4

I'm sending emails via the Ionos mail servers.

I've got spf set up, but dmarc still fails.

This seems related to: Why is DMARC failing when SPF and DKIM are passing?

But I can't figure out how to fix it.

My dns records:

TXT @      "v=spf1 include:_spf.perfora.net include:_spf.kundenserver.de ~all"

TXT _dmarc "v=DMARC1;p=reject;pct=100;rua=mailto:postmaster@example.com"

The message:

Delivered-To: customer@gmail.com
Received: by 2002:ac9:3209:0:0:0:0:0 with SMTP id t9csp5365827occ;
        Mon, 29 Nov 2021 04:28:10 -0800 (PST)
X-Google-Smtp-Source: ABdhPJztBODq55DzGx9ecY7JOxSHSkiCAsmLPg2y8pp5UEZtbyOszCYUVZwLY8D9crP2Fb5iEw9j
X-Received: by 2002:adf:8bda:: with SMTP id w26mr33222031wra.534.1638188890595;
        Mon, 29 Nov 2021 04:28:10 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1638188890; cv=pass;
        d=google.com; s=arc-20160816;
        b=xjKATpxwLRDvvmOV5kUm/WpWt5kkCv+5uSawMkZYj0twBgWoXfSHcnpeCcRBtMSZkj
         Kc8+wXjQ3wgot7WUGojvkMrt/6CkLaCx15FyrvzOmW1Ze9BBc/baWAYFhmjfmdhiwhqV
         PXOX03hsrNreutE/SnuCifDmNioEbIzoqaj/ls5Yi5m1hhK+rShzoJ+sRD3vqFBzuTFN
         FCYzwGJGGpZbzfdFDGXUp58NTrGc+4MjxsFQKVH8/gZotABem9bCbgu471N6AkZpqLKa
         PTrRTg6G+bErXQJfDep7tzmVbS0ANsqiuOVnWPZ0EiItamk9/DfICL4xoGZg+FYmBrW6
         dvMg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=importance:content-transfer-encoding:mime-version:subject
         :message-id:to:from:date;
        bh=SxpiSrw1J7WezP/1/i8lCtuyzA7UZ3rHWWlonqyZ9+k=;
        b=TWx4EU2wcz4m7nCL6rpNMkWY6usE4rpy4W+Z89g9coE/mpba4+nv7zwCAcCuzcCNbe
         ePlrPR5lP8Am71PSFQyBttndHKSLqvaPU9QWldt7VPyRR+f16aNNhATPHHXOlHnUfTXz
         0PDN8FW3no9/t654TAAcF4vhNejZQXD/AmDiX6LsmG7NwRx4Tci2QN+9lSstZv9Edf53
         zSnXUNZBHBKmLM9uxNuxOKykMVFvktAAyJPa5SoAHrfeeWtr5mYx9sqb8556cP6H2m9W
         JsqFKFP9bPlGSxMsRJyqm9fLGpbIbaJswKmYjlDHtmQVwbENfF2u4KdByqrL7YYv0Fm7
         QrdQ==
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=business.com dmarc=pass fromdomain=business.com);
       spf=pass (google.com: domain of srs0=jj3f+e=qq=business.com=info@srs.smtpin.rzone.de designates 85.215.255.5 as permitted sender) smtp.mailfrom="SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de";
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=business.com
Return-Path: <SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de>
Received: from mi4-p00-ob.smtp.rzone.de (mi4-p00-ob.smtp.rzone.de. [85.215.255.5])
        by mx.google.com with ESMTPS id k186si29824946wme.78.2021.11.29.04.28.10
        for <customer@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 29 Nov 2021 04:28:10 -0800 (PST)
Received-SPF: pass (google.com: domain of srs0=jj3f+e=qq=business.com=info@srs.smtpin.rzone.de designates 85.215.255.5 as permitted sender) client-ip=85.215.255.5;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=business.com dmarc=pass fromdomain=business.com);
       spf=pass (google.com: domain of srs0=jj3f+e=qq=business.com=info@srs.smtpin.rzone.de designates 85.215.255.5 as permitted sender) smtp.mailfrom="SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de";
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=business.com
ARC-Seal: i=1; a=rsa-sha256; t=1638188890; cv=none;
    d=strato.com; s=strato-dkim-0002;
    b=Y0FXEZ/PHzEfF+cjiz1IHYn8BXYuNWtzQcmRFZ+lH82WdGyNmh36xRIM6Of1SOQTUo
    naeXlE5jLps6ciN+Ft2BPOqQ5pfMJuiC8dpiGb0YbTO2b1ZCIIKKvhCDJB5jWx4wB0hg
    9/fn6iUnkNgChBOQFsVy8mKmUOlrP+i34yv+YintSLHXeBcMywxO78mocAssGO+Y1etB
    6k4bTf3IsFKFoVqo59Riv2I7YTRuFKcBMjjU6QXkjfQGk4ucsSGEwrGapxGUL/ywRxQ8
    jg7zRfDozQOtu0y6E5bI5pBlHcgsAlBP4e12H9pcKJZmqDAsiBhyPOYZ3hTmFF8FGQYb
    b7rA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; t=1638188890;
    s=strato-dkim-0002; d=strato.com;
    h=Subject:Message-ID:To:From:Date:Cc:Date:From:Subject:Sender;
    bh=SxpiSrw1J7WezP/1/i8lCtuyzA7UZ3rHWWlonqyZ9+k=;
    b=Aruxt7PYnioLPjpuz9W9HLOKsyEdwM7wg03bSQQoo1POUaUjfp2LJML5e9UIXrxxtF
    g7mT1l0HEPs5IvFUs3RT9/1BPHYIFzUJPtQ2b40gdONc/ct3KqAZkcbt42F4iqAC6PSx
    LBJGnfzkie8UCvQm7N9kqFMzner/ytTQNyRVjEolI14srGeFqDH6oROBe3ov9BmAE5Xm
    9I2BAlrn+9mMHTfeRDNvV6eZG4nDmBobLymbxEbTMarXxREHcB4vsiXjuDumCwgM7+uf
    hsTdVg6iteiVvhPwrX4d94l8YnQaZmu1VWGOTHr+7A4wfVw9R5sKEkMl9k+ufdCxLSYm
    s9PA==
ARC-Authentication-Results: i=1; strato.com;
    dmarc=pass (p=NONE sp=NONE) header.from="business.com";
    dkim=none;
    dkim-adsp=none;
    spf=pass smtp.mailfrom="info@business.com"; x-fwd=pass
X-RZG-FWD-BY: contact@customer.com
Received: from localhost ([unix socket]) by mailin.rzone.de (RZmta 47.34.10) with LMTPS; Mon, 29 Nov 2021 13:28:06 +0100 (CET)
Authentication-Results: strato.com;
    dmarc=pass (p=NONE sp=NONE) header.from="business.com";
    dkim=none;
    dkim-adsp=none;
    spf=pass smtp.mailfrom="info@business.com"
X-RZG-Expurgate: clean/normal
X-RZG-Expurgate-ID: 149500::1638188886-00002087-ACA24CAE/0/0
X-RZG-CLASS-ID: mi00
Received-SPF: pass
    (strato.com: domain business.com designates 212.227.126.134 as permitted sender)
    mechanism=ip4;
    client-ip=212.227.126.134;
    helo="mout.kundenserver.de";
    envelope-from="info@business.com";
    receiver=smtpin.rzone.de;
    identity=mailfrom;
Received: from mout.kundenserver.de ([212.227.126.134])
    by smtpin.rzone.de (RZmta 47.34.10 OK)
    with ESMTPS id i04ad6xATCS66Kg
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits))
    (Client CN "mout.kundenserver.de", Issuer "TeleSec ServerPass Class 2 CA" (verified OK (+EmiG)))
        (Client hostname verified OK)
    for <contact@customer.com>;
    Mon, 29 Nov 2021 13:28:06 +0100 (CET)
Received: from oxbaltgw60.schlund.de ([172.19.246.147]) by mrelayeu.kundenserver.de (mreue011 [213.165.67.97]) with ESMTPSA (Nemesis) id 1M8Qme-1mw5bi2Que-004UxE for <contact@customer.com>; Mon, 29 Nov 2021 13:28:06 +0100
Date: Mon, 29 Nov 2021 13:28:06 +0100 (CET)
From: Ahmet Darici <info@business.com>
To: "contact@customer.com" <contact@customer.com>
Message-ID: <1918218012.571336.1638188886177@email.ionos.de>
Subject: hallo2
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Normal
X-Mailer: Open-Xchange Mailer v7.10.4-Rev27
X-Originating-Client: open-xchange-appsuite
X-Provags-ID: V03:K1:mRRBqUrPizASBMiljn9US5sIpVthQQk5eU4w/v8FViigHH+/wxb ePGBV5f7WprkdRR/47IvNJPLiNJCQjHxmLQ0WMGnE6nTi399TlP3ZccrkV8FQVM2cJcGFBY qFSW0OsUH7vafzJrY0gsods16/cjM6ezspVdhLkAD4gf8d6PHGxmTUzza5L0rLXZmW6vQLF JR3kvn4tz4RL5cGEs8A7A==
X-Spam-Flag: NO
X-UI-Out-Filterresults: notjunk:1;V03:K0:WHzLx0AsRV0=:ed+ZH/VC2G9UgLcjpvN82W 4agUkiqKMYdoOHbBlgd/xzxFnFPVCNem5MmZp8t2wEQaRtUNqmo6IC0k6o0QVKEQbGmnnVYBP XMLzL3SvQ6XqVG0bMAdmfMk44WJa6roKc1bXkA2YoaUfVGWnGvI4qt1mfsZUVo51T6hzQKLmb 7pfhv+UtzhzGofs1fSzcyeIizTh2WWisGCLOI+Hbh1LgCY3m41kX9YBKqm5+Vi1vCwTrtSgSA zNbc6SUW8ge06NpUF1NXmtjQu+/vHDc09GJNLoMxN0vy43SMCKiTDpwV6I5WH9pQ2L9ksaZj8 uUdysqOT8H/GXnFslqh9tkHcv38huIuLbEMMzDLFEoe/q+0IPEuP3sp4YSqA0wXLLxmSu6IPq xzH/KaxlgWOUhsRfJni/s3dgUVGf6Nq0FfeThS46doK4yyarQNxNBD1vR6I7FV5zRa/gxiwvg 74CFYcTZyp3PYjd8DaaIRW08fD5shrD3Ec+o/PgjrbNeHnJwp3/d4/1wrbqIvCkKvzfnEtu57 Bgyv21dD4QimzKsrimop6Kr3HxxmpB/3s2iJybQADFVvVOc7c1rpqzBriYmMAAaampHJmNry4 5tS02FBH8Xz+pqBsVsxCmJv4hSCnzgjF8orHVzN0CGvucKlfbut7N/irkksntGkxEgtSvj8AR FPbGYwwviGgGr2g10z+Ctu4YbiztsYUG9h1ISoQAEdOBa0wb2P7aBcBNtyLEyFp+cQUrwdWOr ImQ4TpYj6zusrb+g

<!doctype html>
<html>
 <head> 
  <meta charset="UTF-8"> 
 </head>
 <body>
  <div style="" class="default-style">
   hallo2
  </div>
 </body>
</html>

2 Answers

4

This problem seems to be introduced by mail forwarding. It looks like the original mail was sent to the customer's domain hosted by strato.com and from there automatically forwarded to a gmail.com address. While the original SMTP sender of business.com was aligned with the From header in the mail, this alignment got lost due to a change of the SMTP sender during mail forwarding.

Breaking SPF in one way or another is a known problem with mail forwarding and there is no way to fix it. Instead, DKIM should be used for cryptographic proof that the mail was sent using a mail server responsible for the sender domain business.com. DKIM signatures will still be valid after forwarding, as long as the mail is not changed significantly. Since DMARC will pass if either SPF or DKIM passes, a valid and aligned DKIM signature will make the non-aligned SPF irrelevant.

Adding DKIM must be done at the outgoing mail server responsible for business.com. In addition, a special DNS entry within the domain must be set up which contains the public key needed to validate the DKIM signature.

Steffen Ullrich
  • That sounds interesting, as there is a forwarding in place. I will test with another mail without forwarding. – danielmoessner Nov 29 '21 at 16:04
  • It actually is the "customer's" email that forwards and leads to the dmarc failure. As ionos doesn't support DKIM I just removed DMARC and I think that will help. – danielmoessner Nov 29 '21 at 21:25
  • @danielmoessner: Sure, if you disable spoofing detection (DMARC) it will no longer complain about such false positives. It will no longer complain about true positives (i.e. actual mail spoofing) either. So this "fix" is kind of disappointing but might be the best you could do here. – Steffen Ullrich Nov 30 '21 at 05:17
0

The failure is correct, based on the provided message headers which include:

Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=business.com dmarc=pass fromdomain=business.com);
       spf=pass (google.com: domain of srs0=jj3f+e=qq=business.com=info@srs.smtpin.rzone.de designates 85.215.255.5 as permitted sender) smtp.mailfrom="SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de";
       dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=business.com

Since smtp.mailfrom="SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de" (SPF-authenticated organizational domain is rzone.de) and header.from=business.com (RFC5322.From organizational domain business.com) are not the same, the DMARC test fails.

The email needs to have the RFC5322.From organizational domain match the SPF-authenticated organizational domain.

However, it does not appear you have provided the actual domains:

$ dig +short txt _dmarc.business.com
"v=DMARC1; p=quarantine; pct=100; rua=mailto:85ed4cbf@mxtoolbox.dmarc-report.com,mailto:helpdesk@business.com; ruf=mailto:85ed4cbf@forensics.dmarc-report.com,mailto:helpdesk@business.com; fo=1"

It is impossible to know this answer is correct due to GIGO.

Paul
  • business.com and customer.com are just examples. I've replaced the original domains. – danielmoessner Nov 29 '21 at 15:32
  • Then it is impossible to know that the answer is correct. Questions involving public DNS cannot be verified correct by the person answering the question. – Paul Nov 29 '21 at 16:29
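
Both answers come down to DMARC identifier alignment, which can be re-derived from the Authentication-Results headers in the question. The following is an added example, not code from either answer: it parses the strato.com and mx.google.com results and recomputes the verdict. The organizational domain is approximated as the last two labels (real evaluators use the Public Suffix List), and `AR_WITH_DKIM` is a constructed header showing the forwarded hop with an aligned DKIM signature.

```python
import re

# Authentication-Results values copied from the message in the question.
AR_STRATO = ('strato.com; dmarc=pass (p=NONE sp=NONE) header.from="business.com"; '
             'dkim=none; dkim-adsp=none; spf=pass smtp.mailfrom="info@business.com"')
SRS = '"SRS0=JJ3f+E=QQ=business.com=info@srs.smtpin.rzone.de"'
AR_GOOGLE = ('mx.google.com; arc=pass (i=1 spf=pass spfdomain=business.com '
             'dmarc=pass fromdomain=business.com); spf=pass (google.com: domain of '
             'srs0=jj3f+e=qq=business.com=info@srs.smtpin.rzone.de designates '
             '85.215.255.5 as permitted sender) smtp.mailfrom=' + SRS + '; '
             'dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=business.com')
# Constructed (not from the page): same forwarded hop, but the sender signed with DKIM.
AR_WITH_DKIM = ('mx.google.com; dkim=pass header.d=business.com; spf=pass '
                'smtp.mailfrom=' + SRS + '; dmarc=pass header.from=business.com')

def parse_auth_results(value):
    """Return {method: (result, {property: value})} for one header value."""
    # Drop comments first: the arc=pass comment repeats "spf=pass dmarc=pass" text
    # that a plain substring search would mistake for this hop's own results.
    value = re.sub(r"\([^()]*\)", " ", value)
    out = {}
    for part in value.split(";")[1:]:          # first field is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", part, re.S)
        if m:
            pairs = re.findall(r'([\w.]+)=("[^"]*"|\S+)', m.group(3))
            out[m.group(1)] = (m.group(2), {k: v.strip('"') for k, v in pairs})
    return out

def org_domain(addr_or_domain):
    """Assumption: organizational domain = last two labels (no Public Suffix List)."""
    domain = addr_or_domain.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def dmarc_eval(value):
    """Pass if SPF or DKIM passed for a domain aligned (relaxed) with header.from."""
    res = parse_auth_results(value)
    from_org = org_domain(res["dmarc"][1]["header.from"])
    aligned = []
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        result, props = res.get(method, ("none", {}))
        if result == "pass" and org_domain(props.get(prop, "")) == from_org:
            aligned.append(method)
    return ("pass" if aligned else "fail"), aligned

if __name__ == "__main__":
    for name in ("AR_STRATO", "AR_GOOGLE", "AR_WITH_DKIM"):
        print(name, dmarc_eval(globals()[name]))
```
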