DMARC Email SPF policy_evaluated & auth_result have inconsistent status

7

1

Some (but not all) of the emails from our service are flagged as phishing by Gmail and spam by Hotmail.

The emails being marked as phishing are sent from an application deployed on EC2 VMs which use Amazon SES to do the actual sending. The application sends other emails which do not get flagged (we have 4 kinds of emails sent by the app at the moment).

We also have a user using an MS Exchange account hosted on OVH sending emails from this domain, which is why the SPF records include an OVH entry.

We have configured the following records on the domain:

_amazonses.mydomain.com.    1799    IN  TXT "JiAZ9E5gIc7VbPfMI4rYSBGZJeTe3lTF+eigtVUF1fg="
_amazonses.mydomain.com.    1799    IN  TXT "vkSOtQqrtz2frIPg+6SeU7CmCenkTPjjvZdCQe/u0Qk="
_dmarc.mydomain.com.    299 IN  TXT "v=DMARC1\;p=none\;rua=mailto:postmaster@mydomain.com"
2anucjune6cx5dfjwtpg5w7xi5bivkdi._domainkey.mydomain.com. 1799 IN CNAME 2anucjune6cx5dfjwtpg5w7xi5bivkdi.dkim.amazonses.com.
5m7pppm63mxlxz3w3al3juxlgwb4j67m._domainkey.mydomain.com. 1799 IN CNAME 5m7pppm63mxlxz3w3al3juxlgwb4j67m.dkim.amazonses.com.
7tpgaubzvve5ekkq3pyu7rhmrxhgif5f._domainkey.mydomain.com. 1799 IN CNAME 7tpgaubzvve5ekkq3pyu7rhmrxhgif5f.dkim.amazonses.com.
mydomain.com.       299 IN  TXT "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
mydomain.com.       299 IN  SPF "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"

Here are the DMARC reports we get from Google:

  <record>
    <row>
      <source_ip>54.240.6.219</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>eu-west-1.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

and here is one from hotmail.com:

<record>
  <row>
    <source_ip>54.240.6.212</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>eu-west-1.amazonses.com</domain>
      <result>pass</result>
    </spf>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
    </dkim>
  </auth_results>
</record>

As you can see, the SPF entry for policy_evaluated has a fail status; however, the auth_results list SPF as being pass. What can explain the incoherent statuses? Can this incoherence be the source of our mails being flagged as phishing/spam?

Jean

Posted 2014-02-12T16:10:36.953

Reputation: 393

Answers

5

This appears to be due to DMARC domain alignment issues. As indicated by the report, the domain for the SPF authentication result was "eu-west-1.amazonses.com", which is non-aligned with the header_from of "mydomain.com". Why DMARC is evaluating SPF with the amazonses.com domain, I don't know. I have the same issue and have not figured out how to resolve it. From the DMARC draft:

   Example 3.  This record indicates a single message matching this set
   of data points.  The DMARC disposition for this message was "reject"
   based on DMARC aligned results for SPF and DKIM of "fail" and the
   domain's reject policy.  There was no DKIM signature on this message,
   as in Example 1.  The SPF authentication result was "pass" with a
   MAILFROM domain of "classifiedads.com".  The SPF domain is not
   aligned with the header From domain, causing the DMARC aligned SPF
   result to be "fail".

   <record>
      <row>
         <source_ip>65.61.105.5</source_ip>
         <count>1</count>
         <policy_evaluated>
            <disposition>reject</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
            </policy_evaluated>
         </row>
      <identifiers>
         <header_from>facebook.com</header_from>
         </identifiers>
      <auth_results>
         <dkim>
            <domain></domain>
            <result>none</result>
            </dkim>
         <spf>
            <domain>classifiedads.com</domain>
            <result>pass</result>
            </spf>
         </auth_results>
      </record>

lid

Posted 2014-02-12T16:10:36.953

Reputation: 859

"Why DMARC is SPF evaluating with the amazonses.com domain, I don't know." --- This is not DMARC but SPF, which uses the domain from the SMTP MAIL FROM command. The email was sent from an amazonses.com MTA which put its domain into the SMTP MAIL FROM command. SPF passes for this domain and the sending MTA IP address. After this test DMARC checks the alignment of the domain amazonses.com with the domain in the mail From: header (mydomain.com). The domains are different, so this test fails. – pabouk – 2018-09-25T08:28:39.847

To add to @pabouk's comment, here are the docs for setting SMTP MAIL FROM: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html – Evan – 2019-03-11T15:26:29.133

If I understand this correctly, it is not possible to have a DMARC aligned pass result for SPF when delegating to a 3rd party provider unless the provider had a way to make a reverse lookup of the IP actually doing the sending resolve to your domain... I don't think this is possible when using Amazon SES since it uses a pool of IP addresses and rotates them quickly between various domains – Jean – 2014-02-27T13:34:24.173

That's what I infer as well, but I would have expected this to be a fairly common use case that DMARC should account for. However, I also would have expected the SPF domain for auth_results to be openoox.com in your case, since the SPF record is actually pulled from openoox.com, not amazonses. – lid – 2014-02-27T15:22:54.090

5

This is not likely to be the cause of your messages being flagged as phishing/spam. Your <policy_evaluated> elements show that you are passing DKIM and thus you are passing DMARC as a whole.

"the SPF entry for policy_evaluated has a fail status, however the auth_results list SPF as being pass. What can explain the incoherent statuses?"

The auth_results do not take identifier alignment into account while the overall DMARC evaluation does, which is why the auth_results for SPF can be pass and the overall SPF results can be fail.

Why is SPF evaluated against the amazonses.com domain rather than yours, though? Unlike DKIM, SPF is not validating the domain name in a From header (which would be your domain). It validates the IP address of the SMTP sender against the SPF record of the MAIL FROM domain. In this case that is an Amazon IP address and an amazonses.com MAIL FROM domain, which correctly passes SPF.

References:

https://tools.ietf.org/html/rfc7489

http://sesblog.amazon.com/post/Tx3IREZBQXXL8O8/SPF-and-Amazon-SES

Ed Rowe

Posted 2014-02-12T16:10:36.953

Reputation: 51
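The two answers above (lid's alignment explanation with pabouk's comment, and Ed Rowe's point that auth_results ignore alignment while policy_evaluated applies it) can be checked mechanically against the report itself. The following Python script is an added example, not code from the question or either answer: it parses an aggregate report, recomputes the aligned SPF and DKIM verdicts from the raw auth_results, and shows why raw SPF is "pass" while aligned SPF is "fail" and DMARC still passes through DKIM. The report text is constructed from the two records in the question; the feedback envelope and the policy_published values (relaxed alignment, p=none) are assumptions. The organisational-domain helper uses a last-two-labels approximation instead of the Public Suffix List, which is adequate for the .com names here. It also goes slightly beyond the thread by checking what a custom MAIL FROM subdomain (the SES feature Evan's comment links to) would give under relaxed versus strict alignment.

```python
import xml.etree.ElementTree as ET

# Constructed sample report: the two <record> elements from the question,
# wrapped in a minimal <feedback> envelope. The envelope and the
# <policy_published> values are assumptions, not taken from a real report.
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>54.240.6.219</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>eu-west-1.amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>54.240.6.212</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>eu-west-1.amazonses.com</domain><result>pass</result></spf>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organisational domain, approximated as the last two DNS labels.
    Real validators consult the Public Suffix List; this simplification
    is an assumption that holds for plain .com names like those above."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, header_from, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an
    exact match with the From: domain, relaxed ('r') only needs the same
    organisational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_record(record, aspf="r", adkim="r"):
    """Recompute the DMARC outcome for one <record> from its raw auth_results
    and keep the receiver's reported policy_evaluated verdicts for comparison."""
    header_from = record.findtext("identifiers/header_from")
    results = {"source_ip": record.findtext("row/source_ip")}
    for mech, mode in (("spf", aspf), ("dkim", adkim)):
        # auth_results may list several SPF/DKIM entries; any aligned pass suffices.
        entries = [(e.findtext("domain") or "", e.findtext("result"))
                   for e in record.findall(f"auth_results/{mech}")]
        results[mech] = {
            # what the receiver's SPF/DKIM check said, alignment ignored
            "raw_pass": any(r == "pass" for _, r in entries),
            # what DMARC actually uses: a pass whose domain aligns with From:
            "aligned_pass": any(r == "pass" and is_aligned(d, header_from, mode)
                                for d, r in entries),
            "reported": record.findtext(f"row/policy_evaluated/{mech}"),
        }
    # DMARC passes if either aligned mechanism passes.
    results["dmarc_pass"] = (results["spf"]["aligned_pass"]
                             or results["dkim"]["aligned_pass"])
    return results


def evaluate_report(xml_text):
    """Evaluate every <record> of an aggregate report using the published
    alignment modes (defaulting to relaxed, as RFC 7489 does)."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf = (pol.findtext("aspf") if pol is not None else None) or "r"
    adkim = (pol.findtext("adkim") if pol is not None else None) or "r"
    return [evaluate_record(rec, aspf, adkim) for rec in root.findall("record")]


if __name__ == "__main__":
    for r in evaluate_report(SAMPLE_REPORT):
        print(r["source_ip"],
              "SPF raw/aligned:", r["spf"]["raw_pass"], r["spf"]["aligned_pass"],
              "(reported", r["spf"]["reported"] + ")",
              "DKIM aligned:", r["dkim"]["aligned_pass"],
              "DMARC pass:", r["dmarc_pass"])
    # Hypothetical custom MAIL FROM subdomain: aligned under relaxed mode only.
    print("bounce.mydomain.com relaxed:", is_aligned("bounce.mydomain.com", "mydomain.com", "r"),
          "strict:", is_aligned("bounce.mydomain.com", "mydomain.com", "s"))
```

For both records the script reproduces the receivers' verdicts: raw SPF is a pass for eu-west-1.amazonses.com, aligned SPF is a fail because its organisational domain (amazonses.com) differs from mydomain.com, and DMARC still passes because the DKIM signature domain aligns. The last line shows the practical fix direction from the thread's comments: a MAIL FROM domain under mydomain.com aligns under the default relaxed mode, but not under aspf=s.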