DMARC failures (ipv6)

MopeyGecko

I'm getting DMARC failure reports from google as follows

Code:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>18377262427000729987</report_id>
    <date_range>
      <begin>1680220800</begin>
      <end>1680307199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>reject</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>{ipv6}</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>host.mydomain.com</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>{ipv6}</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>x</selector>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Can someone please help point me to where I should start checking for the cause of this failure? It seems specific to the server hostname host.mydomain.com rather than the top level mydomain.com.

I suspect it may be a problem with ip6 config on the server?

I tried following the guide at https://www.vpsbasics.com/cp/how-to-enable-and-assign-ipv6-addresses-in-directadmin/ but after I add the ip6 address provided by the datacenter my main domain becomes inaccessible almost immediately.
 
You have masked your domain, so there is nothing to check. Do you have rDNS and an AAAA record in place?
 
The domain is co22.uk and host.co22.uk

As soon as I add AAAA records for IP6 2001:19f0:7402:10d:5400:04ff:fe55:21dd web access at co22.uk is no longer available as a secure connection can't be established.

Mythical beasts tests return the following but I have removed the AAAA records again so the site is accessible for now.


1680349822803.png

I'll be wanting to add ip6 addresses and GLUE for the name servers so I'll need to work out how to add extra ip6 addresses other than the 1 assigned by Vultr but one step at a time. rDNS is in place from 2001:19f0:7402:10d:5400:04ff:fe55:21dd to host.co22.uk

Thanks for looking.
 
Your nameservers don't have IPv6 enabled either.
Did you link IPv4 to IPv6?
 
Maybe it was a Google failure?

In my case Google sent a message about AdSense to my Gmail address. So Gmail sending to Gmail, also IPv6, and it was delivered into my Gmail spam folder. :)
This was March 10th.

So it might be they are having issues.

Today I got a DMARC report about some mail from me being quarantined, while all things (DMARC and SPF) are correct. Very odd. This was on a server using only IPv4.
 
I have added the AAAA records again with a low TTL to try again.

1680360050782.png

I have also added the ip6 glue for ns1.co22.uk (not ns2 yet as I need to work out how to add additional IPv6 addresses first)

I'm now up to 8/11 on Mythical beasts

1680360157046.png


The secure web server IPv6 connectivity issue is the most pressing right now that I can't work out.
 
Secure web server IPv6 connectivity
Trying to get https://www.co22.uk from 2001:19f0:7402:10d:5400:4ff:fe55:21dd...
500 Can't connect to www.co22.uk:443 (hostname verification failed)
Trying to get https://www.co22.uk from 78.141.234.188...
301 Moved Permanently

Maybe your virtual host is not written well, try
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
 
hmm I don't use www typically, it's set to auto redirect to co22.uk in the DA settings which probably explains the 301 redirect. At the moment everything on https://co22.uk seems to be functioning normally.
 
OK, did you rewrite?
IPv4 works, yes, but you have an IPv6 HTTPS issue here. Have you tried to regenerate the certificate after the changes you made?
 
I have rewritten confs now. Also regenerated wildcard letsencrypt certificate.

Interestingly host.co22.uk passes that test

I have not linked the IP6 address to the IP4 address, is that required?
 
I always link IPv4 to IPv6. Trying will not harm, but I suspect that there are some errors with generating the certificate for that domain.
 
I've linked the IP and that doesn't seem to have made any difference. I have also regenerated the certificate and it says generated successfully each time.
 
I think I'm out of ideas. I've removed the AAAA record for co22.uk again to get back online while I do a bit more research
 
Aha! assigning the IP to the admin reseller AND domain seems to have fixed everything. Either that or it was adjusting the certificate to exclude domain pointers. I don't have enough letsencrypt requests left for the wildcard combination of domains so will try that again when the limit refreshes next week.
 
Aha! assigning the IP to the admin reseller AND domain seems to have fixed everything
Yeah, that is a standard thing; I had assumed that was done already.
Nevertheless, glad you found your solution.
 
hmmm it seems I still have some DMARC issues with this.

<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<version>1.0</version>
<report_metadata>
<org_name>Enterprise Outlook</org_name>
<email>[email protected]</email>
<report_id>xxx</report_id>
<date_range>
<begin>1683504000</begin>
<end>1683590400</end>
</date_range>
</report_metadata>
<policy_published>
<domain>co22.uk</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
<fo>0</fo>
</policy_published>
<record>
<row>
<source_ip>78.141.234.188</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>reject</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<envelope_to>xxx</envelope_to>
<envelope_from>&lt;&gt;</envelope_from>
<header_from>host.co22.uk</header_from>
</identifiers>
<auth_results>
<spf>
<domain>host.co22.uk</domain>
<scope>helo</scope>
<result>none</result>
</spf>
</auth_results>
</record>
</feedback>

It looks like it's failing from the server hostname (host.co22.uk) in Outlook reports.

Mails sent from the primary domain (co22.uk) are passing.

What do I need to do to include the hostname in allowed senders?
 
Mails sent from the primary domain (co22.uk) are passing.
That's not what I'm seeing here in your example. It's failing from the ip, not the hostname.

The hostname has result "none", the ip has the fail but I don't know as to why because the ip is in your SPF record.
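
As an added example (not part of the thread or any poster's code), the sketch below reads a DMARC aggregate report like the ones quoted above and lists, for each record that failed DMARC, which identity SPF was checked against and whether a DKIM result was reported at all. The function names are hypothetical, the sample is trimmed from the Outlook report in the thread, and relaxed alignment is approximated with the policy domain instead of a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the Outlook record quoted in the thread (metadata omitted).
SAMPLE = """<feedback>
 <policy_published><domain>co22.uk</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
 <record>
  <row><source_ip>78.141.234.188</source_ip><policy_evaluated>
   <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><envelope_from>&lt;&gt;</envelope_from><header_from>host.co22.uk</header_from></identifiers>
  <auth_results><spf><domain>host.co22.uk</domain><scope>helo</scope><result>none</result></spf></auth_results>
 </record>
</feedback>"""

def aligned(auth_domain, header_from, org_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain.
    Assumption: org_domain is policy_published/domain, not a Public Suffix List lookup."""
    a, h, o = (d.lower().rstrip(".") for d in (auth_domain, header_from, org_domain))
    if mode == "s":
        return a == h
    return all(d == o or d.endswith("." + o) for d in (a, h))

def diagnose(report_xml):
    """One dict per record that failed DMARC, listing why SPF and DKIM did not satisfy it."""
    root = ET.fromstring(report_xml)  # third-party input: prefer defusedxml in production
    pol = root.find("policy_published")
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (ev.findtext("spf"), ev.findtext("dkim")):
            continue  # DMARC passes when either mechanism passes with alignment
        hfrom = rec.findtext("identifiers/header_from")
        env = rec.findtext("identifiers/envelope_from")
        reasons = []
        if env is not None and env.strip("<> ") == "":
            reasons.append("null envelope sender (bounce/DSN)")
        for mech, tag in (("spf", "aspf"), ("dkim", "adkim")):
            results = rec.findall(f"auth_results/{mech}")
            if not results:
                reasons.append(f"{mech}: no result reported")
            for r in results:
                dom, res, scope = (r.findtext(k) for k in ("domain", "result", "scope"))
                where = f"{dom} [{scope}]" if scope else dom
                if res != "pass":
                    reasons.append(f"{mech}: {where} returned {res}")
                elif not aligned(dom, hfrom, pol.findtext("domain"), pol.findtext(tag) or "r"):
                    reasons.append(f"{mech}: {dom} passed but is not aligned with {hfrom}")
        findings.append({"source_ip": rec.findtext("row/source_ip"), "header_from": hfrom,
                         "disposition": ev.findtext("disposition"), "reasons": reasons})
    return findings
```

For the Outlook record this returns three reasons: a null envelope sender, an SPF result of `none` for the HELO name host.co22.uk, and no DKIM result.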
 