I set _dmarc to see my email authentication reports (in case it fails),
like this:
"v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]"
And I receive these reports from Google.
In a report I receive when my emails are good (because they are coming from AWS SES and all is configured fine), it comes like this:
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
BUT sometimes I get records like this
<record>
<row>
<source_ip>209.85.220.41</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>xxx</selector>
</dkim>
<dkim>
<domain>amazonses.com</domain>
<result>pass</result>
<selector>gggxxx</selector>
</dkim>
<spf>
<domain>gmail.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
And I understand that someone has forwarded my email but without overwriting headers, and this someone was Gmail.
Why doesn't Gmail overwrite headers, and why should I care about forwarding at all? They are only supposed to send me emails when it is my problem, right?
Am I confusing something?
Testing a few assumptions here:
Server-side / automated forwards are usually behaving this way: keeping the original sender in the header.from and changing the envelope from (bounce-address) to the service forwarding the email. When an aligned DKIM signature is present and as long as signed fields are not altered, DKIM will successfully authenticate the message and DMARC will pass. If no DKIM signature is found, DMARC will fail.
No.
DMARC policy records containing a rua tag are requesting receiving servers to periodically send an aggregate report of all email received that was sent on behalf of the domain in the header.from field. The receiving server should not make assumptions (whose fault it is) on what is the reason for a specific check to fail (in this case misalignment of domains used in header.from and envelope from).
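The following is an added example, not part of the question or the answer above: it reads the forwarded-mail record from the question and shows, per mechanism, the raw result next to its alignment with header_from, which is why SPF "pass" for gmail.com is reported as an SPF failure while DMARC still passes on the aligned DKIM signature. The function names and the simplified relaxed-alignment check (same domain or parent/child, no Public Suffix List lookup) are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the forwarded-mail record from the question, compacted.
RECORD = """<record>
  <row><source_ip>209.85.220.41</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>mydomain.com</domain><result>pass</result><selector>xxx</selector></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result><selector>gggxxx</selector></dkim>
    <spf><domain>gmail.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""


def aligned(auth_domain, header_from):
    """Relaxed alignment, approximated as same domain or parent/child.
    Assumption: a real check compares organizational domains (Public Suffix List)."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h or a.endswith("." + h) or h.endswith("." + a)


def explain(record_xml):
    """Return per-mechanism (domain, raw result, aligned) tuples and the DMARC verdict."""
    # Reports come from third parties: use a hardened parser (e.g. defusedxml)
    # on real input; plain ElementTree is used here on an inline sample only.
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    out = {"header_from": header_from, "dkim": [], "spf": []}
    for mech in ("dkim", "spf"):
        for node in rec.findall(f"auth_results/{mech}"):
            domain = node.findtext("domain")
            result = node.findtext("result")
            out[mech].append((domain, result, aligned(domain, header_from)))
    # DMARC passes when at least one mechanism both passes and is aligned.
    out["dmarc_pass"] = any(
        result == "pass" and ok for mech in ("dkim", "spf") for _, result, ok in out[mech]
    )
    return out


if __name__ == "__main__":
    report = explain(RECORD)
    for mech in ("dkim", "spf"):
        for domain, result, ok in report[mech]:
            print(f"{mech:4} {domain:15} result={result} aligned={ok}")
    print("DMARC pass:", report["dmarc_pass"])
```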