5

My DMARC DNS record looks like this: (domain name is redacted)

_dmarc.domain.com TXT "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@domain.com; ruf=mailto:dmarc@domain.com; rf=afrf; pct=100; ri=86400"

Now, I receive aggregate DMARC and forensic DMARC reports from Gmail, Comcast, Yahoo, Emailsrv, etc.

But I'm not receiving any reports from Aol, Hotmail, Msn, Outlook, Live.

Any ideas why? (I'm certain that email IS being sent to addresses on those ESPs, and both SPF and DKIM pass)

Any suggestions to make the DNS record format more ESP-inclusive?

Thanks in advance.

agbb
  • I wonder if there is an issue with having the same mailto for both rua and ruf? Or maybe not having declared values for the adkim, aspf or fo options? – agbb Dec 15 '17 at 11:30
  • I added adkim, aspf and fo options to the record now; I'll see if there are any improvements. The record value now is: "v=DMARC1; p=none; sp=none; rua=mailto:dmarc@domain.com; ruf=mailto:dmarc@domain.com; rf=afrf; pct=100; ri=86400; adkim=r; aspf=r; fo=1;" – agbb Dec 15 '17 at 13:39
  • Found AOL and Fastmail reports being kept in an in-between SPAM folder (dmarc@domain.com is an alias for a mailbox which then FWDs to my inbox). So AOL is good. Still no clues about Hotmail and friends. – agbb Dec 15 '17 at 13:41
  • 5
    There may be a problem on Microsoft's end. We stopped getting Microsoft's DMARC reports abruptly on Oct 31 and haven't seen one since. My best guess is that it's related to the major changes they've been making to their email systems over the past few months (see https://wordtothewise.com/2017/09/microsoft-changes/ and https://wordtothewise.com/2017/12/microsoft-mxs-changed/ ). – Sequoyah Dec 18 '17 at 21:59
  • @Sequoyah omg they could have pulled this off so much more smoothly... DMARC is important! – agbb Dec 19 '17 at 22:27

1 Answer

2

Your DMARC record looks great (assuming the obfuscated "domain.com" isn't hiding a typo, but since it works for some I'd guess not) and I've had issues in the past with particular mail hosts not sending DMARC reports.

But do remember that external mail agents aren't required to send DMARC reports to you. Nothing says they must use DMARC or report on their DMARC evaluations. Only that if they do report, they must use the specified addresses. It'd be nice if they did send reports as that helps you [us] see where mail & spam problems are coming from, and fix them. But that isn't a guarantee.

Looking at my logs I don't see HoTMaiL, MSN, or Live.com reports for a while. But I do see Outlook.com and domains that I know are O365 hosted. Are you still having problems? If so, you may be seeing the result of should and may versus shall and must in the specifications.

Ruscal
  • I'm not sure I understand your last sentence. What do you mean by should vs shall and may vs must ? – agbb Jan 08 '18 at 16:51
  • 1
    A mail agent "should" or "may" send a DMARC report to you (according to the RFC). Which means "they can, if they want to." If the specification for DMARC had instead used "shall" or "must" in the language, that would mean "they are required to send the DMARC reports, whether they want to or not." Because the "permissive but not required" language is used, it means that not everyone will send you DMARC reports. It is a common "gotcha" with specifications like this. Most of us do what we "should", but that doesn't mean everyone will. – Ruscal Jan 08 '18 at 18:10
  • right, so my issue is actually that RFC spec SHOULD have been more strict! (https://tools.ietf.org/html/rfc7489) – agbb Jan 08 '18 at 21:51
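
An added example, not part of the original thread and not code from any of its posters: a small parser that applies the RFC 7489 section 6.3 defaults to the two records quoted in the question and its comments. It shows that the only effective difference between them is `fo`, since `adkim=r` and `aspf=r` are already the defaults. The function names are hypothetical.

```python
# Added example: compare DMARC records after applying RFC 7489 sec. 6.3 defaults.
# Defaults for tags a record may omit (sp is handled separately: it inherits p).
RFC7489_DEFAULTS = {"adkim": "r", "aspf": "r", "fo": "0",
                    "pct": "100", "rf": "afrf", "ri": "86400"}

def parse_dmarc(txt):
    """Return the tags explicitly present in a DMARC TXT value, in order."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip()] = value.strip()
    # The version tag must come first, and a policy tag is required.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags

def effective_policy(txt):
    """Explicit tags layered over the defaults a receiver would assume."""
    eff = dict(RFC7489_DEFAULTS)
    eff.update(parse_dmarc(txt))
    eff.setdefault("sp", eff["p"])        # subdomain policy falls back to p
    return eff

def policy_diff(old, new):
    """Tags whose effective value differs: {tag: (old_value, new_value)}."""
    a, b = effective_policy(old), effective_policy(new)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# The two record values quoted on this page (domain redacted by the asker).
ORIGINAL = ("v=DMARC1; p=none; sp=none; rua=mailto:dmarc@domain.com; "
            "ruf=mailto:dmarc@domain.com; rf=afrf; pct=100; ri=86400")
UPDATED = ORIGINAL + "; adkim=r; aspf=r; fo=1;"

if __name__ == "__main__":
    print(policy_diff(ORIGINAL, UPDATED))
```

The `fo` tag only controls when failure (`ruf`) reports are generated, so neither record changes whether a receiver chooses to send aggregate reports.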