4

I am using AWS SES (in sandbox mode) to send an email to a Gmail address. Unfortunately it gets flagged as spam.

Google is nice enough to tell me in the message details that it is a DMARC failure.

I read the official documentation: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dmarc.html

Here is what confuses me (quotes from that page):

  • “In order to comply with DMARC, messages must be authenticated through either SPF or DKIM, or both.”
  • “By complying with one of these authentication systems, your emails will comply with DMARC”

My question is, why are both SPF and DKIM passing yet DMARC is failing?

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazonses.com header.s=REDACTED header.b=REDACTED;
       spf=pass (google.com: domain of REDACTED@eu-central-1.amazonses.com designates IP_REDACTED as permitted sender) smtp.mailfrom=REDACTED@eu-central-1.amazonses.com;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=QUARANTINE) header.from=example.com

The Return-Path ends in amazonses.com.

(The DNS entries for SPF and DKIM on example.com are present.)

Let me know if you need any additional information to get to the root of the issue.

Esa Jokinen
YannP

2 Answers

8

DMARC does not test if SPF or DKIM has passed, but one of them must both pass and be aligned with the domain used in the From: header. Here, SPF passed with eu-central-1.amazonses.com and DKIM with amazonses.com. They are not aligned with, i.e. do not match, your example.com, so DMARC fails.

Esa Jokinen
  • Thanks for the clarification! Now that the configuration is correct on the SES side there is a second dkim entry in the ARC-Authentication-Results headers with my domain, so it is aligned. – YannP Nov 11 '20 at 17:42
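
The alignment rule from the answer above, as an added example that is not part of the original posts: it parses an Authentication-Results header and recomputes the DMARC verdict from the SPF and DKIM domains. The function names, the sample selectors, the bounce address and the IP are constructed stand-ins for the REDACTED values, and `org_domain` is a simplification (last two labels) where real evaluators use the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict alignment: exact match. Relaxed (the DMARC default): same org domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_auth_results(header):
    """Return the From: domain plus (result, domain) pairs for SPF and DKIM."""
    found = {"from": None, "spf": [], "dkim": []}
    m = re.search(r"header\.from=([^\s;]+)", header)
    if m:
        found["from"] = m.group(1)
    for part in (p.strip() for p in header.split(";")):
        m = re.match(r"(spf|dkim)=(\w+)", part)
        if not m:
            continue
        mech, result = m.groups()
        key = r"smtp\.mailfrom=(\S+)" if mech == "spf" else r"header\.[id]=(\S+)"
        d = re.search(key, part)
        if d:  # keep only the domain part of user@domain or @domain
            found[mech].append((result, d.group(1).rsplit("@", 1)[-1]))
    return found

def dmarc_verdict(header, strict=False):
    """DMARC passes only if some mechanism both passed AND is aligned."""
    r = parse_auth_results(header)
    if r["from"] is None:
        return "fail", []
    hits = [(mech, dom) for mech in ("spf", "dkim") for res, dom in r[mech]
            if res == "pass" and aligned(dom, r["from"], strict)]
    return ("pass" if hits else "fail"), hits

# Constructed samples: the question's header with REDACTED values filled in.
SES_DKIM = "dkim=pass header.i=@amazonses.com header.s=sel1 header.b=AAAA;"
OWN_DKIM = "dkim=pass header.i=@example.com header.s=sel2 header.b=BBBB;"
SES_SPF = ("spf=pass (google.com: domain of bounce@eu-central-1.amazonses.com "
           "designates 192.0.2.10 as permitted sender) "
           "smtp.mailfrom=bounce@eu-central-1.amazonses.com;")
BEFORE = f"i=1; mx.google.com; {SES_DKIM} {SES_SPF} dmarc=fail header.from=example.com"
# After the fix, the comment reports a second dkim entry for the From: domain.
AFTER = f"i=1; mx.google.com; {OWN_DKIM} {SES_DKIM} {SES_SPF} dmarc=pass header.from=example.com"

if __name__ == "__main__":
    print(dmarc_verdict(BEFORE), dmarc_verdict(AFTER))
```

Both SPF and DKIM report `pass` in the first sample, yet neither authenticated domain shares an organizational domain with `example.com`, so the recomputed verdict matches the `dmarc=fail` in the question.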
2

I figured it out.

I had set up the DKIM and SPF for the wrong AWS region.

I am still confused that it passed.

YannP