Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism by which the owner of a domain uses specially formed DNS records to express domain-level policies and preferences for email validation, disposition, and reporting.
Questions tagged [dmarc]
205 questions
41
votes
5 answers
Find DKIM and DMARC Records?
Is there a method to find a domain's DKIM and DMARC records using dig or nslookup?
I have attempted to do the following:
dig somedomain.org any
returns many records, but not the known DKIM and DMARC text records.
nslookup -type=txt…
Evil Genius
- 521
- 1
- 4
- 5
17
votes
2 answers
DNS MX/SPF/DMARC records without actuall emails on domain
I created website for someone, but also someone (I guess some SEO guy) told this person that I made big mistake because there are missing DNS records on domain (mx, SPF, dmarc). Now I need to "fix" my error.
Thing is, of course these records are…
norr
- 273
- 1
- 5
16
votes
2 answers
What does rua and ruf stand for in the DMARC spec?
I've searched all over Google and unable to find why these reports are named "rua" and "ruf".
They don't seem random, but also don't appear to easily translates in an obvious way to their definitions.
From the DMARC RFC:
rua: Addresses to which…
cavalcade
- 311
- 1
- 3
- 6
13
votes
1 answer
DKIM: Can I use a RSA key larger than 2048bit, i.e. 4096?
I wonder if I can simply use a 4096bit RSA key for DKIM (in DNS TXT Record).
Are there any downsides (neglecting computational effort)?
Maybe there are mail servers which can't handle a key this large?
Also: Is there any big mail provider which…
Florian Schneider
- 293
- 3
- 8
13
votes
2 answers
What does dis=NONE mean in an email's Authentication-Results header?
The following is from an email I received recently:
Authentication-Results: mx.google.com;
spf=neutral;
dkim=pass header.i=@yahoo.com;
dmarc=pass (p=REJECT dis=NONE) header.from=yahoo.com
I've been reading about SPF, DKIM, and…
Alex Henrie
- 234
- 1
- 2
- 7
11
votes
4 answers
Why is my opendmarc failing pretty much everything that comes through?
I have this domain for which I set up SPF, DKIM, and DMARC stuff. Let's pretend the domain is example.com which has the following entries in its DNS zone:
example.com. 600 IN MX 1 mail.morpheu5.net.
example.com. …
Morpheu5
- 259
- 4
- 18
10
votes
2 answers
DMARC and DKIM alignment with multiple DKIM signatures
If an email contains multiple DKIM signatures as it's forwarded, how does DMARC process the DKIM alignment check?
Does ANY passing DKIM signature d= parameter have to match Header From?
or
Does the first (or last) DKIM signature d= parameter have to…
Novox
- 504
- 1
- 9
- 25
10
votes
1 answer
Why don't my domain's messages to a google group get their headers rewritten so DMARC can pass?
Whenever my domain sends a message to a google group on another domain the DMARC alignment fails. This is true for all my approved senders, even using Gmail in my domain. It seems to be because the Return-Path (Envelope From) header is replaced by…
lordbyron
- 331
- 2
- 9
10
votes
3 answers
Why is my email failing Gmail's DKIM test?
I have a message that was rejected by Gmail, I don't know why. It passes SPF. We aren't using DKIM. Do I need to set up DKIM?
I am in control of "example.com". Our mail server is "server.example.com" (hosted at bluehost)
Our SPF record is
v=spf1 +a…
nielsbot
- 223
- 1
- 3
- 9
9
votes
3 answers
DMARC Alignment: Enforce messages pass BOTH SPF and DKIM
Is there a way to enforce DMARC to fail/reject mail that doesn't pass BOTH DKIM and SPF?
We have been narrowing the number that are failing, but there are some domains in our aggregate (rua) report that are passing just DKIM and we would rather that…
Noah Hall-Potvin
- 91
- 1
- 2
9
votes
3 answers
Why does DMARC operate on the From-address, and not the envelope sender (Return-Path)?
Several emails sent from my webserver to a Gmail address, where the From: address is websitevisitor@gmail.com, have been marked as spam by Gmail. The From: field is populated from form data, and corresponds to the visitor's actual email address,…
EelkeSpaak
- 193
- 1
- 4
9
votes
4 answers
SPF + DKIM + DMARC with Gmail account and external mail server
I,m using gmail with own domain (Google Apps) for my project. Now I want to add external mail server for sending notifications for users. Gmail doesn't give private keys for DKIM and if keys will be generated on external mail server, in case strict…
cptBuggy
- 91
- 1
- 1
- 3
8
votes
1 answer
DMARC test failed but we didn't find any obvious reason why; DMARC not passing while SPF and DKIM do
About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass DMARC test. As it states it does not know why, I am helpless right now and don't really understand…
LinuxSecurityFreak
- 487
- 6
- 19
8
votes
1 answer
Not receiving any RUF DMARC reports (forensic) but are getting RUA (agg reports)
For about 5 days now, i have been successfully receiving several DMARC RUA (aggregate reports) reports from a few ISPs, however i have yet to receive a single RUF message/forensic email, even though the RUA reports do show a few failures. As i…
James Gaul
- 83
- 1
- 3
8
votes
2 answers
DMARC failed, but SPF pass
If i sent a mail from my website (on a private server) to autoreply@dmarctest.org, i have this report :
x.x.x.x
1
none
…
griotteau
- 241
- 1
- 5
- 9