About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass the DMARC test. As it states it does not know why, I am helpless right now and don't really understand what is happening.
I get this message:
The DMARC test failed but we didn't find any obvious reason why. If you recently modified your DNS, please wait a few hours and then test again.
DMARC DNS entry found for the domain _dmarc.vlastimilburian.cz:
"v=DMARC1; p=reject; adkim=s; aspf=s"
Verification details:
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz [email protected] header.b=CefZgBpZ; dkim-atps=neutral
mail-tester.com; dmarc=none header.from=vlastimilburian.cz
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz [email protected] header.b=CefZgBpZ; dkim-atps=neutral
From Domain: vlastimilburian.cz
DKIM Domain: vlastimilburian.cz
I have a ProtonMail premium plan with one custom domain and a single email address. My domain DNS is protected with DNSSEC.
I have DKIM (DomainKeys Identified Mail) also.
My SPF record is a hard-fail:
v=spf1 include:_spf.protonmail.ch mx -all
The strange thing is, both SPF and DKIM are passing:
I have not modified my DNS in 3 days. Is there any other possible reason for DMARC to fail?
Update 2019-May-27
I got a reply from the Mail-Tester.com staff:
Thank you for sharing this link. I'm afraid I quite still don't understand the answer over there... Basically, it says everything is OK and DMARC should pass... isn't it? If so, I'm afraid it does not help much... we use the famous OpenDMARC library to analyze DMARC and the "we didn't find any obvious reason why" is generated when OpenDMARC says your email does not pass DMARC while our own test does not find anything wrong.
Could this possibly be an error in OpenDMARC, should I report it?
I tried the test now, and it passed.
Additionally, I sent a message to my Gmail free-mail with PASS results:
As we can read from the results:
From
header.d=
This means you have a passing DMARC alignment from both, while only one is required. Based on that we can blame mail-tester.com for analysing it incorrectly.
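
Added example (not from the original answer and not OpenDMARC's code): a minimal DMARC identifier-alignment check in Python, run against the record from the question. The SPF and DKIM inputs are constructed, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; adkim/aspf default to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":                      # strict: exact match with the From domain
        return a == f
    return org_domain(a) == org_domain(f)  # relaxed: same organizational domain

def evaluate(record, from_domain, spf, dkim_sigs):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags["adkim"])
                  for r, d in dkim_sigs)
    passed = spf_ok or dkim_ok           # one aligned pass is enough
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else tags.get("p", "none")}

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"  # record from the question
FROM = "vlastimilburian.cz"

# Constructed authentication results, not taken from the page.
both = evaluate(RECORD, FROM, ("pass", FROM), [("pass", FROM)])
dkim_only = evaluate(RECORD, FROM, ("pass", "bounce.example.net"), [("pass", FROM)])
subdomain = evaluate(RECORD, FROM, ("pass", "mail." + FROM), [("pass", "mail." + FROM)])
```

With `adkim=s; aspf=s`, the `subdomain` case fails and falls under `p=reject` even though SPF and DKIM both pass, which is the situation to rule out first when a strict policy fails unexpectedly.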