0

I recently helped a friend implement DMARC/DKIM/SPF and got a report that makes no sense to me.

Their domain is hosted on SquareSpace, they use Google Apps for email, and Mailchimp for mailing lists. All of that stuff is configured correctly and is working well.

The oddity (to me) is as follows:

  1. They received a DMARC report from AmazonSES; this does not make sense to me as they don't have anything that sends through AmazonSES and I don't believe you can send TO an Amazon SES recipient. How can this happen?

  2. The DMARC report noted DKIM passing for both their domain (so the Google Apps integration is correct) but also {UNRELATED_DOMAIN}.onmicrosoft.com. The source IPs are all Microsoft servers. This makes no sense to me, as they don't knowingly use Microsoft. I also don't understand how a message could have a valid DKIM signature from both Google and Microsoft. I guess it is possible that Microsoft was somehow relaying a valid message that originated on Google, but I can't figure out how or why.

Any suggestions on helping me figure this out would be greatly appreciated. Thank you.

1
  • Please post the DMARC TXT record.
    – Paul
    Commented Jun 11 at 3:50

1 Answer

1

For the AmazonSES question: that just indicates that the report comes from / is generated by AmazonSES, not that the email that caused it was sent there specifically. E.g., it’s telling you the system that generated the report, not the domain that received the email. You’ll find that all DMARC reports relating to email that arrive on Amazon’s servers come from AmazonSES, including for instance if the recipient has their own domain, and hosts on Amazon AWS.

Or put another way, the sources of DMARC reports aren't the mail servers you / your friend use to send emails, they're the mail servers that receive emails reporting as coming from your domain, either hopefully confirming that the emails sent from the legitimate servers were accepted, or that the spam messages pretending to be from your domain but obviously originating from different servers have been rejected/quarantined/none, depending on how you've configured DMARC.

For the second question it’s hard to judge without the report itself, but are you saying it’s telling you an email came from two sources? As Paul mentioned, it’d be easier to judge and accurately help if you include the actual report details you’re referring to.

1
  • "including for instance if the recipient has their own domain, and hosts on Amazon AWS" Awesome. That makes sense now - but is misleading! I kept thinking "How does AmazonSES RECEIVE email?!?!" I would share the headers and domain if it were my own - but my friends are a little eccentric. What I can share is that the AmazonSES report had a source IP at MSFT (40.95.32.6) and a DKIM PASS for both {UNKNOWN}.onmicrosoft.com AND their own domain. Thanks for the explanation.
    Commented Jun 13 at 18:32
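
The fields discussed in this thread, shown as an added example that is not part of the original question, answer or comments: a Python reader for an RFC 7489 aggregate report that separates the reporter (`org_name`) from the sending `source_ip` and lists every DKIM signature with its alignment to the From domain. The report is constructed; `example.org` and `unrelated.onmicrosoft.com` are placeholders, and `aligned()` and `summarize()` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate layout. example.org and
# unrelated.onmicrosoft.com are placeholders, not values from the thread.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>AmazonSES</org_name></report_metadata>
  <policy_published><domain>example.org</domain></policy_published>
  <record>
    <row>
      <source_ip>40.95.32.6</source_ip><count>1</count>
      <policy_evaluated><dkim>pass</dkim></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.org</domain><result>pass</result></dkim>
      <dkim><domain>unrelated.onmicrosoft.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
</feedback>"""


def aligned(signing_domain, header_from):
    """Relaxed alignment, approximated without a public suffix list.
    Assumption: header_from is already the organizational domain."""
    d = signing_domain.lower().rstrip(".")
    hf = header_from.lower().rstrip(".")
    return d == hf or d.endswith("." + hf)


def summarize(report_xml):
    """Separate who wrote the report from who sent the mail it describes."""
    root = ET.fromstring(report_xml)
    out = {"reporter": root.findtext("report_metadata/org_name"), "records": []}
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        # One <dkim> element per signature found on the message.
        sigs = [{"domain": s.findtext("domain"),
                 "result": s.findtext("result"),
                 "aligned": aligned(s.findtext("domain"), hf)}
                for s in rec.findall("auth_results/dkim")]
        out["records"].append({"source_ip": rec.findtext("row/source_ip"),
                               "header_from": hf, "dkim": sigs})
    return out


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    print("report written by:", report["reporter"])
    for r in report["records"]:
        print("mail sent from:", r["source_ip"], "From:", r["header_from"])
        for s in r["dkim"]:
            print("  DKIM d=%(domain)s result=%(result)s aligned=%(aligned)s" % s)
```

Reports that arrive by email are untrusted input, so parse them with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.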
