
I get a DMARC report from Google, and the DKIM check appears twice, one with pass, the other with fail status. This same report includes another record from the same IP with all pass status. Any idea what would cause this, or what I should fix?

Here are the relevant entries from the report, after sanitizing the domain name and IPs. Notice the second record has two different DKIM entries for the same domain:

  <record>
    <row>
      <source_ip>222.222.222.222</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  ..
  <record>
    <row>
      <source_ip>222.222.222.222</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </dkim>
      <dkim>
        <domain>mydomain.com</domain>
        <result>fail</result>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
yhager

1 Answer

The message was likely signed twice; this is not uncommon. Double-signed messages happen the most when a message is forwarded. Is there any chance the message was forwarded somewhere within your domain?

As you can see, the single aligned DKIM pass was enough for DMARC-DKIM, so Google evaluated the double signature correctly. Some setups - Cisco IronPort in particular - do not handle double signatures correctly, but the big ISPs like Google have no problem with it.

cmeid
  • Nice, that was indeed the case for me after thorough analysis of message flow. Is there any authoritative documentation about doubly-signed messages and the impact on DMARC? I couldn't find it in the spec, then again it's pretty deep stuff for a side-line email admin... – Stijn Hoop Oct 23 '15 at 18:29
  • Yes, I have a couple of aliases that will forward mail to Google from an address in my domain. It could be this. Is this a problem then? In other words, can I ask 'quarantine' now, or should I configure postfix not to double sign? – yhager Oct 23 '15 at 20:30
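
To find records like the second one across a whole aggregate report, the following added example (not part of the original question or answer) lists each record's DKIM signatures and flags those that mix pass with another result while still holding an aligned pass. The `SAMPLE` report is constructed from the two records in the question, and the `aligned` helper is a simplified stand-in for relaxed alignment, which properly compares organizational domains.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the two records shown in the question.
SAMPLE = """<feedback>
 <record>
  <row><source_ip>222.222.222.222</source_ip><count>2</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
   <spf><domain>mydomain.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>222.222.222.222</source_ip><count>2</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
   <dkim><domain>mydomain.com</domain><result>fail</result></dkim>
   <spf><domain>mydomain.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
</feedback>"""

def aligned(sig_domain, header_from):
    # Assumption: exact match or parent/child domain counts as aligned.
    # A full check uses organizational domains (Public Suffix List).
    a, b = sig_domain.lower(), header_from.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def summarize(xml_text):
    """Return one dict per <record> describing its DKIM signatures."""
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        sigs = [(d.findtext("domain", ""), d.findtext("result", ""))
                for d in rec.findall("auth_results/dkim")]
        results = {r for _, r in sigs}
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "signatures": sigs,
            # More than one distinct result, one of them a pass.
            "mixed": "pass" in results and len(results) > 1,
            # One aligned pass is enough for the DKIM side of DMARC.
            "aligned_pass": any(r == "pass" and aligned(d, header_from) for d, r in sigs),
            "reported_dkim": rec.findtext("row/policy_evaluated/dkim"),
        })
    return out
```

Records where `mixed` is true and `aligned_pass` is true match the double-signed case described in the answer; a record with only failing signatures would need a different investigation.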