
I have set up a postfix which sends emails.

I have configured spf, dkim and dmarc (with p=none).

I have checked with mail-tester: spf and dkim work fine.

I have set up a dmarc rua in order to receive dmarc reports.

I have seen something strange in rua reports:

Sometimes SPF and DKIM are OK.

And sometimes DKIM fails (whereas SPF is good). My question is: How can this be possible?

Thanks

Bob5421
  • There can be many reasons for this, so more information is required to answer your question. Does the RUA report fail only with specific receiving servers? Does it ever pass with those servers? See if you can get a user account there and send emails to see why DKIM fails. Does all of your mail get sent by the same server? You might have a server sending mail that isn't configured correctly. – Paul Jan 13 '22 at 13:43
  • It is specific to some receiving servers. But it works for other servers. I don't know how dkim can work on some receiving servers and not on others. If my dkim configuration was wrong it will never work, for any server. Thanks – Bob5421 Jan 13 '22 at 13:50
  • @Bob5421 Consider providing examples with the full output, with headers, of a simple test email to a recipient that works, and one that does not. – ceejayoz Jan 13 '22 at 13:52
  • Ideally, you get the headers of the email that is failing the test. – Paul Jan 13 '22 at 13:52
  • "If my dkim configuration was wrong it will never work, for any server." This statement is patently wrong. There are configuration problems which may break DKIM selectively for some but not all receiving servers. – Tilman Schmidt Jan 13 '22 at 18:38

1 Answer


SPF and DKIM are completely different mechanisms which can fail independently. SPF checks whether the host delivering a message is allowed to send mail with that sender domain. DKIM checks whether the mail was authorized by the domain owner.

So all four OK/FAIL combinations are possible:

  • SPF ok, DKIM ok: The mail is delivered to its destination by a server that is authorized to send mail from that domain, and its DKIM signature validates correctly.
  • SPF ok, DKIM fail: The mail is delivered by an authorized server but validation of its DKIM signature fails, for example because the key is invalid or unavailable.
  • SPF fail, DKIM ok: The mail's DKIM signature validates correctly but the sending server is not authorized to deliver it, for example because it has been forwarded.
  • SPF fail, DKIM fail: The mail is neither coming from an authorized sending server nor does its DKIM signature validate, for example because its sender domain is spoofed.
Tilman Schmidt
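To see which of the four combinations a given receiver reports, and which sending host and selector are behind each DKIM failure, the rua XML can be tallied per record. The following is an added example, not part of the original post or answer: it assumes the RFC 7489 aggregate report layout without an XML namespace, and the report content, domains and IP addresses are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report (RFC 7489 layout); domains and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver-a.example</org_name></report_metadata>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mail</selector><result>fail</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>2</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <auth_results>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (reporter, {(spf, dkim): message count}, DKIM failure details)."""
    root = ET.fromstring(xml_text)  # reports come from third parties: size-limit them
    reporter = root.findtext("report_metadata/org_name", default="unknown")
    combos, failures = Counter(), []
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", default="1"))
        spf = row.findtext("policy_evaluated/spf")    # DMARC-aligned SPF verdict
        dkim = row.findtext("policy_evaluated/dkim")  # DMARC-aligned DKIM verdict
        combos[(spf, dkim)] += count
        if dkim != "pass":
            ip = row.findtext("source_ip")
            sigs = rec.findall("auth_results/dkim")
            if not sigs:  # receiver saw no signature at all: this host sent unsigned mail
                failures.append((ip, None, None, "none", count))
            for s in sigs:  # a signature was present but did not verify or align
                failures.append((ip, s.findtext("domain"), s.findtext("selector"),
                                 s.findtext("result"), count))
    return reporter, dict(combos), failures

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

A failure row with no selector points at a host that sends without signing, while a row with a selector and result `fail` points at a signature that the receiver could not verify.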