
I recently received a DMARC report from Google alerting me to a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our domain with example.com):

  <record>
    <row>
      <source_ip>54.240.27.187</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>mail.example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

Is SPF failing because the header_from value is example.com while the SPF domain value is mail.example.com?

We use Amazon WorkMail and Amazon SES to send both manual and automated email. The From address is usually webmaster@example.com, and we have set our MAIL FROM domain to mail.example.com. Therefore I am a little puzzled as to why Google would report the header_from domain as example.com rather than mail.example.com. We have set an appropriate SPF record for both example.com and mail.example.com.

Also, I tried sending test emails to a Gmail address using both Amazon WorkMail and Amazon SES. In both cases, SPF passed, as did DKIM and DMARC.

  • It appears the DMARC test failed on SPF, which is not the same as failing an SPF test. You didn't post your DMARC records - do you configure adkim or aspf as strict? – Paul Nov 08 '21 at 19:41
  • Yes, both adkim and aspf are set to strict. Our DMARC record is as follows: `v=DMARC1; p=reject; rua=mailto:webmaster@example.com; ruf=mailto:webmaster@example.com; adkim=s; aspf=s; pct=100` – Leo Galleguillos Nov 14 '21 at 20:04

1 Answer


DMARC compares the RFC5322.From domain with the SPF-authenticated domain. In your report, we can see that the RFC5322.From domain is example.com and the SPF-authenticated domain is mail.example.com.

The aspf tag is used to indicate whether the DMARC SPF alignment test should be strict (s) or relaxed (r), with relaxed being the default.

A DMARC record with aspf=r, or with no aspf tag at all, will verify that the RFC5322.From organizational domain matches the SPF-authenticated organizational domain. Your record would pass with this alignment because the organizational domain is example.com for both.

A DMARC record with aspf=s will verify an exact DNS domain match between the RFC5322.From domain and the SPF-authenticated domain.

The DMARC test has failed because aspf=s is configured in your DMARC record and the RFC5322.From domain of example.com and the SPF-authenticated domain of mail.example.com are not the same.

Paul
    Thank you. Btw, https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dmarc.html says to "Ensure that your sending domain uses a relaxed policy for SPF." So, although we wanted a strict policy for security, I guess we will need to make this relaxed for now. – Leo Galleguillos Nov 14 '21 at 20:29
  • You could set a strict DMARC policy on the subdomain and use that as the From so the domains align and use for mail deemed critical even though it looks, well, how it looks. Assuming that option is compatible with their service. – Paul Nov 14 '21 at 20:38
  • Thank you. However, we need to send mail from `webmaster@example.com` and not from `webmaster@mail.example.com`, and the `MAIL FROM` domain must be `mail.example.com`, so I don't think is possible in our case. – Leo Galleguillos Nov 16 '21 at 05:18
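The following is an added worked example, not code from the question, the answer, or Amazon's documentation. It parses the `<record>` posted in the question with the standard library, reads `aspf`/`adkim` from the asker's published DMARC record, and evaluates SPF and DKIM identifier alignment under both strict and relaxed modes, reproducing the `policy_evaluated` block Google reported (SPF fail, DKIM pass, so DMARC still passes because one aligned identifier is enough). The organizational-domain step uses a constructed, deliberately tiny stand-in for the Public Suffix List; a real evaluator must consult the full PSL.

```python
"""Evaluate DMARC identifier alignment for one aggregate-report <record>.

Added example for this thread. Assumptions: the sample record below is the
one posted in the question, SAMPLE_DMARC is the asker's published policy, and
PUBLIC_SUFFIXES is a hypothetical stand-in for the real Public Suffix List.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <record> element from the question, verbatim.
SAMPLE_RECORD = """<record>
  <row>
    <source_ip>54.240.27.187</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
    <spf><domain>mail.example.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

# The asker's DMARC record as quoted in the comments (strict SPF and DKIM alignment).
SAMPLE_DMARC = ("v=DMARC1; p=reject; rua=mailto:webmaster@example.com; "
                "ruf=mailto:webmaster@example.com; adkim=s; aspf=s; pct=100")

# Hypothetical, minimal stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tag/value pairs; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Return the registrable domain: the label just left of the longest known public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC alignment test: exact match when mode is 's', organizational match when 'r'."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_record(record_xml: str, dmarc_record: str) -> dict:
    """Compute aligned SPF, aligned DKIM and the resulting DMARC outcome for one record."""
    rec = ET.fromstring(record_xml)
    tags = parse_dmarc(dmarc_record)
    header_from = rec.findtext("identifiers/header_from")
    # Only identifiers that authenticated are candidates for alignment.
    spf_domains = [e.findtext("domain") for e in rec.findall("auth_results/spf")
                   if e.findtext("result") == "pass"]
    dkim_domains = [e.findtext("domain") for e in rec.findall("auth_results/dkim")
                    if e.findtext("result") == "pass"]
    spf_ok = any(aligned(header_from, d, tags["aspf"]) for d in spf_domains)
    dkim_ok = any(aligned(header_from, d, tags["adkim"]) for d in dkim_domains)
    return {
        "header_from": header_from,
        "spf": "pass" if spf_ok else "fail",
        "dkim": "pass" if dkim_ok else "fail",
        # DMARC passes if either identifier is both authenticated and aligned.
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    print("aspf=s:", evaluate_record(SAMPLE_RECORD, SAMPLE_DMARC))
    print("aspf=r:", evaluate_record(SAMPLE_RECORD, SAMPLE_DMARC.replace("aspf=s", "aspf=r")))
```

Running it shows the same verdict as the report: with `aspf=s`, `mail.example.com` does not equal `example.com`, so SPF fails alignment while the `example.com` DKIM signature aligns and carries the DMARC pass; switching only `aspf=s` to `aspf=r` makes SPF align as well. The `amazonses.com` DKIM signature never aligns in either mode, which is why Amazon's own domain signature alone would not help.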