Skip to main content

Questions tagged [dmarc]

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.

Filter by
Sorted by
Tagged with
2 votes
3 answers
3k views

AWS SES requirements on custom MAIL FROM domain

According to the docs, AWS SES has some requirements on what is an allowable MAIL FROM domain: The subdomain you use for your MAIL FROM domain has to meet the following requirements: The MAIL FROM ...
user2959071's user avatar
2 votes
1 answer
957 views

DKIM Key Rotation Best Practices

Do you find it necessary to regenerate your DKIM keys every 1-6 months to avoid your mail going into the receiving servers' junk mail folder? Some guides recommend this, some even say it's "Best ...
Jeff's user avatar
  • 1,436
0 votes
1 answer
109 views

How does Dmarc alignment protect against anything?

I am specifically referring to Dmarc SPF alignment. To get a Dmarc pass result, all it takes is that either SPF or DKIM aligns. Let us say that I am an attacker, and try to impersonate abc.com. I have ...
pHeoz's user avatar
  • 163
0 votes
2 answers
411 views

Some clear instructions on writing the DMARC record

I have been under some pressure to produce the DMARC record for one of our customers. Unfortunately, they do not give me access to the domain vendor and instead repeatedly ask "What should they ...
Disasterkid's user avatar
-2 votes
1 answer
801 views

My OpenDMARC is rejecting emails from firefox.com . Is their SPF record correct? Or am I wrong?

Why is opendmarc rejecting mail from firefox.com? It looks like their SPF record matches their sending address and does pass: v=spf1 mx a include:amazonses.com include:mail.zendesk.com -all /var/log/...
Andrew's user avatar
  • 145
1 vote
1 answer
3k views

emails to Yahoo are ending up in SPAM folder despite spf=pass, dkim=pass and dmarc=pass

Are we possibility having a reputation problems with Yahoo emails? Yahoo raw mail header finds my policy I published: dmarc=success(p=REJECT,sp=REJECT) Emails to clients at Google and Outlook are not ...
MeSo2's user avatar
  • 274
5 votes
1 answer
7k views

Is it a DMARC failure if disposition=none & dkim=fail?

When I get one of these DMARC reports from Google is it because there is a problem? Or is it standard protocol. I am curious because I sent one test email and got this DMARC report to abuse@...
mister mcdoogle's user avatar
1 vote
1 answer
809 views

Why is opendmarc SPF failing this arriving message?

Why is this incoming message failing? postfix/smtpd[4776]: connect from mail-mw2nam10on2073.outbound.protection.outlook.com[40.107.94.73] postfix/smtpd[4776]: Anonymous TLS connection established ...
Andrew's user avatar
  • 145
0 votes
1 answer
137 views

VERP: rewrite from header of NDR?

We provide cmail delivery for external clients from several different domains. We rewrite the envelope sender (AKA: "SMTP MAIL FROM","Return-Path" ) using a form of VERP. Thus we ...
Jasen's user avatar
  • 946
2 votes
1 answer
1k views

Is SPF alignment important with DMARC?

When setting up a DMARC policy for an organization, is it important at all to have SPF alignment? I've gathered that: Most email service providers support DKIM for a custom domain. Not all email ...
Ralf's user avatar
  • 179
1 vote
1 answer
740 views

Postfix send mail only to GMail, all other domains are deferred and not sended

My Postfix server is running on Debian Stretch. It is able to send emails to a GMail address without problems which are not considered as spam. At the DNS level I configured DKIM, SPF and DMARC and ...
Zetam's user avatar
  • 11
0 votes
1 answer
218 views

Can I DKIM sign my email without running a server daemon just for that?

I have an email server that is working perfectly. However, more and more other email servers are getting strict about DKIM signing and DMARC records so I guess I need to finally set that up ... I am ...
user227963's user avatar
1 vote
1 answer
504 views

How to resolve "signing key too small" issue from mail-tester

We've recently been having some email delivery issues, so I find myself taking my first dive into the email server set-up world to make sure our emails are arriving as expected. I ran mail-tester a ...
Vincent's user avatar
  • 111
1 vote
4 answers
2k views

Using SPF and DMARC records to combat invalid email subdomains

I have been able to confirm that bad actors are sending emails from nonexistent subdomains of my company's primary domain. Let's say my primary domain is foo.com. Email is sent from that base ...
CaptainZack's user avatar
1 vote
1 answer
1k views

Can I set dmarc to tell receiver to fail if no DKIM signature provided in email?

I set SPF, DKIM and DMARC for my email server. I build my own mail server on my personal computer. Then I disable signing DKIM signature and send an email to Gmail. Gmail shows SPF pass and DMARC ...
Rick's user avatar
  • 349
2 votes
1 answer
258 views

what is the appropriate DMARC configuration for a domain that should fail hard on DKIM but soft on SPF

Messages sent by my domain will always be DKIM-signed and any that are not should be immediately discarded by recipients. But strict SPF enforcement leads to problems where internal mail-forwarding ...
Glyph's user avatar
  • 251
0 votes
1 answer
183 views

SPF- and DKIM- align fails on a few emails from a larger batch

We are sending large numbers of emails (hundreds of thousands) mostly for our clients. Of course, we have configures SPF, DKIM, and DMARC records properly for all domains who use us. We pass all tests ...
TomS's user avatar
  • 181
2 votes
2 answers
6k views

How do I whitelist another sender (e.g. Sendgrid) for DMARC?

We host our own e-mail but use Sendgrid to send mail on behalf of a few internal PHP services that can't easily handle our mail configuration (e.g. they disallow self-signed certs by default, so ...
Will Matheson's user avatar
5 votes
1 answer
3k views

DMARC strict vs relaxed alignment?

I've been configuring DNS records for a mail server and got stuck when it came to DMARC's alignments. I know that both relaxed and strict are valid options, as well as relaxed being default setting. ...
user avatar
1 vote
1 answer
1k views

dmarc is failing for alias domain hosted in AWS’s DNS-Route 53

We have a problem with _dmarc record for our alias domain. We use AWS’s DNS-Route 53 and Google Apps. When sending an email from the primary domain, _dmarc passes validation. But when sending from the ...
Caroline Oliva's user avatar
0 votes
1 answer
57 views

GSuite displaying "via" next to name after DNS change

After changing over to Cloudflare GSuite has been adding "via" next to the names of incoming emails. After a quick Google search I found this: https://support.google.com/mail/answer/1311182?hl=en ...
Tony's user avatar
  • 1
-1 votes
1 answer
127 views

Does record domain "include:" also refers to subdomains?

I have a doubt setting up my SPF record. I would like to know if I set up an include record in the SPF record will also be "including" the subdomains of that principal domain that I have included?. ...
Santiago's user avatar
2 votes
2 answers
2k views

Change DMARC Report frequency

My current record look like this: v=DMARC1; p=quarantine; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100; ri=604800 Still for some reason, I receive E-Mail from Google ...
user avatar
1 vote
1 answer
940 views

DMARC Report: Sometimes DKIM Fails for Mail Server IP

What does it mean when some DMARC records indicate a failure for the correct server: <record> <row> <source_ip>1.2.3.4</source_ip> <count>8</count&...
Louis Waweru's user avatar
8 votes
2 answers
14k views

Email server: Remove rua from DMARC DNS entry or stop receiving DMARC reports

I have the following DNS entry for one of my clients email servers: _dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]" This is the only email server I'm administering, which has a ...
manifestor's user avatar
  • 6,469
2 votes
3 answers
4k views

Forwarding to Gmail doesn't work for emails from Microsoft.com due to DMARC, but works for PayPal.com

I've noticed that I'm not getting certain emails in my Gmail and Yandex.Mail that are forwarded via UNIX systems (without SRS — not too sure if Sender Rewriting Scheme is still the best practice? ...
cnst's user avatar
  • 14.4k
1 vote
2 answers
3k views

How to set Exim envelope domain to From domain

I've set up DKIM on Exim with the domain set like: DKIM_DOMAIN = ${sender_address_domain} However, the domain is always set to the same domain (my primary domain), which causes DMARC validation to ...
Sam Bull's user avatar
  • 323
0 votes
1 answer
591 views

How did this pass DKIM according to DMARC report?

I recently added a DMARC record for one of my domains. Let's call it mydomain.com: v=DMARC1;p=none;rua=mailto:[email protected];ruf=mailto:[email protected];fo=1" I have been ...
Mike's user avatar
  • 689
0 votes
2 answers
846 views

Further understanding of SPF, DKIM, and DMARC

I've been trying to wrap my head around some of the information I've gathered online, and I was hoping for some clarification. We are using Office 365, for our email server. A.) Are SPF records and ...
level42's user avatar
  • 209
2 votes
2 answers
8k views

How to read this DMARC report? Why does Yahoo still reject mails from my server?

I've got hMailServer set up on my server, which bulks-mails a newsletter to an opt-in subscriber base. I have set up DKIM signing, a SPF record explicitly giving my server permission to send email on ...
Shaul Behr's user avatar
3 votes
0 answers
229 views

Using DMARC techniques to block Backscatter

We run a small email (receiving not bulk sending) service (~ 300 domains or so) for our customers and are just starting to introduce DMARC. One of the reasons for doing so is to help stop backscatter ...
Rob Lambden's user avatar
1 vote
1 answer
977 views

Gsuite DMARC SPF Setup Failure

I'm using Gsuite with our own domain name "audacy.space". I've setup DMARC, DKIM and SPF, and both DMARC Analyzer and Google's Mx Tool report no problems for the domain. However, our weekly DMARC ...
AudRE's user avatar
  • 11
0 votes
2 answers
919 views

Emails fail DMARC check despite having the sender IP in SPF

I have the following DMARC record set up: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; sp=none; fo=0:1:d:s I have the following SPF record set up: v=spf1 mx -all the ...
SaidAlbahri's user avatar
0 votes
1 answer
665 views

dmarc. Why do I receive failed SPF or DKIM authentication reports for forwarders?

I set _dmarc to see my email authentication reports (in case it fails). like that "v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]" And I receive these reports form Google. a ...
Yevgeniy Afanasyev's user avatar
1 vote
2 answers
1k views

SPF authentication mixed pass/fail without SPF record, in DMARC report [duplicate]

I have attached a DMARC report for my domain (this one sent from google). It correctly shows only mail sent from my mta (amazon ses) as passing the DMARC compliance. And the DKIM portion also shows ...
TSG's user avatar
  • 1,852
0 votes
0 answers
325 views

Mail issues only with Google App domains

I have a local mail server set up. It is connected via a dedicated IP (with an appropriate PTR record). I have DKIM, DMARC, and SPF set up. My domain has been added to Google's Postmaster Tools and ...
Joseph's user avatar
  • 153
1 vote
1 answer
145 views

Is it possible to configure DMARC to only receive reports for main domain and not sub domains?

The question is pretty much in the title. I have a domain, which has a subdomain with it's own DMARC record. The subdomain marketing.xxx.com is managed by a third-party and they handle the DMARC ...
s1lv3r's user avatar
  • 1,155
8 votes
2 answers
3k views

DMARC test failed but we didn't find any obvious reason why; DMARC not passing while SPF and DKIM do

About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am ...
Vlastimil Burián's user avatar
1 vote
1 answer
271 views

How to install opendmarc on Debian Wheezy

How can I install opendmarc on Debian Wheezy? I have tried: ~ $ echo 'deb http://ftp.debian.org/debian wheezy-backports main contrib' >> /etc/apt/sources.list ~ $ apt-get update ~ $ apt-get ...
takeshin's user avatar
  • 1,491
1 vote
1 answer
4k views

Whats the purpose of getting daily DMARC reports from google about my Mail Server?

I've been getting DMARC reports from google everyday after setting this up on my domain to prevent domain spoofing. Do I really need to have this daily report? I've never opened the attached zip file ...
Patoshi パトシ's user avatar
2 votes
1 answer
1k views

OpenDMARC with multiple MX: correct setup for trust between servers

There are many tutorials on how to setup OpenDMARC on your favorite flavor of Linux, but they all focus on single server configurations. My goal was to keep backup secondary MX servers, but enforce ...
Esa Jokinen's user avatar
  • 50.2k
2 votes
2 answers
3k views

Why am I only receiving DMARC aggregate reports from Google?

I have configured SPF, DKIM, and DMARC for a couple of domains that use G Suite as an email/office suite provider. Everything is looking great so far, except for some reason Google is the only ...
Jeff's user avatar
  • 27
3 votes
4 answers
413 views

Why use DMARC when SPF -all can do the job?

With DMARC I can set the policy to rejct mail. But isn’t it the same I can do with -all from within a SPF? Same goes for quarantine and a softfail ~all. Beside the reporting where is the benefit ...
Gordo2019's user avatar
-1 votes
1 answer
327 views

I have set the DKIM record but my emails is not signed?

I have set the DKIM record on my DNS server provider (Cloudflare) and i tested it using different online tools which all says that my dkim record is valid but all my messages i sent dont have DKIm ...
Islam Mohamed's user avatar
2 votes
1 answer
381 views

DMARC <policy_evaluated> SPF fails when using PostSRSD

I am running a mailserver under example.com that serves emails for a couple of domains. As my server does not have a mailbox, all the emails it receives are forwarded to particular Gmail accounts. To ...
John Doe's user avatar
  • 365
8 votes
1 answer
5k views

Not receiving any RUF DMARC reports (forensic) but are getting RUA (agg reports)

For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though ...
James Gaul's user avatar
2 votes
1 answer
2k views

DMARC Failing cant figure out why

When sending a message from salesforce.com through my companies domain surgishop.com I am getting a DMARC fail. I believe I have SPF and DKIM correctely configured but could use some help on figureing ...
AHCB's user avatar
  • 23
1 vote
1 answer
2k views

Does an SPF SoftFail trigger DMARC reject

I've googled around and even tried to find the answer in the RFC to this one. For this question, let's assume DKIM will always fail and leave it out of the picture. If the DMARC policy is p=reject ...
Juicy's user avatar
  • 169
2 votes
2 answers
360 views

SPF and DMARC - is spf policy used?

I understand how SPF is involved with DMARC alignment, but one thing I can't get clear: is the SPF policy (-all or ~all) used in DMARC? Or does DMARC merely use the IP ranges? The issue is, that as ...
Halfgaar's user avatar
  • 8,234
1 vote
0 answers
2k views

What is wrong with this e-mail which is failing SPF(mailfrom) and DMARC?

This is a follow-up from "Why is my opendmarc failing pretty much everything that comes through?". I'm really struggling to understand what is going on. Outgoing mail is verified correctly by the ...
Morpheu5's user avatar
  • 279