Odd DMARC reject, how come? Also on auto forwarders

Richard G

I tested my SPF, DKIM and DMARC records on various testing sites and they look good.
I've looked it up and a notification of a script update of Softaculous is sent to a customer of ours.

From what I can see in the mail log, it looks like it was sent as root@server23.otherdomain.nl instead of a mail address I entered, but that should not be an issue because I added both MX and the server IP in the SPF record.

I masked the IP and domain in the example below.
Code:
v=spf1 a mx ip4:95.123.123.123 ~all
My DMARC record, which worked without issues for several years:
Code:
v=DMARC1; p=reject; rua=mailto:xxxxxxxujgbo@dmarc.postmarkapp.com, mailto:dmarc-spf@mydomain.nl; ruf=mailto:forensic@mydomain.nl; pct=100"
Now this happened on the notification mail:
Code:
Reporting-MTA: dns; server23.otherdomain.nl

Action: failed
Final-Recipient: rfc822;customer@xs4all.nl
Status: 5.0.0
Remote-MTA: dns; mx3.xs4all.nl
Diagnostic-Code: smtp; 550 5.7.1 DMARC failure for domain mydomain.nl, policy reject

It looks like an internal forward took place. Mails are sent from my domain, but originally created by root.
This is from the exim log:
Code:
1iKGFo-0008IS-E4 => noreply <noreply@mydomain.nl> F=<root@server23.otherdomain.nl> R=virtual_user T=dovecot_lmtp_udp
which says completed, and then gets rejected:

Code:
CV=yes: SMTP error from remote mail server after end of data: 550 5.7.1 DMARC failure for domain mydomain.nl, policy reject
So I don't understand this, because the hostname from root is another one, but that hostname is the MX address so rDNS record is present. I did not have this failing before.


Also, autoforwarders will generate reports like this. Sometimes half fail/half pass but sometimes fail like this.
Code:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>1876321465xxxxxxxx</report_id>
    <date_range>
      <begin>1571011200</begin>
      <end>1571097599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.nl</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>95.123.123.123</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.nl</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>server23.otherdomain.nl</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>
So the "evaluate" policy is already both fail, while the domain (at the bottom) is a domain which resolves to the correct ip address mentioned in the SPF.

What can I do to fix this, do I really have to specify this hostname in my SPF too? I never had to do this before, so I'm wondering what's happening.

Any help is appreciated.
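
An added example, not part of the original post: a short Python reader for an aggregate report of the shape shown above. DMARC passes only when SPF or DKIM returns pass for a domain that aligns with the header From domain, so the code lists each authenticated domain, its result and its alignment per record. The embedded report is a constructed sample trimmed from the one in the post, and the two-label `org_domain` helper is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the shape of the report in the post.
REPORT = """<feedback>
  <policy_published><domain>mydomain.nl</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>95.123.123.123</source_ip><count>2</count></row>
    <identifiers><header_from>mydomain.nl</header_from></identifiers>
    <auth_results>
      <spf><domain>server23.otherdomain.nl</domain><result>none</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: the last two labels form the organizational domain (true for
    # plain .nl names; production code should consult the Public Suffix List).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match), anything else = relaxed (same org domain)
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def explain(report_xml):
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"spf": pol.findtext("aspf", "r"), "dkim": pol.findtext("adkim", "r")}
    out = []
    for rec in root.iter("record"):
        hdr = rec.findtext("identifiers/header_from")
        checks = []
        for mech in ("spf", "dkim"):
            for res in rec.findall(f"auth_results/{mech}"):
                dom, result = res.findtext("domain"), res.findtext("result")
                is_aligned = aligned(dom, hdr, modes[mech])
                # A mechanism counts for DMARC only if it passed AND aligns.
                checks.append((mech, dom, result, is_aligned,
                               result == "pass" and is_aligned))
        out.append({"source_ip": rec.findtext("row/source_ip"), "header_from": hdr,
                    "checks": checks, "dmarc_pass": any(c[4] for c in checks)})
    return out

if __name__ == "__main__":
    for r in explain(REPORT):
        print(r["source_ip"], r["header_from"], "DMARC pass:", r["dmarc_pass"])
        for mech, dom, result, is_aligned, _ in r["checks"]:
            print(f"  {mech}: domain={dom} result={result} aligned={is_aligned}")
```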
 