Some (but not all) of the emails from our service are flagged as phishing by Gmail and spam by Hotmail.
The emails being marked as phishing are sent from an application deployed on EC2 VMs which use Amazon SES to do the actual sending. The application sends other emails which do not get flagged (we have 4 kinds of emails sent by the app at the moment).
We also have a user using an MS Exchange account hosted on OVH sending emails from this domain, which is why the SPF records include an OVH entry.
We have configured the following records on the domain:
_amazonses.mydomain.com. 1799 IN TXT "JiAZ9E5gIc7VbPfMI4rYSBGZJeTe3lTF+eigtVUF1fg="
_amazonses.mydomain.com. 1799 IN TXT "vkSOtQqrtz2frIPg+6SeU7CmCenkTPjjvZdCQe/u0Qk="
_dmarc.mydomain.com. 299 IN TXT "v=DMARC1\;p=none\;rua=mailto:postmaster@mydomain.com"
2anucjune6cx5dfjwtpg5w7xi5bivkdi._domainkey.mydomain.com. 1799 IN CNAME 2anucjune6cx5dfjwtpg5w7xi5bivkdi.dkim.amazonses.com.
5m7pppm63mxlxz3w3al3juxlgwb4j67m._domainkey.mydomain.com. 1799 IN CNAME 5m7pppm63mxlxz3w3al3juxlgwb4j67m.dkim.amazonses.com.
7tpgaubzvve5ekkq3pyu7rhmrxhgif5f._domainkey.mydomain.com. 1799 IN CNAME 7tpgaubzvve5ekkq3pyu7rhmrxhgif5f.dkim.amazonses.com.
mydomain.com. 299 IN TXT "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
mydomain.com. 299 IN SPF "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
Here are the DMARC reports we get from Google:
<record>
<row>
<source_ip>54.240.6.219</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>eu-west-1.amazonses.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
And here is one from hotmail.com:
<record>
<row>
<source_ip>54.240.6.212</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>eu-west-1.amazonses.com</domain>
<result>pass</result>
</spf>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
</auth_results>
</record>
As you can see, the SPF entry for policy_evaluated has a fail status; however, the auth_results list spf as being pass.
What can explain the incoherent statuses?
Can this incoherence be the source of our mails being flagged as phishing/spam?
Why DMARC is SPF evaluating with the amazonses.com domain, I don't know. --- This is not DMARC but SPF which uses the domain from the SMTP MAIL FROM command. The email was sent from an amazonses.com MTA which put its domain into the SMTP MAIL FROM command. SPF passes for this domain and the sending MTA IP address. After this test DMARC checks the alignment of the domain amazonses.com with the domain in the mail From: header (mydomain.com). The domains are different so this test fails. – pabouk – 2018-09-25T08:28:39.847
To add to @pabouk's comment, here's the docs for setting SMTP MAIL FROM: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html – Evan – 2019-03-11T15:26:29.133
If I understand this correctly, it is not possible to have a DMARC aligned pass result for SPF when delegating to a 3rd party provider unless the provider had a way to make a reverse lookup of the IP actually doing the sending resolve to your domain... I don't think this is possible when using Amazon SES since it uses a pool of IP addresses and rotates them quickly between various domains – Jean – 2014-02-27T13:34:24.173
That's what I infer as well, but I would have expected this to be a fairly common use case that DMARC should account for. However, I also would have expected the SPF domain for auth_results to be openoox.com in your case, since the SPF record is actually pulled from openoox.com, not amazonses. – lid – 2014-02-27T15:22:54.090
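The alignment check described in pabouk's comment, as an added example that is not part of the original thread: it recomputes the `policy_evaluated` results of an aggregate record from its `auth_results` and `header_from`. The sample record is constructed from the Google report in the question, and the organizational domain is approximated as the last two labels (an assumption; real evaluators use the Public Suffix List).

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Google record quoted in the question.
SAMPLE = """<record>
  <row>
    <source_ip>54.240.6.219</source_ip>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
    <spf><domain>eu-west-1.amazonses.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Simplification (assumption): last two labels, not a Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(record_xml, strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from", "")
    out = {}
    for mech in ("spf", "dkim"):
        # (domain, result) pairs exactly as the receiver reported them.
        raw = [(e.findtext("domain", ""), e.findtext("result", ""))
               for e in rec.findall(f"auth_results/{mech}")]
        # DMARC counts a mechanism only if it passed AND its domain aligns with From:.
        ok = any(r == "pass" and aligned(d, header_from, strict) for d, r in raw)
        out[mech] = {"raw": raw, "dmarc": "pass" if ok else "fail",
                     "reported": rec.findtext(f"row/policy_evaluated/{mech}")}
    # The message passes DMARC if either mechanism yields an aligned pass.
    both = (out["spf"]["dmarc"], out["dkim"]["dmarc"])
    out["dmarc"] = "pass" if "pass" in both else "fail"
    return out

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(key, value)
```

Replacing the SPF domain with a subdomain of the From: domain (for example a hypothetical `bounce.mydomain.com` set up as a custom MAIL FROM) makes the SPF result align under relaxed mode but not under strict mode.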