This is the DMARC record we have set
v=DMARC1; p=reject; rua=mailto:[redacted]@coinbase.com; adkim=r; aspf=s
So we are rejecting any not match with SPF strictly, and DKIM is relaxed.
Here is the SPF record:
v=spf1 mx ptr include:_spf.google.com include:amazonses.com include:servers.mcsv.net ip4:216.146.46.11/24 ip4:54.240.0.0/16 -all
servers.mcsv.net is the relevant one here, this is for MailChimp.
Now, when mailchimp sends emails, here are the relevant headers (taken from before we had DMARC set to reject):
Delivered-To: [redacted]@gmail.com
Return-Path: <bounce-mc.us5_10399111.473393-[redacted][email protected]>
Received: from mail43.atl11.rsgsv.net (mail43.atl11.rsgsv.net. [205.201.133.43])
by mx.google.com with ESMTP id j28si35440183yha.171.2014.05.21.09.07.49
for <[redacted]@gmail.com>;
Wed, 21 May 2014 09:07:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce-mc.us5_10399111.473393-[redacted][email protected] designates 205.201.133.43 as permitted sender) client-ip=205.201.133.43;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce-mc.us5_10399111.473393-[redacted][email protected] designates 205.201.133.43 as permitted sender) smtp.mail=bounce-mc.us5_10399111.473393-[redacted][email protected];
dkim=pass [email protected];
dmarc=fail (p=NONE dis=NONE) header.from=coinbase.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=mail43.atl11.rsgsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=[redacted][email protected];
bh=o5A5eXnTv4l6rsLeAnZJnMWMM68=;
b=TuFkaiUuroZ81dqLE6inBqApDru17Je2eBBRhPSwcLjFqSnQYasdQeoKdSseroRiNsVwR2l+VMgo
AjDCgEcXlmKQ1OZwgFJRoy/YKcV2aWfAaNttoLg/Ia1mqRVI+KOA6CIHE+1sbjc8vGdbkxHpnhkw
vyKFBZn8BdHmLyBUr88=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=k1; d=gmail.mcsv.net;
h=Subject:From:Reply-To:To:Date:Message-ID:X-Feedback-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
bh=o5A5eXnTv4l6rsLeAnZJnMWMM68=;
b=pUJSVxxUhdCyKquMzC3XoV8/vdntYc9D9PPEi8+kGHPzyX9JYz2abxclEKparO5titfvKxda7K6R
m65UTHrkFeMh+lQw7KruA0YBI4ixq07xVUiQkyZRTTuV8oW0R1a/gwWqr4zCnrHbgBmtSg1lKRWF
Zo4frwnJ67K8gPd/Qlk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=k1; d=mail43.atl11.rsgsv.net;
b=WU6GQW9PExrQou81SYai+uiOzWU9FjHdzXPh2NA+g0aKjcDx08ujAcfkOjLRtD6ceTEwdS4GNeyc
3iwdIXMjwYN1qDzo4Ug3yeKCTjidqcjdxJcRN1pBJ6Dq+bsGkcNiwlh7cFlmTSQEeIobmRCO3FEA
mEJ3ZB59fs0X9VhAiiw=;
Received: from (127.0.0.1) by mail43.atl11.rsgsv.net id hfj7la1lgi03 for <[redacted]@gmail.com>; Wed, 21 May 2014 16:07:09 +0000 (envelope-from <bounce-mc.us5_10399111.473393-[redacted][email protected]>)
Subject: =?utf-8?Q?Posts=20from=20The=20Coinbase=20Blog=20for=2005=2F21=2F2014?=
From: =?utf-8?Q?The=20Coinbase=20Blog?= <[redacted]@coinbase.com>
You can see DMARC failed. But I don't understand why. The SPF record passes. DKIM does also (although we have that requirement relaxed here).
Maybe I'm misunderstanding something about DMARC, but it seems like this should work.
Thank you for the help!
The domain name extracted from a message's RFC5322 From field is the primary identifier in the DMARC mechanism. This will cause the DKIM validation for DMARC to fail as the document was not signed by coinbase.com.
Either sign it as your domain or remove the DKIM validation from your DMARC record.