DMARC fail when sent from/via hostname.

Richard G

It seems I'm having issues with DMARC and Gmail, while my server is configured perfectly for this to work.
So this is how it looks in Gmail at dmarcian:
1683638550782.png
The wildcard name is not my domain, but the domain from the server's hostname. However, this is about mail I send from my domain.

Now *exactly* the same but then from Outlook, also mail sent from my domain:

1683638645489.png

So Gmail says "wrong" and Microsoft says "great!".

I've found 1 report from Google which was stated as being pass. However, this had the source IP of my ISP in there.
Code:
      <source_ip>212.xx.xx.xx</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>

which could be possible because I send my business mail from home, but using the SMTP of my own server. But just to be sure I added some ISP IPs to my SPF record. However, my SPF record -also- contains my MX and MX IP and even the hostname of the server and still I get these Google fails.
So how come now my ISP's source IP is used, it's got a pass, while I don't even use the SMTP of my ISP for my company domain (is not possible anymore either).

I also just saw that this mail was sent from mydomain.nl and not from server.hostingdomain.nl. Maybe that was the reason for passing.

This is my SPF:
Code:
"v=spf1 a mx ip4:95.xx.xx.xx/32 ip4:95.xx.xx.xx/32 ip4:144.xx.xx.xx/32 include:server.hostingdomain.nl include:smtp.spf.myisp.nl -all"

The first 3 IPs are this server my domain is residing on and the other 2 are from other servers which might send mail from my domain.
The hostingdomain.nl is different than my companydomain.

The correct IP gets a pass from Outlook, but a fail from Google:
Code:
      <source_ip>95.xx.xx.xx</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>

Now the only difference with Outlook is the last part; to Google it seems they are sent from the hostname (maybe via DA or Softaculous), and Outlook is probably direct mail sent by myself.

From Google:
Code:
<policy_published>
    <domain>mycompany.nl</domain>
    <adkim>r</adkim>
    <aspf>s</aspf>
    <p>quarantine</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>95.XX.XX.XX</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mycompany.nl</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>server.hostingdomain.nl</domain>
        <result>pass</result>
        <selector>x</selector>
      </dkim>
      <spf>
        <domain>server.hostingdomain.nl</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

So at the end for the hostname server.hostingdomain.nl it will get a pass but the evaluated policy is both fail.

This is one from Outlook:

Code:
<policy_published>
    <domain>mycompany.nl</domain>
    <adkim>r</adkim>
    <aspf>s</aspf>
    <p>quarantine</p>
    <sp>reject</sp>
    <pct>100</pct>
    <fo>0</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>95.XX.XX.XX</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>outlook.com</envelope_to>
      <envelope_from>mycompany.nl</envelope_from>
      <header_from>mycompany.nl</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mycompany.nl</domain>
        <selector>x</selector>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>mycompany.nl</domain>
        <scope>mfrom</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

What I can see from this is that mails sent via the hostname are failed, at least by Google.

But that is odd, because I have the server's hostname in my SPF record so at least the SPF should not say "fail".
Hostname is a separate DNS entry with SPF record:
"v=spf1 a mx ip4:95.xx.xx.xx ~all"

What's going wrong here? How can I fix this?
Is this the issue caused by the hostname not really effectively signing with DKIM?
Maybe @mxroute?

Edit: The hostingdomain.nl has this SPF:
v=spf1 a mx ip4:95.xx.xx.xx -all
That shouldn't matter, should it? While the server name is not in there and set up as a separate record, right?
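
The `policy_evaluated` values in an aggregate report are the SPF and DKIM results after DMARC identifier alignment with `header_from` (RFC 7489), while `auth_results` holds the raw results for whichever domain was actually authenticated. As an added example (not part of the original post), this sketch applies that rule to a constructed sample mirroring the two records above; `org_domain` is a simplified, hypothetical stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two records quoted in the post above.
SAMPLE = """<feedback>
  <policy_published>
    <domain>mycompany.nl</domain><adkim>r</adkim><aspf>s</aspf>
  </policy_published>
  <record>
    <identifiers><header_from>mycompany.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>server.hostingdomain.nl</domain><result>pass</result></dkim>
      <spf><domain>server.hostingdomain.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <identifiers><header_from>mycompany.nl</header_from></identifiers>
    <auth_results>
      <dkim><domain>mycompany.nl</domain><result>pass</result></dkim>
      <spf><domain>mycompany.nl</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    a, h = auth_domain.lower(), header_from.lower()
    # "s" (strict) needs an exact match; "r" (relaxed) only the same organizational domain.
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim", "r"), "spf": pol.findtext("aspf", "r")}
    out = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from")
        verdict = {}
        for mech in ("dkim", "spf"):
            # DMARC pass for a mechanism = raw result "pass" AND domain aligned with header_from.
            verdict[mech] = any(
                r.findtext("result") == "pass" and aligned(r.findtext("domain"), hfrom, modes[mech])
                for r in rec.findall(f"auth_results/{mech}"))
        verdict["dmarc"] = verdict["dkim"] or verdict["spf"]
        out.append(verdict)
    return out
```

`evaluate(SAMPLE)` returns one verdict per record: the first, authenticated as `server.hostingdomain.nl`, fails both mechanisms after alignment, and the second, authenticated as `mycompany.nl`, passes both.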
 
I wish I could help with that one but sometimes DMARC reports make my head explode. This is quite frankly why I often tell my customers "If you truly want to receive these reports feel free, but I have no intention of reading them back to you when you ask me what they mean"

In theory they're quite simple, in practice I took a whole day to think on the variables of your post here and neither of us can make sense of it.
 
I took a whole day to think on the variables of your post here and neither of us can make sense of it.
Well at least thank you *very* much for the effort you have taken to help me. I really appreciate it.

The only thing I could find later on (forgot to mention it) was that the hostname in my spf record should not have been an "include" but an "a" record.

So I changed that and now I'm still waiting until the hostname sends a message to Google. :)

but sometimes DMARC reports make my head explode.
We can shake hands on that, lol. Normally I don't fuss a lot with these either. But when Gmail is starting to refuse some of the mail, I just get too curious as to why.

Luckily there are only "pass" reports for my domain itself so I'm happy with that.

Again, thank you very much for having a look at it, I know it's a bunch of info.
 
As an alternative you can also run your own report system:


Been using it for years, works fine for my purposes. Takes a little bit to set up the collection script, needs some extra Perl modules.
 
Thank you for the tip @eva2000 but dmarcdigest is too expensive for us and it does not tell us more than we know at this moment. Also we normally never need it. First time we encounter this for some reason. For the domain itself it's all perfect.

It's only when mail is sent from the hostname that it does not align for whatever reason while everything is set up as it should be.

@cjd Thank you but for the 1 or 2 cases that I ever needed it until now, maybe then it's easier to run it through the online reporter system which also explains what's going on.

In fact it's just a text file, it's not that difficult to read, it's just that it does not say as to -why- it gives a fail when sent from the hostname.
So I think it's caused by Softaculous which is sending mail from my domain via the hostname or something.

I have to wait until the next report to see if my fix by adding the hostname with an a record in spf worked.
 