A DMARC aggregate report which I received reads (irrelevant pieces removed, domains changed):

  <record>
    <row>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <auth_results>
      <dkim>
        <domain>mail-provider.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>subdomain.mail-provider.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

I do not understand why the evaluated DMARC policy is "fail" with respect to SPF. As <auth_results> shows, SPF by itself validates. AFAIK, in this case the DMARC failure can only be caused by the passed SPF identity not being identifier-aligned according to the DMARC policy. But how could it happen in my case?

The DMARC RFC 7489 reads:

Identifier Alignment: When the domain in the RFC5322.From address matches a domain validated by SPF or DKIM (or both), it has Identifier Alignment.

  • Domain in the "From:" field is mycompany.com.
  • SPF record for mycompany.com is include:mail-provider.com.
  • SPF record for mail-provider.com contains a range of IP addresses they use to send mail from. The mail has arrived from an address in that range.
  • DMARC policy for mycompany.com does not require "strict" alignment for SPF.

I thought that the "passed SPF identity" in this case is mail-provider.com, for DMARC to pass it needs to align with subdomain.mail-provider.com, and it does so in "relaxed" mode. What am I missing?

  • Test your configuration using https://www.mail-tester.com/ and post the results here. – Brad May 16 '19 at 18:53

1 Answer

Relaxed in DMARC doesn't mean completely liberated, but has limitations.

From RFC 7489, 3.1.2 SPF-Authenticated Identifiers (emphasis is mine):

In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

The algorithm to determine the Organizational Domain is specified in section 3.2, but basically the Organizational Domain is just your domain (including TLD) e.g. example.com is the Organizational domain for all a.b.c.d.example.com.

Thus, since com is an IANA-registered TLD, a subject domain of a.b.c.d.example.com would have an Organizational Domain of example.com. The process of determining a suffix is currently a heuristic one. No list is guaranteed to be accurate or current.

This means that the relaxed alignment for From: user@example.com would pass if the envelope sender used in SMTP MAIL FROM command was something like newsletter@mail-provider.example.com as the organizational domain for both is the same, but example.mail-provider.com has a different organizational domain and fails.

So, what's the solution?

  1. You don't necessarily have to do anything. DMARC passes if either SPF or DKIM passes.
  2. If you want both to pass, the mail provider has to use your domain or its subdomain as the envelope sender. That should be possible, as you already have include:d their SPF in your SPF record.
Esa Jokinen
  • _the mail provider has to use your domain or its subdomain as the envelope sender._ --- This sentence answers my question! I incorrectly assumed that the mail provider *does* use my domain as the envelope sender, because DKIM alignment passes. But DKIM does not check RFC5322.From at all! – Konstantin Shemyak May 16 '19 at 20:21
  • 2
    DKIM works on the content level while SPF works on the SMTP protocol level. Therefore, DMARC+SPF checks whether the envelope sender is correctly aligned with the `From:` header while DMARC+DKIM compares the DKIM signature with the `From:` header. – Esa Jokinen May 16 '19 at 20:31
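The alignment rule from the answer, worked through on the report above as an added example (not code from the question, the answer or RFC 7489). It assumes the DKIM signing domain was really mycompany.com (the report's policy_evaluated shows DKIM as aligned, and the domains were changed by the asker), and it stands in a tiny suffix table for the Public Suffix List that real implementations consult.

```python
"""DMARC identifier alignment as described in RFC 7489 section 3.1."""

# Stand-in for the Public Suffix List (assumption: a real checker loads the
# full list; this table only knows a few suffixes for the sake of the demo).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the public suffix plus one label in front of it."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback: last two labels


def is_aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """'s' (strict): exact match. 'r' (relaxed): same Organizational Domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf and dkim are (authenticated domain, result) pairs as in <auth_results>.
    Returns the per-mechanism values that end up in <policy_evaluated>; DMARC
    passes when at least one mechanism both passes and is aligned."""
    spf_ok = spf[1] == "pass" and is_aligned(from_domain, spf[0], aspf)
    dkim_ok = dkim[1] == "pass" and is_aligned(from_domain, dkim[0], adkim)
    return {"spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed from the report: From: mycompany.com, envelope sender at the
    # provider's subdomain, DKIM d= assumed to be mycompany.com.
    print(evaluate_dmarc("mycompany.com",
                         spf=("subdomain.mail-provider.com", "pass"),
                         dkim=("mycompany.com", "pass")))
    # The fix from the answer: the provider uses a subdomain of yours as the
    # envelope sender. Aligned in relaxed mode, still not in strict mode.
    print(evaluate_dmarc("mycompany.com", ("bounce.mycompany.com", "pass"),
                         ("mycompany.com", "pass"))["spf"])
    print(evaluate_dmarc("mycompany.com", ("bounce.mycompany.com", "pass"),
                         ("mycompany.com", "pass"), aspf="s")["spf"])
```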