DMARC is blocking email that seems like it should be allowed

Question

This is the DMARC record we have set

v=DMARC1; p=reject; rua=mailto:[redacted]@coinbase.com; adkim=r; aspf=s

So we are rejecting any not match with SPF strictly, and DKIM is relaxed.

Here is the SPF record:

v=spf1 mx ptr include:_spf.google.com include:amazonses.com include:servers.mcsv.net ip4:216.146.46.11/24 ip4:54.240.0.0/16 -all

servers.mcsv.net is the relevant one here, this is for MailChimp.

Now, when mailchimp sends emails, here are the relevant headers (taken from before we had DMARC set to reject):

Delivered-To: [redacted]@gmail.com
Return-Path: <bounce-mc.us5_10399111.473393-[redacted]=gmail.com@mail43.atl11.rsgsv.net>
Received: from mail43.atl11.rsgsv.net (mail43.atl11.rsgsv.net. [205.201.133.43])
        by mx.google.com with ESMTP id j28si35440183yha.171.2014.05.21.09.07.49
        for <[redacted]@gmail.com>;
        Wed, 21 May 2014 09:07:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-mc.us5_10399111.473393-[redacted]=gmail.com@mail43.atl11.rsgsv.net designates 205.201.133.43 as permitted sender) client-ip=205.201.133.43;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of bounce-mc.us5_10399111.473393-[redacted]=gmail.com@mail43.atl11.rsgsv.net designates 205.201.133.43 as permitted sender) smtp.mail=bounce-mc.us5_10399111.473393-[redacted]=gmail.com@mail43.atl11.rsgsv.net;
       dkim=pass header.i=@mail43.atl11.rsgsv.net;
       dmarc=fail (p=NONE dis=NONE) header.from=coinbase.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail43.atl11.rsgsv.net;
 h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=[redacted]=3Dcoinbase.com@mail43.atl11.rsgsv.net;
 bh=o5A5eXnTv4l6rsLeAnZJnMWMM68=;
 b=TuFkaiUuroZ81dqLE6inBqApDru17Je2eBBRhPSwcLjFqSnQYasdQeoKdSseroRiNsVwR2l+VMgo
   AjDCgEcXlmKQ1OZwgFJRoy/YKcV2aWfAaNttoLg/Ia1mqRVI+KOA6CIHE+1sbjc8vGdbkxHpnhkw
   vyKFBZn8BdHmLyBUr88=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=gmail.mcsv.net;
 h=Subject:From:Reply-To:To:Date:Message-ID:X-Feedback-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
 bh=o5A5eXnTv4l6rsLeAnZJnMWMM68=;
 b=pUJSVxxUhdCyKquMzC3XoV8/vdntYc9D9PPEi8+kGHPzyX9JYz2abxclEKparO5titfvKxda7K6R
   m65UTHrkFeMh+lQw7KruA0YBI4ixq07xVUiQkyZRTTuV8oW0R1a/gwWqr4zCnrHbgBmtSg1lKRWF
   Zo4frwnJ67K8gPd/Qlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail43.atl11.rsgsv.net;
 b=WU6GQW9PExrQou81SYai+uiOzWU9FjHdzXPh2NA+g0aKjcDx08ujAcfkOjLRtD6ceTEwdS4GNeyc
   3iwdIXMjwYN1qDzo4Ug3yeKCTjidqcjdxJcRN1pBJ6Dq+bsGkcNiwlh7cFlmTSQEeIobmRCO3FEA
   mEJ3ZB59fs0X9VhAiiw=;
Received: from (127.0.0.1) by mail43.atl11.rsgsv.net id hfj7la1lgi03 for <[redacted]@gmail.com>; Wed, 21 May 2014 16:07:09 +0000 (envelope-from <bounce-mc.us5_10399111.473393-[redacted]=gmail.com@mail43.atl11.rsgsv.net>)
Subject: =?utf-8?Q?Posts=20from=20The=20Coinbase=20Blog=20for=2005=2F21=2F2014?=
From: =?utf-8?Q?The=20Coinbase=20Blog?= <[redacted]@coinbase.com>

You can see DMARC failed. But I don't understand why. The SPF record passes. DKIM does also (although we have that requirement relaxed here).

Maybe I'm misunderstanding something about DMARC, but it seems like this should work.

Thank you for the help!

Answer 1

The domain name extracted from a message's RFC5322 From field is the primary identifier in the DMARC mechanism. This will cause the DKIM validation for DMARC to fail as the document was not signed by coinbase.com.

Either sign it as your domain or remove the DKIM validation from your DMARC record.