DMARC reports from some mail servers report failures #176
Comments
|
hi @rdelaage, thanks for the report.
this indeed looks a bit (but only a little!) surprising:
"DKIM": [
{
"Domain": "mail.delaage.fr",
"Selector": "",
"Result": "fail",
"HumanResult": ""
},
{
"Domain": "delaage.fr",
"Selector": "2024b",
"Result": "pass",
"HumanResult": ""
}
that is, i'm surprised it the first object mentions "mail.delaage.fr" and the second has "delaage.fr".
when mox adds dkim signatures to an outgoing message, it looks up a configured domain for the "message from" address: first the full domain, then removing a subdomain, and so on, until a configured domain is found. the dkim config for that domain is applied. but it should always be a single domain. and unless you have mail.delaage.fr configured as well, it should be delaage.fr.
i'm not surprised about the "Result": "fail". the dmarc reports from google that i'm getting contain this:
"DKIM": [
{
"Domain": "ueber.net",
"Selector": "",
"Result": "fail",
"HumanResult": ""
},
{
"Domain": "ueber.net",
"Selector": "2023b",
"Result": "pass",
"HumanResult": ""
}
],
it too has 1 "fail" result. that's expected: mox signs messages with both an ed25519 dkim signature and an rsa dkim signature. but google doesn't implement ed25519. many other mail systems don't either, only a minority does at the moment. it results in various forms of a "dkim fail" in dmarc reports (sometimes they mention the selector, sometimes they have additional text). anyway, it's not actually a problem: a dkim-signature that isn't recognized is not used in evaluations, i.e. doesn't have a negative impact (which is the only reasonable behaviour, for forward compatibility). there is still 1 dkim pass, so all is good!
overall, your dmarc report indicates messages that pass the dmarc check.
at first glance, these reports often make you think something is wrong: you'll see "reject" in "PolicyPublished", but that only indicates that the requested policy for non-dmarc-passing messages is to reject them (which is what we want!). it doesn't say anything about the result of dmarc evaluations.
an individual "fail" also doesn't have to be bad: the dmarc check will pass when at least one of spf and dkim checks have an aligned pass. for situations like forwarding it can be normal to have one of them fail.
what really matters is the final dmarc evaluation result, which is this part:
"PolicyEvaluated": {
"Disposition": "none",
"none" is the good news: the message wasn't quarantined or rejected.
i think it's a bit unfortunate about dmarc reports that this final result doesn't stand out (at least for me) among all the other mentions of "reject" and "fail".
anyway, the question is still why google has seen messages with a dkim-signature for mail.delaage.fr.
do/did you have it explicitly configured as domain in mox by any chance?
|
|
No, |
|
Same here. On the host domain the DMARC reports from google.com show A row with my server SourceIP shows DKIM domain The result is Enterprise OutlookFrom "Enterprise Outlook" DMARC reports to the host domain show with Header and EnvelopeFrom "AuthResults": {
"DKIM": [
{
"Domain": "",
"Selector": "",
"Result": "fail",
"HumanResult": ""
},
{
"Domain": "example.com",
"Selector": "2024b",
"Result": "fail",
"HumanResult": ""
}
],
"SPF": [
{
"Domain": "mail.example.com",
"Scope": "mfrom",
"Result": "pass"
}
]
}The behavior isn't consistent, in some reports the DKIM on Amazon SESAnd AMAZON-SES is fully happy (DKIM and SPF pass), Envelope/Header From are eMail domainsThe email domains are all green (Counters for DKIM or SPF fails are zero). The HeaderFrom is ObservationIn the admin UI on the page with where as on the page with The current setup uses the |
…output/pages before, the suggested records would show "v=spf1 mx ~all", while the dnscheck page would suggest "v=spf1 ip4:... ip6:... -all". the two places now show the same record: explicitly listing the configured ip's (so the common case of a valid message is fast and doesn't require lookups of mx hosts and their addresses), but still including "mx" (may prevent issues while migrating to new ips in the future and doesn't hurt for legit messages), and "~all" (for compatibility with some old systems that don't look at dkim/dmarc when they evaluate spf and reach "-all") based on #176 created by rdelaage, with record mismatch spotted by RobSlgm, thanks!
|
@RobSlgm thanks for reporting that spf1 mismatch. the last commit should now cause the same record to be suggested. always including the configured ip's and keeping "mx" (including the ip prevents further dns lookups for legimate messages which is good for performance, keeping the mx records adds some resilience to future ip changes), and using "~all" (as explained on the dnsrecords page). i've also received some dmarc reports from google/gmail with a "Domain" set to the hostname. i suspect it is an artefact of them not recognizing the ed25519 algorithm. the overall dkim result is still pass, and the dmarc result is positive too. i'll close this issue now. feel free to reopen if there's more information or more work to be done. thanks for reporting and providing details! |
It seems to be DKIM related failures. The dkim reports are sent from
postmaster@<maildomain>but there is no published DKIM public key in the DNS records generated by mox resulting in a DKIM signature validation fail.Here is a copy of a DMARC report sent by google
{ "ID": 7, "Domain": "delaage.fr", "FromDomain": "google.com", "Version": "", "ReportMetadata": { "OrgName": "google.com", "Email": "noreply-dmarc-support@google.com", "ExtraContactInfo": "https://support.google.com/a/answer/2466580", "ReportID": "11688145333743308772", "DateRange": { "Begin": 1718150400, "End": 1718236799 }, "Errors": null }, "PolicyPublished": { "Domain": "delaage.fr", "ADKIM": "r", "ASPF": "r", "Policy": "reject", "SubdomainPolicy": "reject", "Percentage": 100, "ReportingOptions": "" }, "Records": [ { "Row": { "SourceIP": "2001:1600:13:101::cd7", "Count": 2, "PolicyEvaluated": { "Disposition": "none", "DKIM": "pass", "SPF": "pass", "Reasons": null } }, "Identifiers": { "EnvelopeTo": "", "EnvelopeFrom": "", "HeaderFrom": "mail.delaage.fr" }, "AuthResults": { "DKIM": [ { "Domain": "mail.delaage.fr", "Selector": "", "Result": "fail", "HumanResult": "" }, { "Domain": "delaage.fr", "Selector": "2024b", "Result": "pass", "HumanResult": "" } ], "SPF": [ { "Domain": "mail.delaage.fr", "Scope": "", "Result": "pass" } ] } } ] }The text was updated successfully, but these errors were encountered: