2

I've recently set up a mail server, which will be handling email for multiple people and domains. Appropriate SPF, DKIM, DMARC and ADSP records have been added, yet I'm getting something confusing:

```
Authentication-Results: mx.google.com; spf=pass (google.com: domain of cydnie@redacted.com designates 6.101.56.24 as permitted sender) smtp.mailfrom=cydnie@redacted.com; dmarc=pass (p=QUARANTINE dis=NONE) header.from=redacted.com
Authentication-Results: de.mx.redacted.com; dmarc=fail header.from=redacted.com
```

As you can see I'm getting TWO Authentication-Results headers, the latter signifying a fail for some reason. My records are in order, as far as I'm aware:

```
SPF: "v=spf1 mx a ptr include:_spf.redacted.com ~all"
SPF: "v=spf1 ip4:6.101.56.24/32 ip4:10.10.33.109/32 ip6:2c03:10e0:3:a0::1bc9:2001/64 ~all"
DMARC: "v=DMARC1; p=quarantine; pct=100; rua=mailto:support@reacted.com; ruf=admin@redacted.com; fo=1; aspf=r; adkim=r"
ADSP: "dkim=all"
```

Any ideas?

HashHazard
  • Why do you have an RFC1918 address in the SPF record? That may be causing an issue. It's also a security concern to expose internal networking addresses. Second, if you're redacting the domain name for security reasons, you may also want to redact the Public IP address as well. – HashHazard Sep 25 '16 at 13:53
  • I'll remove the RFC1918 address - it was for webmail stuff, but no longer needed. The public IP didn't need redacting, I changed it significantly! – Cydnie-Naomi Sep 25 '16 at 14:11
  • Huh, that didn't fix it, still getting double headers, with dmarc=fail. – Cydnie-Naomi Sep 25 '16 at 14:15
  • Yeah, I wasn't sure if that would fix that particular problem, but it couldn't hurt to remove it. – HashHazard Sep 25 '16 at 14:54
  • @Cydnie... Is your problem solved? If not, then please update the issues you are facing right now. The TXT record for your domain is now showing that you are using outlook.com for sending mails. `redacted.com. 145 IN TXT "v=spf1 include:spf.protection.outlook.com ~all"` – Gaurav Kansal Oct 30 '16 at 16:47
  • Definitely check DNS settings if not just to rule it out. – waffles Apr 28 '17 at 21:44

1 Answer

1

Cydnie,

Are your DMARC records correct in DNS?

DMARC lookup applied to redacted.com does not return any DMARC records. rua=mailto:support@reacted.com: incorrect domain name? (should be reDacted.com)

Remove ADSP records. ADSP has been moved to historic: https://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/

pescator
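The report-address mismatch raised in the answer can be caught before a record is published. The following is an added example, not code from the question or the answer: a small offline linter for the `rua`/`ruf` tags of a DMARC record. The names `parse_dmarc` and `lint_dmarc` are hypothetical, and the external-domain check is simplified by assuming the policy domain passed in is the organizational domain.

```python
from urllib.parse import urlparse

# Constructed sample: the DMARC record text as posted in the question.
POSTED = ("v=DMARC1; p=quarantine; pct=100; rua=mailto:support@reacted.com; "
          "ruf=admin@redacted.com; fo=1; aspf=r; adkim=r")

def parse_dmarc(record):
    """Split a DMARC record into a {tag: value} dict (RFC 7489 tag-list)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags

def lint_dmarc(policy_domain, record):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tags = parse_dmarc(record)
    # The version tag must come first and is case-sensitive.
    if record.strip().split(";")[0].replace(" ", "") != "v=DMARC1":
        findings.append("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or not none/quarantine/reject")
    policy = policy_domain.lower().rstrip(".")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip().split("!", 1)[0]  # drop optional size limit (!10m)
            if not uri:
                continue
            parsed = urlparse(uri)
            if parsed.scheme.lower() != "mailto":
                findings.append(f"{tag}: '{uri}' is not a mailto: URI")
                continue
            dest = parsed.path.rsplit("@", 1)[-1].lower()
            # Simplification: same domain or a subdomain counts as internal.
            if dest != policy and not dest.endswith("." + policy):
                findings.append(
                    f"{tag}: reports go to external domain '{dest}'; check for "
                    f"a typo, or '{dest}' must publish a TXT record "
                    f"{policy}._report._dmarc.{dest} containing v=DMARC1")
    return findings

if __name__ == "__main__":
    for finding in lint_dmarc("redacted.com", POSTED):
        print(finding)
```

Run against the posted record, it flags the `rua` address at `reacted.com` as an external destination and the `ruf` value as lacking the `mailto:` scheme.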