
I have set up DMARC for my company. It is in test mode and I regularly receive reports. Some seem weird to me and I would like to understand them. For example, I have received a report with SPF and DKIM failed, but the result is passed. I would like to go into production, but I am not really confident because the result seems unpredictable. Here is a sample XML record:

<record>
    <row>
        <source_ip>1.2.3.4</source_ip>
        <count>1</count>
        <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
        </policy_evaluated>
    </row>
    <identifiers>
        <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
        <spf>
            <domain>otherdomain.com</domain>
            <result>pass</result>
        </spf>
    </auth_results>
</record>

My IP 1.2.3.4 sent an email with the From header equal to mydomain.com to the domain otherdomain.com.

otherdomain.com considers this email as having valid DMARC.

Here is my config:

<policy_published>
   <domain>mydomain.com</domain>
   <adkim>r</adkim>
   <aspf>r</aspf>
   <p>none</p>
   <sp>none</sp>
   <pct>100</pct>
</policy_published>

My SPF record: mydomain.com text = "v=spf1 ip4:1.2.3.4 ip4:1.2.3.5 ip4:1.2.3.5 ip4:1.2.3.6 ip4:1.2.3.7 ip4:1.2.3.8 ip4:1.2.3.9 ip4:1.2.3.10 ip4:1.2.3.11 include:mydomain.com include:subdomain.mydomain.com -all"

Why is this? I don't understand why it is passing. Can someone explain it to me, please?

  • ok - then it passes SPF: `ip4:1.2.3.4`. It does not pass the policy config, but passes the actual SPF. – schroeder Oct 09 '17 at 09:27
  • @schroeder thanks. Since it passes SPF, is there any reason why the SPF result is false? – dmx Oct 09 '17 at 09:31

1 Answer

TL;DR: someone sent a mail with the SMTP envelope of otherdomain.com but the mail header From of mydomain.com. Since the SPF check passed for otherdomain.com, it might have been someone from otherdomain.com who tried to spoof the sender to mydomain.com.


<identifiers>
    <header_from>mydomain.com</header_from>
</identifiers>

This means that the From of the mail shows mydomain.com as the sender domain. This is the domain expected in SPF and DKIM records for identifier alignment.

<auth_results>
    <spf>
        <domain>otherdomain.com</domain>
        <result>pass</result>
    </spf>

This is a successful SPF record. The success of this record is only seen in relation to the SPF specification and not in the context of DMARC as can be seen from RFC 7489 Appendix C:

<!-- This element contains DKIM and SPF results, uninterpreted
    with respect to DMARC. -->
<xs:complexType name="AuthResultType">

Only the email address in the SMTP dialog ("SMTP envelope") used otherdomain.com. Since otherdomain.com is not mydomain.com, the identifier alignment fails and thus:

    <policy_evaluated>
        ...
        <spf>fail</spf>
    </policy_evaluated>

policy_evaluated is the result based on DMARC as can be seen from the specification:

<!-- Taking into account everything else in the record,
     the results of applying DMARC. -->
<xs:complexType name="PolicyEvaluatedType">

Steffen Ullrich

  • Do you have any sources for the specifications here? I was having trouble finding docs to map all that out. – schroeder Oct 09 '17 at 11:33
  • @schroeder: [RFC 7489, Appendix C](https://tools.ietf.org/html/rfc7489#appendix-C). Not an easy read though. – Steffen Ullrich Oct 09 '17 at 15:35
  • Yeah, I've been really trying to get my head around these specifications so I can teach others, and it is NOT easy. Thanks for the update. – schroeder Oct 09 '17 at 16:17
  • @SteffenUllrich, @schroeder: can you please confirm that when I have spf in the result (``), this means that SPF is aligned; when I have dkim in the result, this means that DKIM is aligned; when I have both, it means that SPF and DKIM are aligned. On the other hand, when one of both passes, this means that DMARC passes. – dmx Oct 14 '17 at 11:12
  • @dmx: `auth_results` make no statement regarding alignment but only show the results of SPF and DKIM checks, which don't include alignment by themselves. In fact in your example there is no alignment as you can see from the non-matching domains. See `policy_evaluated` if SPF and or DKIM was both valid according to SPF/DKIM specification and also aligned according to DMARC specification and your policy. – Steffen Ullrich Oct 14 '17 at 11:28
  • @SteffenUllrich: Can you tell me how to deduce the DMARC result from this example ` relay01.example.com neutral none `? On this site, https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/, DMARC passes when SPF and/or DKIM pass. Why does `auth_results` sometimes contain spf and dkim, but sometimes spf and DKIM? – dmx Oct 14 '17 at 17:45
  • @dmx: This is actually a different question and should be better asked as such. In short: you cannot deduce the DMARC result from `auth_results` alone but you need the DMARC policy too. But in this specific example neither DKIM nor SPF got a pass, thus DMARC cannot pass either. And the blog does not say that SPF and/or DKIM must pass but that they must pass __and be aligned__. – Steffen Ullrich Oct 14 '17 at 19:08
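The alignment rule the answer and the later comments describe, as an added worked example that is not part of the original answer and not code from any DMARC tool: the script below parses the record from the question, applies the identifier-alignment check of RFC 7489 section 3.1 (relaxed `r` or strict `s`, taken from `adkim`/`aspf` in `policy_published`) to the raw `auth_results`, and compares its own verdict with the `policy_evaluated` block the receiver reported. The `<feedback>` wrapper around the record is constructed here; the Organizational Domain is approximated as the last two labels instead of being looked up in the Public Suffix List, and `pct` sampling and the `sp` subdomain policy are not modeled, so treat those three points as simplifications.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <record> and <policy_published> from the question,
# wrapped in a minimal <feedback> envelope as an aggregate report would be.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>1.2.3.4</source_ip><count>1</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>otherdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def organizational_domain(domain: str) -> str:
    """Approximation (assumption): last two labels. RFC 7489 uses the Public
    Suffix List, which this example does not ship; fine for plain .com names."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 s3.1): strict needs an exact match,
    relaxed only needs matching Organizational Domains."""
    a, h = auth_domain.lower().strip("."), header_from.lower().strip(".")
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def evaluate_record(record, policy):
    """Turn raw auth_results into a DMARC verdict for one <record>.
    auth_results says whether SPF/DKIM passed for *their own* domain;
    DMARC additionally requires that domain to align with header_from."""
    header_from = record.findtext("identifiers/header_from")
    aspf = policy.findtext("aspf") or "r"    # absent element means relaxed
    adkim = policy.findtext("adkim") or "r"
    spf_ok = any(
        s.findtext("result") == "pass"
        and aligned(s.findtext("domain"), header_from, aspf)
        for s in record.findall("auth_results/spf")
    )
    dkim_ok = any(
        d.findtext("result") == "pass"
        and aligned(d.findtext("domain"), header_from, adkim)
        for d in record.findall("auth_results/dkim")
    )
    dmarc_pass = spf_ok or dkim_ok
    # Disposition follows the published p= only when DMARC fails (pct ignored).
    disposition = "none" if dmarc_pass else (policy.findtext("p") or "none")
    return {
        "spf": "pass" if spf_ok else "fail",
        "dkim": "pass" if dkim_ok else "fail",
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": disposition,
    }


def evaluate_report(xml_text: str):
    """Evaluate every <record> and put the receiver's own policy_evaluated
    next to our verdict so discrepancies stand out."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    results = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        results.append({
            "source_ip": rec.findtext("row/source_ip"),
            "header_from": rec.findtext("identifiers/header_from"),
            "computed": evaluate_record(rec, policy),
            "reported": {
                "spf": pe.findtext("spf"),
                "dkim": pe.findtext("dkim"),
                "disposition": pe.findtext("disposition"),
            },
        })
    return results


if __name__ == "__main__":
    for r in evaluate_report(SAMPLE_REPORT):
        print(r["source_ip"], "From:", r["header_from"])
        print("  computed:", r["computed"])
        print("  reported:", r["reported"])
```

For the record in the question the script computes spf=fail, dkim=fail, dmarc=fail, disposition=none, which is exactly the `policy_evaluated` block the receiver sent: SPF passed for otherdomain.com, but otherdomain.com does not align with the header_from of mydomain.com, and there is no DKIM result at all. Swapping the SPF domain for mail.mydomain.com makes the same record pass under relaxed alignment and fail again under strict, which is the difference between `aspf=r` and `aspf=s`.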