
I've recently started configuring and using DMARC reports and I have the following question. How can the DKIM domain not be my domain (and pass)?

I have the following report

 <record>
  <row>
    <source_ip>185.53.XXX.XXX</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
      <reason>
        <type>forwarded</type>
        <comment>looks forwarded, not quarantined for DMARC</comment>
      </reason>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>customer.co.uk</domain>
      <result>pass</result>
      <selector>default</selector>
    </dkim>
    <spf>
      <domain>gmail.com</domain>
      <result>softfail</result>
    </spf>
  </auth_results>
</record>

We send an email to a customer; the source_ip is not from my domain but related to the customer's email server. And the DKIM domain is that of the customer (and the DKIM passes). I understand that the report is not about an email my company sent but one that the customer sent (probably forwarding an email we sent).

The first question is, why is this showing at all in my report? Is that because it is forwarding an email from me (in the From field)? In that case, is the DKIM mine or the customer's? Similarly, which SPF and DMARC rules are being used, those of my domain or of the customer's domain?

mb14

1 Answer

> why is this showing at all in my report

Because the customer had your address as sender of this mail (From in Mail header) and so DMARC was checked against your domain.

> In that case, is the DKIM mine or the customer one.

Since it was sent over the customer's mail server, it is the DKIM from the customer or whatever service is used by the customer. In case of mail redistribution the mail might still contain the original DKIM headers from you too, i.e. contrary to SPF the DKIM can survive forwarding.

> which SPF and DMARC rules are being used

The SPF policy depends on the sender domain given in the SMTP envelope (not the mail header). With DKIM, each mail server on the way might add its own DKIM header, i.e. it is not uncommon to have multiple DKIM headers for different domains involved in the transport. For DMARC, only the SPF and DKIM information where the domain is aligned with the domain inside the From of the mail header is relevant. Everything else gets ignored.

As to how to read the DKIM report:

  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>

This means any DKIM or SPF information it will use in DMARC validation must align with the domain mydomain.com.

  <auth_results>
    <dkim>
      <domain>customer.co.uk</domain>
      <result>pass</result>
      <selector>default</selector>
    </dkim>

This means there was a single DKIM signature, issued by the domain customer.co.uk. Since this does not match mydomain.com the DKIM check will fail, which is reflected in the policy_evaluated section.

    <spf>
      <domain>gmail.com</domain>
      <result>softfail</result>
    </spf>

This means that the SMTP envelope sender was for the domain gmail.com. Since this does not match mydomain.com the SPF check will fail, which is reflected in the policy_evaluated section.

Steffen Ullrich
  • So, DMARC is checked from the Mail header (mine) and SPF from the host sending the email (the customer's). Am I right? DKIM can be both, but the report shows only one (or both?). In policy_evaluated DKIM fails but it passes in auth_results ... – mb14 Sep 15 '22 at 13:16
  • @mb14: *"Am I right ?."* - I'm not sure since the wording you use might be interpreted in various ways. DMARC is trying to verify the sender domain shown in the mail client - which is the "From: ..." in the mail header. SPF is using the domain from the SMTP dialog, also called envelope sender - which is not displayed in the mail client. With DKIM a mail server involved in the delivery can add a signature to the mail which can be verified by getting the public key for the signature from the domain-specific DNS. – Steffen Ullrich Sep 15 '22 at 13:54
  • Thanks. Does dkim=failed in policy_evaluated refer to my DKIM or the customer's DKIM? Same question for auth_result/dkim/result. – mb14 Sep 15 '22 at 13:56
  • @mb14: There was no DKIM signature from your domain in the mail. See also the updated answer. – Steffen Ullrich Sep 15 '22 at 14:10
  • I see. If there were multiple DKIM signatures, would we have multiple dkim entries in auth_result? Final question: has the email been delivered (i.e. has the forward succeeded)? – mb14 Sep 15 '22 at 14:25
  • @mb14: if there are multiple DKIM signatures then there are multiple entries in the report. *"has the email been delivered"* - based on `none` the policy is none, i.e. no action is taken on DMARC fail. This does not mean that the mail was delivered, it only means that it was not blocked due to DMARC. The DMARC report makes no statement about the status of the mail delivery, only about the result of the DMARC evaluation. – Steffen Ullrich Sep 15 '22 at 14:44
  • Ok, I've set up p=quarantine, but disposition is none (instead of quarantine) because the receiving server decided to override my policy because it is a forward (thus reason=forward). – mb14 Sep 16 '22 at 10:51
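
The alignment rule discussed in this thread can be replayed over the record from the question. The following Python is an added example, not part of the original question, answer or comments: it recomputes the `policy_evaluated` verdict from `auth_results`, showing why a DKIM `pass` for `customer.co.uk` still yields `dkim=fail` for DMARC. The sample record is a compacted copy with a documentation IP address, and the two-label suffix set is an assumed stand-in for the Public Suffix List that real receivers use.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the record from the question, compacted; the source IP
# is replaced by a documentation address (192.0.2.10).
RECORD = """<record>
  <row><source_ip>192.0.2.10</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>customer.co.uk</domain><result>pass</result></dkim>
    <spf><domain>gmail.com</domain><result>softfail</result></spf>
  </auth_results>
</record>"""

# Assumption: tiny stand-in for the Public Suffix List, enough for this sample.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def org_domain(domain):
    """Registrable part of a name, e.g. mail.customer.co.uk -> customer.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, header_from, strict=False):
    """Strict needs an exact match, relaxed only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def evaluate(record_xml, strict=False):
    """Recompute the DMARC verdict of one <record> from its auth_results."""
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    checks = []
    for mech in ("dkim", "spf"):
        for el in rec.findall(f"auth_results/{mech}"):  # one element per signature
            domain, result = el.findtext("domain"), el.findtext("result")
            ok = aligned(domain, header_from, strict)
            # A mechanism counts for DMARC only if it passed AND is aligned.
            checks.append((mech, domain, result, ok, result == "pass" and ok))
    verdict = {m: "pass" if any(c[4] for c in checks if c[0] == m) else "fail"
               for m in ("dkim", "spf")}
    verdict["dmarc"] = "pass" if "pass" in verdict.values() else "fail"
    return header_from, checks, verdict

if __name__ == "__main__":
    header_from, checks, verdict = evaluate(RECORD)
    for mech, domain, result, ok, counts in checks:
        print(f"{mech}: d={domain} result={result} aligned={ok} counts={counts}")
    print(header_from, verdict)
```
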