8

If I send a mail from my website (on a private server) to autoreply@dmarctest.org, I get this report:

```xml
<record>
 <row>
  <source_ip>x.x.x.x</source_ip>
  <count>1</count>
  <policy_evaluated>
   <disposition>none</disposition>
   <dkim>pass</dkim>
   <spf>fail</spf>
  </policy_evaluated>
 </row>
 <identifiers>
  <header_from>mydomain.com</header_from>
 </identifiers>
 <auth_results>
  <spf>
   <domain>mydomain.com</domain>
   <result>pass</result>
  </spf>
  <dkim>
   <domain>mydomain.com</domain>
   <result>pass</result>
  </dkim>
 </auth_results>
</record>
```

The identifiers/header_from and auth_results/spf/domain are both mydomain.com; my sender (and return path) is user@mydomain.com.

The SPF test alone is OK, but the DMARC one (policy_evaluated/spf) fails, and I don't understand why...

My DNS record (SPF/DMARC):

"v=spf1 a mx include:mx.ovh.com -all"

"v=DMARC1\; p=reject\; sp=none\; rua=mailto:postmaster@mydomain.com\; rf=afrf\; pct=100\; ri=86400"
griotteau

2 Answers

5

The reason for the DMARC fail on SPF policy (<policy_evaluated><spf>fail) despite the SPF check passing (<auth_results><spf><result>pass) is that your SMTP "mailFrom" (envelope MAIL From or RFC 5321.MailFrom) & your header "From" fields are out of alignment. I can't be sure from the extract you posted, but it's the likely answer.

e.g. if your mail system sets the envelope MAIL From to <account@mail.provider.tld>, but your header From says the reply address is <account@mydomain.tld> the domains are out of alignment & the DMARC evaluation of SPF will fail, even though you have included mail.provider.tld in your SPF record.

These articles may help:

As Henry said, you only require one of the two tests (SPF or DKIM) to be in alignment for DMARC to pass.

ryansin
Dean Ransevycz
  • Does the alignment test also fail, if the domain is the same but the local-part is different? – comfreak May 18 '17 at 11:45
  • The [link](https://www.unlocktheinbox.com/emailidentifieralignments/) provided by @henry is a good explanation of identifier alignment. In summary: your DMARC policies `adkim` (DKIM alignment) & `aspf` (SPF alignment) dictate whether these should be FQDN matches (_strict_ mode), or just domain matches (_relaxed_ mode). Relaxed mode is the default for both. (e.g. a sending host of _mailer.domain.tld_ with a DKIM or SPF domain of _domain.tld_ would pass relaxed alignment, but fail strict alignment.) – Dean Ransevycz May 22 '17 at 00:11
  • I checked the link and it seems like the local-part is not relevant but I still get DMARC failure reports despite having relaxed mode published and a strict mode setup. So it should work perfectly. The only thing that is not matching is the envelope-from and the from header in some emails. That's why I asked, if that might be the reason for the failure reports. – comfreak May 22 '17 at 00:15
  • I'd need to see your published records & the examples from your reports to comment further. – Dean Ransevycz May 22 '17 at 00:23
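
The alignment check described in the answer and comments above, as an added example that is not part of the original posts: it recomputes the DMARC view of SPF and DKIM for one aggregate-report record. The sample record is constructed from the answer's scenario, and treating the last two labels as the organizational domain is a simplifying assumption (real evaluators use the Public Suffix List).

```python
import xml.etree.ElementTree as ET

# Constructed record modelled on the answer's scenario: SPF passes for the
# envelope (MAIL From) domain, but that domain is not the header From domain.
SAMPLE_RECORD = """
<record>
  <identifiers><header_from>mydomain.tld</header_from></identifiers>
  <auth_results>
    <spf><domain>mail.provider.tld</domain><result>pass</result></spf>
    <dkim><domain>mydomain.tld</domain><result>pass</result></dkim>
  </auth_results>
</record>
"""

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator looks it up in the Public Suffix List instead.
    return ".".join(domain.split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact FQDN)."""
    h, a = (d.strip().lower().rstrip(".") for d in (header_from, auth_domain))
    if not h or not a:
        return False
    return h == a if mode == "s" else org_domain(h) == org_domain(a)

def evaluate_record(xml_text, aspf="r", adkim="r"):
    """Recompute policy_evaluated-style results for one <record> element."""
    rec = ET.fromstring(xml_text)
    header_from = rec.findtext("identifiers/header_from") or ""
    verdict = {}
    for mech, mode in (("spf", aspf), ("dkim", adkim)):
        # A mechanism counts for DMARC only if it passed AND its domain aligns.
        ok = any(
            (r.findtext("result") or "").strip() == "pass"
            and aligned(header_from, r.findtext("domain") or "", mode)
            for r in rec.findall(f"auth_results/{mech}")
        )
        verdict[mech] = "pass" if ok else "fail"
    # DMARC passes when at least one aligned mechanism passes.
    verdict["dmarc"] = "pass" if "pass" in (verdict["spf"], verdict["dkim"]) else "fail"
    return verdict

if __name__ == "__main__":
    print(evaluate_record(SAMPLE_RECORD))
    print(aligned("mailer.domain.tld", "domain.tld", "r"),
          aligned("mailer.domain.tld", "domain.tld", "s"))
```
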
1

I don't know much about that testing location; I use mailtest@unlocktheinbox.com as my main go-to email tester. That aside, DMARC can fail if your SPF is not aligned; this is called the ASPF test. DMARC requires SPF, DKIM or both. Since you have SPF working, the only thing that comes to mind is that possibly your ASPF test is failing, or the tester has a possible bug. I did test my email with that test and it did indicate that I passed DMARC.

Henry
  • Does the alignment test also fail, if the domain is the same but the local-part is different? – comfreak May 18 '17 at 11:45
  • 2
    This article explains what you are looking for: https://www.unlocktheinbox.com/emailidentifieralignments/ – Henry May 19 '17 at 00:30