1

I have attached a DMARC report for my domain (this one sent from google). It correctly shows only mail sent from my mta (amazon ses) as passing the DMARC compliance. And the DKIM portion also shows only mail from my MTA as passing. Great.

However, this report shows a few hosts passing SPF authentication, and most failing SPF authentication. Why/how is this possible? I don't even have SPF records set in my DNS? Am I misinterpreting what this report means? Can someone explain what is happening?


TSG
  • If you don't have SPF records every host will pass. That's how SPF works. – Gerald Schneider Jun 04 '19 at 13:49
  • But MOST of the hosts in the report show SPF FAIL. Why would a few pass? – TSG Jun 04 '19 at 13:50
  • Most probably because the domains they use don't have SPF records set. – Gerald Schneider Jun 04 '19 at 13:51
  • Could you elaborate? All senders on the list are forging my domain name as the sender I assume (that's how they got on the DMARC report). – TSG Jun 04 '19 at 13:53
  • Please read the linked question, its answers also answer yours. – Gerald Schneider Jun 04 '19 at 13:53
  • I read that link in detail and I understand the basics of SPF. I don't see how it explains the mixed pass & fails in the report. (Could you spell it out in an answer? I'm sure I'm not the only one what can't figure this out) – TSG Jun 04 '19 at 13:58
  • @GeraldSchneider perhaps I misunderstood your message, but neither in terms of SPF, nor in terms of DMARC will a lack of an SPF record result in a PASS for the check. The result should be "none". I think what you try to say is that, based on SPF, no host will be blocked and recipients will need to rely on different technologies. – Reinto Jun 04 '19 at 14:45
  • @TSG DMARC protects the receiving party from unauthorized use of the email domain in the FROM header of an email. Authorization can either be arranged via SPF or DKIM, or preferably both. Even so, an email can both pass SPF and DKIM checks and still fail DMARC on lack of alignment. SPF is checked on the bounce address domain, not the FROM header. DKIM is checked on the dkim.d= value, not the FROM header. For DMARC to pass, you need domain alignment on at least one of those technologies. – Reinto Jun 04 '19 at 14:51
  • @Rein - can you explain why some would pass, some would fail, when there is no SPF TXT entry for this domain? – TSG Jun 05 '19 at 02:40
  • Hi, Please use mxtoolbox or similar website and do a spf lookout. I suspect a bad zone config somewhere not replicated, if a faulty DNS provider failed its zone update. (Error like that happened to me in the past, an ISP was MX target, when we removed the MX to set it somewhere else, all mail coming from that ISP was still trying to send to that old MX.) – yagmoth555 Jun 05 '19 at 03:09
  • @TSG DMARC data is for the domain used in the `FROM` header. The domain used in the SPF check can be completely different and can pass. That pass is added to the DMARC report. If the domain in the FROM header does not align with the domain in the SPF check, it will fail DMARC on alignment. Looking at the raw DMARC data (XML file), you'll see the domain on which the SPF check is performed. – Reinto Jun 05 '19 at 12:50
  • 1
    @GeraldSchneider this is a question about DMARC; if you click the link you claim this to be a duplicate of and Ctrl+F for "DMARC" you will get 0 hits. The question posted by TSG is why the SPF results in the DMARC report are inconsistent; an article about "what is SPF" is useless. The issue surrounds how DMARC is evaluated. – omniomi Jun 25 '19 at 15:19
  • @GeraldSchneider I have to strongly agree with omniomi that this question is about DMARC and how SPF relates to DMARC. In the light of newer developments in email authentication the linked article is incomplete and provides outdated advice on how one may setup email authentication policies. Please remove the 'Marked as Duplicate' tag and the link to the answer, plus your comments on how SPF works, since they are incorrect (SPF checks will not pass in absence of an SPF record). – Reinto Jul 03 '19 at 10:01

2 Answers

3

It's important to understand which addresses the various authentication mechanisms are checked against. An email message has at minimum two from addresses--the envelope from (RFC 5321) and the header from (RFC 5322). SPF is checked against the envelope from address while DMARC is checked against the header from. If we use some examples:

ENV From: whatever@yourdomain.com
HEADER From: whatever@yourdomain.com

Your lack of an SPF record is an automatic pass, and the domains are the same so DMARC SPF alignment will pass.

ENV From: whatever@differentdomain.com
HEADER From: whatever@yourdomain.com

SPF is checked against differentdomain.com and may or may not pass depending on their rules, and DMARC is checked against your domain but SPF alignment will fail because the domains are different.

DMARC requires that SPF alignment OR DKIM alignment passes. For SPF alignment to pass the ENV From domain must be the same as the header from domain and SPF must pass. For DKIM alignment to pass the domain specified in DKIM's d= attribute must match the domain in the header from and the DKIM signature must be valid.

If your address is in the header you get the DMARC reports but if it wasn't your domain in the envelope you may see SPF results for whatever domain was. In either case if it was correctly DKIM signed it will still pass DMARC because remember, only one or the other alignment check needs to pass.

omniomi
2

An example from your DMARC report:

Host 216.207.245.17 (reverse lookup tells us lists.digium.com) sends 147 emails on behalf of your email domain. These emails PASS an SPF check, but, since the domain used for the SPF check does not align with your email domain, it fails in regards to DMARC.

Especially email forwarders / mailing lists behave this way. Before distributing the email to the members of the list, the bounce address (aka smtp.mailfrom / return-path / envelope from address) is re-written, so that Non-Delivery Reports (NDRs) are sent back to the mailing list provider and not to the original sender.

While the FROM address is shown to the recipient in the email client, the envelope from address is hidden, but IS used to check the SPF on. This is why DMARC is so important to protect against phishing, because SPF (or DKIM) alone does not authenticate the FROM address the recipient sees.

The way mailing lists typically behave will fail DMARC authentication on SPF check, because the alignment between envelope from domain and FROM domain is removed. Also, sometimes DKIM signed fields such as subject are edited, which breaks the original DKIM signature. This is exactly why ARC (Authenticated Received Chain) is being created, as an extension to DMARC. Unfortunately, ARC is still in Draft stage.

So if we look back at our example, the mailing list provider re-writes the envelope from address to something@lists.digium.com and the receiving mail server checks the domain lists.digium.com for an SPF record, which it finds: "v=spf1 a mx ip4:216.207.245.0/26 ~all". SPF passes (216.207.245.17 is part of range 216.207.245.0/26), DMARC fails. Depending on your DMARC policy action and receiving server configuration, the email may be marked as SPAM, quarantined, rejected or delivered to the Inbox.

Reinto
  • "The way mailing lists typically behave will break DMARC" I think you meant "will break SPF alignment". If the signed fragments aren't modified by the mailing list, the DKIM will be fine, so DMARC will pass. – kubanczyk Jun 05 '19 at 15:44
  • 1
    @kubanczyk You are absolutely right. It will break SPF alignment and it will sometimes break DKIM signatures, when signed headers are rewritten. I'll edit my answer to be more specific. – Reinto Jun 05 '19 at 15:54
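The alignment rules from both answers, applied to the raw XML that Reinto points at, as an added example that is not part of either answer or of any DMARC tool: it parses a constructed aggregate-report fragment (yourdomain.example stands in for the asker's domain; the lists.digium.com record reuses the IP and count quoted above; the second record is assumed to be a typical Amazon SES message) and re-derives each record's DMARC verdict from the SPF/DKIM domains, so you can see why an SPF "pass" on lists.digium.com still fails DMARC.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate-report fragment modelled on the page's example:
# the lists.digium.com record reuses the IP and count quoted in the answer,
# yourdomain.example stands in for the asker's domain, and the second record
# is a typical Amazon SES message (SES's own bounce domain, DKIM-signed as yours).
SAMPLE_REPORT = """<feedback>
<policy_published><domain>yourdomain.example</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
<record><row><source_ip>216.207.245.17</source_ip><count>147</count></row>
<identifiers><header_from>yourdomain.example</header_from></identifiers>
<auth_results><spf><domain>lists.digium.com</domain><result>pass</result></spf>
<dkim><domain>yourdomain.example</domain><result>fail</result></dkim></auth_results></record>
<record><row><source_ip>203.0.113.5</source_ip><count>12</count></row>
<identifiers><header_from>yourdomain.example</header_from></identifiers>
<auth_results><spf><domain>amazonses.com</domain><result>pass</result></spf>
<dkim><domain>yourdomain.example</domain><result>pass</result></dkim></auth_results></record>
</feedback>"""


def org_domain(name):
    """Simplified organizational domain (last two labels). Real receivers use the
    Public Suffix List, so this mis-handles names such as example.co.uk."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(report_xml):
    """Re-derive the DMARC verdict for each record from the raw SPF/DKIM results:
    a raw pass only counts when its domain aligns with the header From domain."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    verdicts = []
    for rec in root.findall("record"):
        hfrom = rec.findtext("identifiers/header_from")
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hfrom, aspf)
                     for s in rec.findall("auth_results/spf"))
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hfrom, adkim)
                      for d in rec.findall("auth_results/dkim"))
        verdicts.append({"ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count")),
                         "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok})
    return verdicts
```

Point `evaluate()` at the `<record>` elements of a real report to list, per sending IP, which of the two alignment checks actually carried the DMARC pass.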