
We have a problem with the _dmarc record for our alias domain. We use AWS’s DNS (Route 53) and Google Apps. When sending an email from the primary domain, _dmarc passes validation. But when sending from the alias domain, it fails.

This is the header of an email sent from the primary domain:

From:   Caroline<caroline@primarydomain.com.br>
To:     caroline@anotherdomain.com
SPF:    PASS with IP 209.85.220.41
DKIM:   'PASS' with domain primarydomain-com-br.20150623.gappssmtp.com
DMARC:  'PASS'

And this is the header when using the alias domain:

From:   Caroline<caroline@aliasdomain.com>
To:     caroline@anotherdomain.com
SPF:    PASS with IP 209.85.220.41
DKIM:   'PASS' with domain aliasdomain-com.20150623.gappssmtp.com
DMARC:  'FAIL'

We have already tried several different options for the dmarc record in the alias domain. We are not applying policies, p=none, and we have already checked the record using some online tools. They all report the record as valid. We have even tried redirecting the SPF record ("v=spf1 redirect=primarydomain.com.br").

We have two other domains that use GoDaddy's DNS; one is the primary, the other is an alias, and email is also hosted in Google Apps. For these two domains dmarc always passes.

This is the header from the primary domain:

From:   Caroline<caroline@primarydomain.com>
To:     caroline@anotherdomain.com
SPF:    PASS with IP 209.85.220.41
DKIM:   'PASS' with domain primarydomain.com
DMARC:  'PASS'

And this is the header from the alias domain:

From:   Caroline<caroline@aliasdomain.com>
To:     caroline@anotherdomain.com
SPF:    PASS with IP 209.85.220.41
DKIM:   'PASS' with domain aliasdomain.com
DMARC:  'PASS'

In both comparisons, the Return-Path is set to the primary domain:

Return-Path: <caroline@primarydomain.com>
Return-Path: <caroline@primarydomain.com.br>

The only difference we could spot between the two comparisons is the DKIM record:

DKIM:   'PASS' with domain primarydomain-com-br.20150623.gappssmtp.com
DKIM:   'PASS' with domain aliasdomain-com.20150623.gappssmtp.com
DKIM:   'PASS' with domain primarydomain.com
DKIM:   'PASS' with domain aliasdomain.com

We are wondering if the ".20150623.gappssmtp.com" appended to the domain for the DKIM record (AWS) could be the problem, because it seems to be the only difference between AWS's and GoDaddy's DNS configuration.

How can we configure the DNS records in AWS to fix this issue?

We suspect the issue with the dmarc record is the reason why ALL of the emails we send to @hotmail.com and @outlook.com end up in the junk folder.

Help is very much appreciated.

Thanks in advance, Caroline

1 Answer

In DMARC, the domain used in the From: header must align, i.e. match, with one or both of:

  • the domain used in RFC5321 MAIL FROM i.e. the Return-Path, with passing SPF test
  • the domain used in (verified) DKIM signatures d= signing domain.

In strict mode an exact match is required, and the relaxed mode will pass with a matching organizational domain, i.e. it could have a different subdomain.

Here, you don't have a proper alignment, as the domain used in the DKIM signature is cogniapp-com.20150623.gappssmtp.com, and you said that the envelope sender is the main domain, supposedly:

Return-Path: <caroline@carolineoliva.com>
From:   Caroline Oliva <caroline@cogniapp.com>
To:     carol@carolineoliva.com
SPF:    PASS with IP 209.85.220.41
DKIM:   'PASS' with domain cogniapp-com.20150623.gappssmtp.com
DMARC:  'FAIL'

So you must change the return path and DKIM signature to match cogniapp.com. The DKIM signature is even more important, as it's the only method that could survive forwarding.

Also notice that the failing DMARC doesn't cause any actual harm, because all your domains are currently set to "v=DMARC1; p=none" meaning no action should be taken based on the DMARC test.

Esa Jokinen
  • How can I change the return-path to match my alias domain? I cannot find this option in Google Suite configuration. Thanks in advance! – Caroline Oliva Mar 15 '20 at 18:52
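
The alignment rule from the answer, applied to the four header sets in the question, as an added example that is not part of the original posts. The `SUFFIXES` set is a small constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Added example: DMARC identifier alignment as described in the answer.
# SUFFIXES is a tiny constructed stand-in for the Public Suffix List (assumption).
SUFFIXES = {"com", "br", "com.br"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tests the longest candidate first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: fall back to two labels

def aligned(from_domain, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_eval(from_domain, return_path_domain, spf_pass, dkim_sigs,
               aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature verified) pairs."""
    spf_ok = spf_pass and aligned(from_domain, return_path_domain, aspf == "s")
    dkim_ok = any(ok and aligned(from_domain, d, adkim == "s")
                  for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# The four header sets from the question: (From, Return-Path, DKIM d=).
CASES = {
    "route53 primary": ("primarydomain.com.br", "primarydomain.com.br",
                        "primarydomain-com-br.20150623.gappssmtp.com"),
    "route53 alias":   ("aliasdomain.com", "primarydomain.com.br",
                        "aliasdomain-com.20150623.gappssmtp.com"),
    "godaddy primary": ("primarydomain.com", "primarydomain.com",
                        "primarydomain.com"),
    "godaddy alias":   ("aliasdomain.com", "primarydomain.com",
                        "aliasdomain.com"),
}

def evaluate_cases():
    # SPF and DKIM both verified in every header shown, so only alignment differs.
    return {name: dmarc_eval(frm, rp, True, [(d, True)])
            for name, (frm, rp, d) in CASES.items()}

if __name__ == "__main__":
    for name, result in evaluate_cases().items():
        print(f"{name:16} {result}")
```

The Route 53 primary domain passes on SPF alignment alone (its DKIM d= is under gappssmtp.com too), which is why only the alias, where neither identifier aligns, fails.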