I need someone with DMARC working to do an Email Deliverability test at MXToolBox for me

IT_Architect

I need someone with DMARC working to do an Email Deliverability test at MXToolbox using their domain, to see if it works for them.

Does the MXToolbox Email Deliverability test work for you?
It doesn't seem to for me.
- If I do a SPF lookup it shows perfect.
- If I do a DKIM lookup it shows perfect.
- If I do a DMARC lookup it shows perfect.
- If I test the E-Mail server everything comes up perfect.
- If I select E-Mail deliverability I receive:
Problem DMARC Compliant
-->Problem SPF Alignment
-->Ok SPF Authenticated
-->Ok DKIM Alignment
-->Problem DKIM Authenticated
* Actually, I cannot see that what this portrays is even a possible situation with DMARC.

If I analyze what they show I sent them as a header, it would make sense that it would fail. In fact they wouldn't even get the E-Mail. They show:
- header From: reads: me@domain.com as it should
- d=domain in the DKIM-Signature reads: domain.com as it should
- (envelope-from is completely missing as is everything else other than received:
mx1tools.mxtoolbox.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 24 Nov 2018 16:19:15 -0600.

At any other destination, it shows:
return-path: <me@domain.com> - Used by SPF
envelope-to: him@hisdomain.com
Delivery-date: Sat, 24 Nov 2018 16:19:15 -0600
received: from mail by server.domain.com with spam-scanned (Exim 4.91)
(envelope-from me@domain.com) - Required for SPF
id 1gQfik-000I8n-JU
for him@hisdomain.com; Sat, 24 Nov 2018 16:19:15 -0600

DMARC
SPF:

a. Authentication: For SPF to be authenticated, the (envelope-from domain is used to look up the DNS SPF record for that domain, and the IP address of the email server communicating with the destination must be one of the IPs authorized to deliver E-Mail for that domain listed in the SPF record.
b. Alignment: DMARC requires the (envelope-from email address to match the header From: email address.

DKIM:
a. Authentication: The destination E-Mail server sees the E-Mail has a DKIM-Signature. In the clear, the signature record contains the version of DKIM used (v=), the encryption method used (a=), the type of signature (q=), relaxed or strict (c=), the name of the sending domain (d=), and the DKIM selector (s=). Using the domain in the d=, it fetches the public encryption key from the DKIM DNS text record, and decrypts the DKIM-Signature, which contains a hash for the combination of fields that the sending E-Mail server created. Then the destination E-Mail server performs its own MD5 hash on the same fields in the same order listed in the DKIM-Signature of the received E-Mail. The hash must calculate to the same number to be successful, indicating that none of the hashed fields have changed between sending and receiving.
b. Alignment: d= domain of the DKIM-Signature must align with the domain in the header From: (must exactly match for strict alignment, or must be a sub-domain for relaxed alignment). The only thing we know at this point is that the validated DKIM-Signature's domain in d= did in fact write the DKIM-Signature, and that nothing has changed. DMARC then checks if the E-Mail's header From: E-Mail domain matches the validated DKIM-Signature's d= domain, to prove that the validated DKIM-Signature is for the header From:'s domain.

Summary: The common alignment denominator between SPF and DKIM is the header From: E-Mail address in the received E-Mail. For SPF, the E-Mail address in (envelope-from must match it. For DKIM, the domain located in d= of the validated DKIM-Signature must match it. If an E-Mail is forwarded, SPF will fail because the forwarding E-Mail server no longer matches an IP address in the SPF record of the (envelope-from's server, unless they happen to be on the same E-Mail server. However, the DKIM will still succeed because it uses the domain listed in the DKIM-Signature d= where it finds the public key to verify the signature, and the E-Mail itself contains the header From: to compare to.

Here is my problem: At MXToolbox, when I test E-Mail Deliverability, I am looking at results that show SPF authenticates (using envelope-from address's domain, to look up the SPF DNS record and the IP address it finds matches the E-Mail server delivering the E-Mail), but SPF is not in alignment (envelope-from address does not match header From: address, which can easily be proven via plain text that it in fact does match),
and
the VALIDATED DKIM-Signature d= domain is in alignment with the header From: domain, but the DKIM-Signature does not authenticate, which is impossible for two reasons.

1. I can prove easily from plain text in the E-Mail that SPF is in alignment because I can see the (envelope-from E-Mail address and header From: are the same.

2. DMARC does not check for DKIM alignment between DKIM-Signature's d= domain and the header From: until AFTER the DKIM-Signature has been authenticated to ensure the d= value it is working with is real. However, they show it in alignment, but not having a DKIM-Signature authenticated d= domain to check with to determine if it is aligned. Moreover, SpamAssassin says: DKIM_VALID, which AFAIK means it has been validated cryptographically using the public key in the d=domain's DNS, and determined it unchanged, which means I can trust the d= domain that is visible in the DKIM-Signature record that MXToolBox says I cannot, and shows SPF_PASS, which contains the fields in plain text that I can verify contains the exact E-Mail address that is in (envelope-from, header From:, and the IP of the server sending the E-Mail, matches the SPF for the domain perfectly.

Hopefully this conveys why I'm interested to see the kind of results someone else gets with a known-good DMARC deployment before I pull out any more hair follicles on something that appears to me to be a test that doesn't work.

Thanks!
 
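An added example (not part of the original post and not MXToolbox's code): a minimal evaluator for the four sub-checks listed in the post above and the way RFC 7489 combines them into one DMARC result. The function names, the two-label organizational-domain shortcut and the sample inputs are assumptions made for illustration.

```python
from typing import Optional

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (so this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: Optional[str], mode: str = "r") -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain or not from_domain:
        return False  # nothing to compare, e.g. envelope-from was not recorded
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def domain_of(address: Optional[str]) -> Optional[str]:
    return address.rsplit("@", 1)[-1] if address and "@" in address else None

def evaluate(header_from, envelope_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, verifier result) pairs, one per signature."""
    from_dom = domain_of(header_from)
    spf_auth = spf_result == "pass"
    spf_align = aligned(domain_of(envelope_from), from_dom, aspf)
    dkim_auth = any(res == "pass" for _, res in dkim_sigs)
    # Alignment is a comparison on the d= value as written in the header.
    dkim_align = any(aligned(d, from_dom, adkim) for d, _ in dkim_sigs)
    # DMARC credits DKIM only when one signature both verifies and aligns.
    dkim_ok = any(res == "pass" and aligned(d, from_dom, adkim) for d, res in dkim_sigs)
    return {
        "spf_authenticated": spf_auth, "spf_aligned": spf_align,
        "dkim_authenticated": dkim_auth, "dkim_aligned": dkim_align,
        "dmarc_pass": (spf_auth and spf_align) or dkim_ok,
    }

# Constructed inputs using the thread's placeholder names.
GOOD = evaluate("me@domain.com", "me@domain.com", "pass", [("domain.com", "pass")])
FORWARDED = evaluate("me@domain.com", "me@domain.com", "fail", [("domain.com", "pass")])
NO_ENVELOPE = evaluate("me@domain.com", None, "pass", [("domain.com", "fail")])

if __name__ == "__main__":
    for name, r in (("good", GOOD), ("forwarded", FORWARDED), ("no envelope", NO_ENVELOPE)):
        print(name, r)
```

The `NO_ENVELOPE` input is constructed to reproduce the flag pattern in the tool's report; the other two cover the direct-delivery and forwarding cases from the summary.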

Richard G

Okay, I'll have a look for you.

Looks like I'm having the same issue as you're having:
Code:
    Problem Icon DMARC Compliant
        Problem Icon SPF Alignment
        Ok Icon SPF Authenticated
        Ok Icon DKIM Alignment
        Problem Icon DKIM Authenticated
And in my case also everything is fine. Strange, because I just also got Google reports which say SPF and DMARC and Dmarc auth are all pass.
 

Richard G

In my case there was a little red cross with the first hop, so from my home ip to my server, on the right side a red cross appeared with the "blacklist" field.
This is because my home ISP has dynamic ip ranges which like most home ISPs (at least in our country) are all listed by spamhaus.
Maybe that is causing the "mis-alignment" for spf and Dmarc in my case. Not sure, I'll send you the link to my results by PM.

Edit: Nope that's not the cause. I excluded this by sending mail directly from my server via webmail, so no home ip visible now. Still the same result for SPF alignment and DKIM Auth.
Maybe it's a bug with Mxtoolbox? As my Google and Microsoft reports don't complain about this.
Code:
    <auth_results>
      <dkim>
        <domain>mydomain.nl</domain>
        <result>pass</result>
        <selector>x</selector>
And postmarkapp is not complaining about dis-alignment either on the free weekly reports. So looks like an mxtoolbox issue.
 

IT_Architect

MxToolBox does not work for testing Email Deliverability. The header information they show as having been received, couldn't even deliver the E-Mail, let alone all of the missing envelope information necessary to test DMARC. Moreover, it is technically not possible to show something that has not been authenticated, to be in alignment, when the entity needed to check the alignment with, isn't available until after it has been authenticated. MxToolBox Email Deliverability wasted hours of my time trying to figure out what was wrong, checking the E-Mails over and over again for what I was missing, not being able to find anything wrong, and forcing me to rationalize a truth table that only proved that the results they were displaying were absolutely impossible. Then I still couldn't believe it until you confirmed that you received identical results as I did from your known-good DMARC headers. Also, if you use their Analyze Header, and paste in a known-good E-Mail header, it will actually show even worse than the messed up header you get when you use Email Deliverability.

Thanks TONS!!! for your help! It was a HUGE help. Now I can confidently add it to a real site.
 