4

I've seen this question asked before, but unfortunately I don't understand the responses. I think it's something to do with "from" headers being defined differently by different standards. I've added all the domains in the "from" to SPF records, but DMARC is still failing.

I'm curious if anyone could help me specifically identify why this email passes both SPF and DKIM but fails DMARC.

Here is the screenshot of the email headers: https://ibb.co/ynqj6fm

schroeder

3 Answers

4

DMARC fails since the sender domain according to the From field of the mail header is different to the sender domain in the SMTP envelope (SPF validation) and different to the domain given in the DKIM signature. This means there is no alignment of the From domain with a valid DKIM or SPF - but such an alignment is required for DMARC to pass.

Steffen Ullrich
  • So it's not something I can fix by changing the SPF, DKIM or DMARC in their respective DNS entries? – Dedicated Managers Aug 20 '19 at 18:04
  • @DedicatedManagers: no, this does not help. – Steffen Ullrich Aug 20 '19 at 18:07
  • What can I do to fix the issue? – Dedicated Managers Aug 20 '19 at 18:26
  • Should that end "...such an alignment is required for _DMARC_ to pass"? – gowenfawr Aug 20 '19 at 18:30
  • @gowenfawr: You are right. I've fixed it. – Steffen Ullrich Aug 20 '19 at 18:31
  • 2
    @DedicatedManagers: You are using a mail provider with domain X to send mails with a `From` domain of Y. This is a typical behavior seen for malicious mail spoofing. If mail provider X supports this use case then he must be able to properly send mail in your name and should provide documentation on how you need to setup your systems in order to use this feature. Another way would be to run your own mail infrastructure first (i.e. before transferring the mail to provider X) and add the DKIM signature for your domain Y there. – Steffen Ullrich Aug 20 '19 at 18:34
2

This is complicated, so here is a shot at an explanation.

For DMARC to work, you need alignment of either the SPF or DKIM domain with the body from address. There are three places this matters.

  1. The body from address: quickpatents.com (5322.From)
  2. The DKIM domain: email-od.com (d=)
  3. The header.from address: emailcenterpro.com (RFC5321.MailFrom)

how many from addresses are there?

There are two - the message body and the SMTP server's MailFrom address.

See: https://dmarc.org/2016/07/how-many-from-addresses-are-there/

how they all work

You set your "from address" in the message body. In this case it's you@quickpatents.com.

Right before your SMTP server contacts the remote SMTP server, it signs the message using DKIM, and specifies where the receiving server can find the public key to validate the DKIM. (This is the d= and s= part of the DKIM signature.)

Then your email service sets the header.from address when it does the backend communication from your SMTP server to the recipient's SMTP server. There is a whole handshake happening that you don't need to worry about. (This is where it says the SPF and server IP address.)

an aside

It's amazing that you can legally send email with a made-up body from address, any SMTP SPF address, and any DKIM signature. Without aligning them, they are nearly pointless for email. There is a ton of machine learning to figure out which SMTP servers to trust, and which DKIM domain signatures to trust.

looking at the dmarc

jon$ dig _dmarc.quickpatents.com txt +short
"v=DMARC1;p=none;pct=100;rua=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,mailto:kevin@quickpatents.com;ruf=mailto:dmarc.quickpatents.com@dedicatedmanagers.com,mailto:kevin@quickpatents.com"

This says that there is no policy specified. Have a look here:

https://www.dmarcanalyzer.com/dmarc/dmarc-record-check/

looking at the dkim

It's looking up the signature and verifying against the DNS entry.

jon$ dig dkim._domainkey.email-od.com txt +short
"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDzpFrEAH9dbkLukLvwesHGWRDc+JCBkvzQYTpptOR+uz4brRd1V8VDPHPpQH7wRvNMhVh/LhTkPMBXtpJjeedqU2rfDlH8y81O+VweutuI4AHOfBL4PJSHNxZ1Qbw7D3+080AsoDXqphbSZXfi9wnSP5X5bcocLqW+1MwNq854wIDAQAB"

You need to host a DKIM key at your domain quickpatents.com and point AWS to use it. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html

looking at the SPF, these are the records looked up:

jon$ dig emailcenterpro.com txt +short
"v=spf1 include:email-od.com ~all"
jon$ dig email-od.com txt +short
"v=spf1 ip4:142.0.176.0/20 ip4:204.232.162.112/28 ip4:204.232.180.112/29 ip4:204.232.180.128/29 ip4:69.20.119.216/29 ip4:76.12.109.192/27 ip4:67.59.141.128/28 ip4:209.41.176.224/28 ip4:69.48.230.0/25 ~all"

The first ip4 is a mask that includes the SMTP server IP address of 142.0.177.43, which is why SMTP passed.

You need to configure AWS to send a custom header.from that matches your sending domain, for example, set up a header that maps .quickpatents.com to the AWS SMTP servers - see here for details: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html

Once they are all the same domain, DMARC will work.

Jonathan
  • *"Once they are all the same domain, dmarc will work."* - Actually, either DKIM **or** SPF need to be valid and aligned, __not both__. Of course it does not harm to have both aligned in case one fails due to transport issues but it is not necessary. – Steffen Ullrich Aug 21 '19 at 06:05
  • You're right. Updating the answer. – Jonathan Aug 21 '19 at 13:54
  • Thanks for the detailed response! And thanks to your detailed response, I better understand the issue. However the resolution, I'm not understanding. I'll post a follow-up question in another comment. – Dedicated Managers Aug 22 '19 at 18:26
  • First, I'm not using AWS, I'm curious where you got that from (maybe the email provider "Email Center Pro" is using AWS that you discovered)? – Dedicated Managers Aug 22 '19 at 18:27
  • Solution 1) Change the body 5322.From to use either an "emailcenterpro.com" email address or an "email-od.com" email address. – Dedicated Managers Aug 22 '19 at 19:24
  • Solution 2) Get ECP to use quickpatents.com as its header.from/RFC5321 address. We'll then need to set up SPF records on the quickpatents.com dns to allow their servers ips to send emails. – Dedicated Managers Aug 22 '19 at 19:24
  • Solution 3) Get ECP to sign the DKIM using d=quickpatents.com and subsequently set up DKIM dns records on quickpatents.com with the correct dkim info. – Dedicated Managers Aug 22 '19 at 19:24
  • They may not be actually implementable but are those 3 solutions correct ways to get DMARC to pass? – Dedicated Managers Aug 22 '19 at 19:25
  • I saw the aws compute URL and assumed they were using AWS SES, which they probably are not. 4th option, setup SES yourself. But yeah, one of those 3 should work for you. – Jonathan Aug 24 '19 at 04:35
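The alignment rule discussed in the answers and comments above, as an added example (not code from any of the posters): it evaluates DMARC for the `From` domain against an Authentication-Results value, for the observed message and for the two provider-side fixes. The header string is constructed from the fragments quoted on this page; `mx.example.net`, the `FIXED_*` variants and the two-label `org_domain` shortcut are assumptions.

```python
import re

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator consults the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    # mode "r" = relaxed (same organizational domain), "s" = strict (exact match)
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_result(from_domain, auth_results, aspf="r", adkim="r"):
    """Evaluate DMARC for a From: domain against an Authentication-Results value."""
    spf_ok = False
    m = re.search(r'\bspf=(\w+)[^;]*?smtp\.mailfrom="?([^\s";]+)', auth_results)
    if m:
        mailfrom_domain = m.group(2).rsplit("@", 1)[-1]
        spf_ok = m.group(1) == "pass" and aligned(from_domain, mailfrom_domain, aspf)
    # A message may carry several DKIM signatures; one passing, aligned one suffices.
    # Assumption: the domain part of header.i stands in for d= when header.d is absent.
    sigs = re.findall(r"\bdkim=(\w+)[^;]*?header\.[id]=([^\s;]+)", auth_results)
    dkim_ok = any(res == "pass" and aligned(from_domain, val.rsplit("@", 1)[-1], adkim)
                  for res, val in sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed header value, assembled from the fragments quoted on this page.
OBSERVED = ('mx.example.net; dkim=pass header.i=@email-od.com header.s=dkim '
            'header.b=mYydBzjy; spf=pass smtp.mailfrom='
            '"184b.l0.terry=dedicatedmanagers.com@bounces.emailcenterpro.com"')
# Hypothetical variants: provider signs as quickpatents.com / uses a custom bounce domain.
FIXED_DKIM = OBSERVED.replace("@email-od.com", "@quickpatents.com")
FIXED_SPF = OBSERVED.replace("bounces.emailcenterpro.com", "bounces.quickpatents.com")

if __name__ == "__main__":
    for name, hdr in [("observed", OBSERVED), ("dkim fixed", FIXED_DKIM),
                      ("spf fixed", FIXED_SPF)]:
        print(name, dmarc_result("quickpatents.com", hdr))
```

With strict SPF alignment (`aspf="s"`) the `bounces.quickpatents.com` variant no longer aligns, because a subdomain only matches under relaxed mode.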
0

From the message header I understand that the mail was sent from the Email Center Pro system -> smtp.mailfrom="184b.l0.terry=dedicatedmanagers.com@bounces.emailcenterpro.com"

which is built on SocketLabs' email infrastructure ->
a) https://toolbox.googleapps.com/apps/dig/#TXT/emailcenterpro.com
v=spf1 include:email-od.com ~all

b) Received: from sl-b12b.socket1abs.email-od.com (sl-b12b.socketlabs.email-od.com. [142.0.177.43])

c) dkim=pass header.i=@email-od.com header.s=dkim header.b=mYydBzjy

SocketLabs itself can be configured to send DKIM and SPF domain-aligned emails. See the 2 links below:

a) https://help.socketlabs.com/docs/custom-dkim-signing-feature

b) https://help.socketlabs.com/docs/custom-bounce-domains

So, I guess the best step forward would be to contact Email Center Pro support and ask them to help with making your sent emails DKIM & SPF compliant (referring to your awareness that they use SocketLabs).

Btw, you have a few issues with the quickpatents.com domain SPF record syntax ->
https://easydmarc.com/tools/spf/quickpatents.com

P.S. You may also wish to deploy one of the DMARC Analytics and Implementation solutions listed on the DMARC.org website, e.g. EasyDMARC

Zonder