It is connected via a dedicated IP (with an appropriate PTR record). I have DKIM, DMARC, and SPF set up.
My domain has been added to Google's Postmaster Tools and ...
1
vote
1
answer
145
views
Is it possible to configure DMARC to only receive reports for main domain and not sub domains?
The question is pretty much in the title.
I have a domain, which has a subdomain with it's own DMARC record. The subdomain marketing.xxx.com is managed by a third-party and they handle the DMARC ...
8
votes
2
answers
3k
views
DMARC test failed but we didn't find any obvious reason why; DMARC not passing while SPF and DKIM do
About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am ...
1
vote
1
answer
271
views
How to install opendmarc on Debian Wheezy
How can I install opendmarc on Debian Wheezy?
I have tried:
~ $ echo 'deb http://ftp.debian.org/debian wheezy-backports main contrib' >> /etc/apt/sources.list
~ $ apt-get update
~ $ apt-get ...
1
vote
1
answer
4k
views
Whats the purpose of getting daily DMARC reports from google about my Mail Server?
I've been getting DMARC reports from google everyday after setting this up on my domain to prevent domain spoofing. Do I really need to have this daily report? I've never opened the attached zip file ...
2
votes
1
answer
1k
views
OpenDMARC with multiple MX: correct setup for trust between servers
There are many tutorials on how to setup OpenDMARC on your favorite flavor of Linux, but they all focus on single server configurations. My goal was to keep backup secondary MX servers, but enforce ...
2
votes
2
answers
3k
views
Why am I only receiving DMARC aggregate reports from Google?
I have configured SPF, DKIM, and DMARC for a couple of domains that use G Suite as an email/office suite provider. Everything is looking great so far, except for some reason Google is the only ...
3
votes
4
answers
413
views
Why use DMARC when SPF -all can do the job?
With DMARC I can set the policy to rejct mail.
But isn’t it the same I can do with -all from within a SPF?
Same goes for quarantine and a softfail ~all.
Beside the reporting where is the benefit ...
-1
votes
1
answer
327
views
I have set the DKIM record but my emails is not signed?
I have set the DKIM record on my DNS server provider (Cloudflare) and i tested it using different online tools which all says that my dkim record is valid but all my messages i sent dont have DKIm ...
2
votes
1
answer
381
views
DMARC <policy_evaluated> SPF fails when using PostSRSD
I am running a mailserver under example.com that serves emails for a couple of domains. As my server does not have a mailbox, all the emails it receives are forwarded to particular Gmail accounts. To ...
8
votes
1
answer
5k
views
Not receiving any RUF DMARC reports (forensic) but are getting RUA (agg reports)
For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though ...
2
votes
1
answer
2k
views
DMARC Failing cant figure out why
When sending a message from salesforce.com through my companies domain surgishop.com I am getting a DMARC fail. I believe I have SPF and DKIM correctely configured but could use some help on figureing ...
1
vote
1
answer
2k
views
Does an SPF SoftFail trigger DMARC reject
I've googled around and even tried to find the answer in the RFC to this one.
For this question, let's assume DKIM will always fail and leave it out of the picture.
If the DMARC policy is p=reject ...
2
votes
2
answers
360
views
SPF and DMARC - is spf policy used?
I understand how SPF is involved with DMARC alignment, but one thing I can't get clear: is the SPF policy (-all or ~all) used in DMARC? Or does DMARC merely use the IP ranges?
The issue is, that as ...
1
vote
0
answers
2k
views
What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?
This is a follow-up from "Why is my opendmarc failing pretty much everything that comes through?". I'm really struggling to understand what is going on.
Outgoing mail is verified correctly by the ...