3

I work for a small company. We have a lot of IPs blacklisted because of spamming. We decided to set up DMARC for our mail server. This has been set up and is working correctly. The issue now is that in the report, few records pass the DMARC policy and sometimes it is not easy to understand why they don't pass. Here is a sample of the report.

1   <?xml version="1.0" encoding="UTF-8" ?>
2   <feedback>
3     <report_metadata>
4       <org_name>google.com</org_name>
5       <email>noreply-dmarc-support@google.com</email>
6       <extra_contact_info>https://support.google.com/x/xxxxxx/xxxxxxx</extra_contact_info>
7       <report_id>00000000000000000000</report_id>
8       <date_range>
9         <begin>xxxxxxxxxx</begin>
10        <end>xxxxxxxxxx</end>
11      </date_range>
12    </report_metadata>
13    <policy_published>
14      <domain>mydomain.com</domain>
15      <adkim>r</adkim>
16      <aspf>r</aspf>
17      <p>none</p>
18      <sp>none</sp>
19      <pct>100</pct>
20    </policy_published>
21    <record>
22      <row>
23        <source_ip>xx.x.xxx.xx</source_ip>
24        <count>1</count>
25        <policy_evaluated>
26          <disposition>none</disposition>
27          <dkim>fail</dkim>
28          <spf>fail</spf>
29        </policy_evaluated>
30      </row>
31      <identifiers>
32        <header_from>rrrrr.mydomain.com</header_from>
33      </identifiers>
34      <auth_results>
35        <spf>
36          <domain>xxxx-xxxxxxxx-1.dep.sk</domain>
37          <result>none</result>
38        </spf>
39      </auth_results>
40    </record>
41    <record>
42      <row>
43        <source_ip>xx.xxx.xx.176</source_ip>
44        <count>1</count>
45        <policy_evaluated>
46          <disposition>none</disposition>
47          <dkim>fail</dkim>
48          <spf>fail</spf>
49        </policy_evaluated>
50      </row>
51      <identifiers>
52        <header_from>xxxxx.xxxxxxxxxx.com</header_from>
53      </identifiers>
54      <auth_results>
55        <spf>
56          <domain>xxxxxxxxx.web-bbbbbbb.com</domain>
57          <result>none</result>
58        </spf>
59      </auth_results>
60    </record>
61    <record>
62      <row>
63        <source_ip>xxx.xx.xxx.124</source_ip>
64        <count>2</count>
65        <policy_evaluated>
66          <disposition>none</disposition>
67          <dkim>fail</dkim>
68          <spf>fail</spf>
69        </policy_evaluated>
70      </row>
71      <identifiers>
72        <header_from>xxxxxxxxxxxx.xxxxxxxxxx.com</header_from>
73      </identifiers>
74      <auth_results>
75        <spf>
76          <domain>xxxxxxxxxxxx.xxxxxxxxxxxx.xxxxxxxxxx.com</domain>
77          <result>none</result>
78        </spf>
79      </auth_results>
80    </record>
81    <record>
82      <row>
83        <source_ip>193.100.124.106</source_ip>
84        <count>2</count>
85        <policy_evaluated>
86          <disposition>none</disposition>
87          <dkim>fail</dkim>
88          <spf>fail</spf>
89        </policy_evaluated>
90      </row>
91      <identifiers>
92        <header_from>mydomain.com</header_from>
93      </identifiers>
94      <auth_results>
95        <spf>
96          <domain>relay1.mydomain.com</domain>
97          <result>none</result>
98        </spf>
99      </auth_results>
100   </record>
101   <record>
102     <row>
103       <source_ip>193.100.126.107</source_ip>
104       <count>17</count>
105       <policy_evaluated>
106         <disposition>none</disposition>
107         <dkim>fail</dkim>
108         <spf>pass</spf>
109       </policy_evaluated>
110     </row>
111     <identifiers>
112       <header_from>mydomain.com</header_from>
113     </identifiers>
114     <auth_results>
115       <spf>
116         <domain>mydomain.com</domain>
117         <result>pass</result>
118       </spf>
119     </auth_results>
120   </record>
121   <record>
122     <row>
123       <source_ip>xxx.xx.xxx.69</source_ip>
124       <count>1</count>
125       <policy_evaluated>
126         <disposition>none</disposition>
127         <dkim>fail</dkim>
128         <spf>fail</spf>
129       </policy_evaluated>
130     </row>
131     <identifiers>
132       <header_from>xxxxx.mydomain.com</header_from>
133     </identifiers>
134     <auth_results>
135       <spf>
136         <domain>xxxxxxxxxxxx.google.com</domain>
137         <result>none</result>
138       </spf>
139     </auth_results>
140   </record>
141   <record>
142     <row>
143       <source_ip>193.100.124.53</source_ip>
144       <count>7</count>
145       <policy_evaluated>
146         <disposition>none</disposition>
147         <dkim>fail</dkim>
148         <spf>fail</spf>
149       </policy_evaluated>
150     </row>
151     <identifiers>
152       <header_from>xxxxxxxxxxxxxxx.dmz.mydomain.com</header_from>
153     </identifiers>
154     <auth_results>
155       <spf>
156         <domain>xxxxxxxxxxxxxxx.dmz.mydomain.com</domain>
157         <result>none</result>
158       </spf>
159     </auth_results>
160   </record>
161   <record>
162     <row>
163       <source_ip>193.100.126.32</source_ip>
164       <count>8</count>
165       <policy_evaluated>
166         <disposition>none</disposition>
167         <dkim>fail</dkim>
168         <spf>pass</spf>
169       </policy_evaluated>
170     </row>
171     <identifiers>
172       <header_from>mydomain.com</header_from>
173     </identifiers>
174     <auth_results>
175       <spf>
176         <domain>mydomain.com</domain>
177         <result>pass</result>
178       </spf>
179     </auth_results>
180   </record>
181   <record>
182     <row>
183       <source_ip>193.100.126.32</source_ip>
184       <count>2</count>
185       <policy_evaluated>
186         <disposition>none</disposition>
187         <dkim>fail</dkim>
188         <spf>fail</spf>
189       </policy_evaluated>
190     </row>
191     <identifiers>
192       <header_from>mydomain.com</header_from>
193     </identifiers>
194     <auth_results>
195       <spf>
196         <domain>mail.mydomain1.com</domain>
197         <result>none</result>
198       </spf>
199     </auth_results>
200   </record>
201   <record>
202     <row>
203       <source_ip>xxx.xx.xx.5</source_ip>
204       <count>2</count>
205       <policy_evaluated>
206         <disposition>none</disposition>
207         <dkim>fail</dkim>
208         <spf>fail</spf>
209       </policy_evaluated>
210     </row>
211     <identifiers>
212       <header_from>mydomain.com</header_from>
213     </identifiers>
214     <auth_results>
215       <spf>
216         <domain>xxxxx-red-xxxxxxxxxxxxxxxxxxxxx.jp</domain>
217         <result>none</result>
218       </spf>
219     </auth_results>
220   </record>
221   <record>
222     <row>
223       <source_ip>193.100.126.124</source_ip>
224       <count>1</count>
225       <policy_evaluated>
226         <disposition>none</disposition>
227         <dkim>fail</dkim>
228         <spf>fail</spf>
229       </policy_evaluated>
230     </row>
231     <identifiers>
232       <header_from>mydomain.com</header_from>
233     </identifiers>
234     <auth_results>
235       <spf>
236         <domain>xxxx.com</domain>
237         <result>pass</result>
238       </spf>
239     </auth_results>
240   </record>
241   <record>
242     <row>
243       <source_ip>193.100.126.23</source_ip>
244       <count>6</count>
245       <policy_evaluated>
246         <disposition>none</disposition>
247         <dkim>fail</dkim>
248         <spf>fail</spf>
249       </policy_evaluated>
250     </row>
251     <identifiers>
252       <header_from>xxxxx.mydomain.com</header_from>
253     </identifiers>
254     <auth_results>
255       <spf>
256         <domain>xxxxxxxxxx.xxxxx.mydomain.com</domain>
257         <result>none</result>
258       </spf>
259     </auth_results>
260   </record>
261   <record>
262     <row>
263       <source_ip>xx.xx.xx.108</source_ip>
264       <count>2</count>
265       <policy_evaluated>
266         <disposition>none</disposition>
267         <dkim>fail</dkim>
268         <spf>fail</spf>
269       </policy_evaluated>
270     </row>
271     <identifiers>
272       <header_from>mydomain.com</header_from>
273     </identifiers>
274     <auth_results>
275       <spf>
276         <domain>xxxxxxxxxx.com</domain>
277         <result>softfail</result>
278       </spf>
279     </auth_results>
280   </record>
281   <record>
282     <row>
283       <source_ip>193.100.124.1</source_ip>
284       <count>24</count>
285       <policy_evaluated>
286         <disposition>none</disposition>
287         <dkim>fail</dkim>
288         <spf>fail</spf>
289       </policy_evaluated>
290     </row>
291     <identifiers>
292       <header_from>mydomain.com</header_from>
293     </identifiers>
294     <auth_results>
295       <spf>
296         <domain>xxxxxxxxxx.com</domain>
297         <result>softfail</result>
298       </spf>
299     </auth_results>
300   </record>
301   <record>
302     <row>
303       <source_ip>193.100.126.107</source_ip>
304       <count>3</count>
305       <policy_evaluated>
306         <disposition>none</disposition>
307         <dkim>fail</dkim>
308         <spf>fail</spf>
309       </policy_evaluated>
310     </row>
311     <identifiers>
312       <header_from>mydomain.com</header_from>
313     </identifiers>
314     <auth_results>
315       <spf>
316         <domain>mydomain.com</domain>
317         <result>permerror</result>
318       </spf>
319     </auth_results>
320   </record>
321 </feedback>
  1. Since DMARC passes when SPF and/or DKIM passes, can I assume that when I have at least one pass in auth_results, it means that in production (DMARC quarantine or reject) this message would have passed? If not, how can I see from this report which messages would have passed?

  2. Why am I still getting a fail on SPF (example: lines 282, 290) even when 193.100.124.1 is in my DMARC policy?

  3. What is the meaning of the domain inside the SPF or DKIM result (example: line 36)?

  4. Why do some auth_results contain SPF and DKIM and others only SPF?

  5. Why do some SPF entries have two results in an array?

  Can you please help me understand this better?

dmx
  • 227
  • 3
  • 8

1 Answer

6

Since DMARC passes when SPF or/and dkim passes.

This assumption is wrong. DMARC passes when SPF or/and DKIM passes and the passed SPF/DKIM is identity-aligned according to the DMARC policy.

Can I assume that when I have at least one pass in auth_results, it means that in prod (dmarc quarantine or reject), this message would have passed?

No, auth_results only shows the status of SPF and DKIM and does not show the status of identity-alignment. Only policy_evaluated shows the DMARC status by taking the information shown in auth_results and adding identity-alignment as specified in the DMARC policy.

What is the meaning of domain inside SPF or dkim result (example: line 36)?

This is the domain for the SPF/DKIM check which gets used when checking for identity alignment. For SPF this is usually the domain from the SMTP MAIL FROM command; for DKIM this is the domain attribute (d=) in the DKIM signature. For DMARC identity alignment these domains must somehow match the From: line in the mail header, where "somehow" means exact match or sub-domain match depending on the DMARC policy.

Why do some SPF have two result in array ?

I don't see any such occurrences in your example. But it can happen if multiple mail servers were involved in delivery, each of which added their own information to the mail. And you can also have multiple DKIM signatures for the same reason.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
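The alignment rule described in the answer (a DMARC pass needs an SPF or DKIM pass whose domain aligns with the From: domain, exactly under `s` or by organizational domain under `r`) can be checked mechanically against a report. The script below is an added example, not code from the question or the answer: it parses a DMARC aggregate report with the same structure as the one posted above, recomputes alignment from `auth_results` and `policy_published`, and counts how many messages a `quarantine` or `reject` policy would have hit. The sample report embedded in it is constructed (IPs, domains and the DKIM entry are invented), the `org_domain` helper approximates the organizational domain with the last two labels instead of the Public Suffix List, and `pct`/`sp` are ignored in the simulation; all of those are simplifications of this example, not behaviour of any real verifier.

```python
# Added example, not from the question or the answer: recompute DMARC
# identifier alignment from an aggregate report so each record's
# policy_evaluated result can be explained, and simulate a stricter policy.
import xml.etree.ElementTree as ET

# Constructed sample report modelled on the one in the question; the IPs,
# domains and the DKIM record are invented for illustration.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>193.100.126.107</source_ip><count>17</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><spf><domain>mydomain.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>193.100.126.124</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><spf><domain>xxxx.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>4</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.com</domain><result>pass</result><selector>s1</selector></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Approximate the organizational domain as the last two labels.
    Real verifiers use the Public Suffix List (example.co.uk needs three
    labels); this shortcut is a simplification made for the example."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, header_from, mode):
    """DMARC alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_report(report_xml):
    """Return one dict per <record> with the recomputed alignment results."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    out = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        # A pass only counts for DMARC when the authenticated domain aligns
        # with the From: domain. An SPF pass for an unrelated MAIL FROM domain
        # (second record) is exactly the "SPF pass but DMARC fail" case.
        spf_ok = any(
            a.findtext("result") == "pass"
            and is_aligned(a.findtext("domain"), header_from, aspf)
            for a in rec.findall("auth_results/spf")
        )
        dkim_ok = any(
            a.findtext("result") == "pass"
            and is_aligned(a.findtext("domain"), header_from, adkim)
            for a in rec.findall("auth_results/dkim")
        )
        reported = rec.find("row/policy_evaluated")
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,
            # What the reporter itself concluded; should agree with ours.
            "reported_pass": "pass" in (reported.findtext("spf"), reported.findtext("dkim")),
        })
    return out


def simulate_policy(report_xml, policy):
    """Number of messages that would receive disposition `policy`
    (quarantine or reject) if p=none were replaced by it; pct and sp ignored."""
    if policy not in ("quarantine", "reject"):
        raise ValueError("policy must be quarantine or reject")
    return sum(r["count"] for r in evaluate_report(report_xml) if not r["dmarc_pass"])


if __name__ == "__main__":
    for r in evaluate_report(SAMPLE_REPORT):
        print(r)
    print("messages affected by p=reject:", simulate_policy(SAMPLE_REPORT, "reject"))
```

Run against a real report (replace `SAMPLE_REPORT` with the file contents), every record whose `dmarc_pass` is false is one that a `quarantine` or `reject` policy would act on, regardless of how many bare `pass` values appear in its `auth_results`; a mismatch between `dmarc_pass` and `reported_pass` points at an alignment mode or organizational-domain case the simplified `org_domain` does not model.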