
What does it mean when some DMARC records indicate a failure for the correct server:

  <record>
    <row>
      <source_ip>1.2.3.4</source_ip>
      <count>8</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mail.example.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>mail.example.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>

In the same report there are records where it passes:

  <record>
    <row>
      <source_ip>1.2.3.4</source_ip>
      <count>57</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mail.example.copm</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mail.example.copm</domain>
        <result>pass</result>
        <selector>GUID</selector>
      </dkim>
      <spf>
        <domain>mail.example.copm</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>

Would you please help me understand what this implies?

Louis Waweru

1 Answer


That implies that 8 reported mails from the same source server failed both the DKIM and SPF checks and 57 failed only the SPF check.
So not all mails are DKIM signed (or not correctly, or not sufficiently "relaxed", but the report implies they do not have a syntactically correct signature, as no selector is mentioned for the failed ones; leaving aside the fact that the implementation of reports is not very strict, so this probably does not mean too much) and there is no SPF that allows mails from mail.example.com to be sent by 1.2.3.4.

EOhm
  • Some records past got both DKIM and SPF using the same ‘source_ip’ and ‘header_from’ values, which are valid. Do clients cause this problem? – Louis Waweru Oct 21 '19 at 07:55
  • DKIM is mail by mail and not bound to any source IP. So the mail server 1.2.3.4 does not enforce DKIM on each mail correctly. Possibly it's also pointing to temporary DNS problems, because both depend on DNS (but a well-behaving recipient should reject mails with a temporary failure if it gets a server error querying DNS). – EOhm Oct 21 '19 at 08:16
  • Is it your server that sends the reports, or are you certain that the server verified SPF on the header from of other mails with the same server setup and without changed DNS? And that they really arrive there with the same header from? This cannot be the case if there were no DNS issues. – EOhm Oct 21 '19 at 08:21
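
An added example, not part of the question or the answer: a small Python summarizer for DMARC aggregate report records that totals messages per source IP and evaluated result, counts messages reported without any DKIM entry in `auth_results`, and counts messages that fail DMARC (neither aligned DKIM nor aligned SPF passed). The sample XML is constructed, modelled on the two records in the question and wrapped in a `<feedback>` root; the function name `summarize` is hypothetical.

```python
import xml.etree.ElementTree as ET  # for reports from third parties, prefer a hardened parser such as defusedxml
from collections import Counter

# Constructed sample modelled on the two records in the question.
SAMPLE = """<feedback>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mail.example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.example.com</domain><result>softfail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>1.2.3.4</source_ip><count>57</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mail.example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.example.com</domain><result>pass</result><selector>GUID</selector></dkim>
      <spf><domain>mail.example.com</domain><result>softfail</result></spf>
    </auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return (totals, unsigned, dmarc_fail) as message counts.

    totals: Counter keyed by (source_ip, evaluated dkim, evaluated spf)
    unsigned: messages whose record has no <dkim> element in auth_results
    dmarc_fail: messages where neither evaluated dkim nor evaluated spf is "pass"
    """
    totals, unsigned, dmarc_fail = Counter(), 0, 0
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))  # one record can cover many messages
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        totals[(ip, dkim, spf)] += count
        if rec.find("auth_results/dkim") is None:
            unsigned += count  # the receiver reported no DKIM result for these messages
        if "pass" not in (dkim, spf):
            dmarc_fail += count  # DMARC needs at least one aligned pass
    return totals, unsigned, dmarc_fail

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On this sample the 57 messages still pass DMARC through DKIM even though SPF fails, while the 8 messages with no DKIM entry are the ones that fail DMARC outright.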