Link to home
Start Free TrialLog in
Avatar of Dan Carp
Dan Carp

asked on

DMARC Fail when SPF & DKIM Pass

We have recently switched our DMARC policy from "none" to "quarantine".  We utilize MailChimp and have followed their instructions to add their server information to our SPF and DKIM records.  When we send out our test campaign, both SPF and DKIM pass but DMARC is failing.  As I understand it, this is because SPF and DKIM are passing based on the "mandrillapp.com" domain, but this doesn't match the domain in the From field (ourdomain.com).  Redacted message header from a test mailer is at the bottom.

Firstly, am I understanding the issue correctly?  Secondly, does somebody have a recommendation on what adjustment I can make so that these messages are not flagged?

It appears from this article (http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail) that I can take steps to obscure the from email address so that it is not suggesting that the message originates from myaddress@ourdomain.com.  Ideally, however we would prefer this to remain so that recipients can click reply directly.

Thanks in advance!

Header:
Received: from mail187-199.suw11.mandrillapp.com (mail187-199.suw11.mandrillapp.com [198.2.187.199])
	by dmarctest.org (8.14.9/8.14.9/dmarctest.org.mc-1.2) with ESMTP id u7VEDZkZ002452
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 07:13:38 -0700 (PDT)
	(envelope-from bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com)
DMARC-Filter: OpenDMARC Filter v1.3.0 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org/u7VEDZkZ002452; dmarc=fail header.from=ourdomain.com
Authentication-Results: dmarctest.org; spf=pass smtp.mailfrom=bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com
DKIM-Filter: OpenDKIM Filter v2.9.2 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org; dkim=pass reason="1024-bit key"
	header.d=mail187-199.suw11.mandrillapp.com header.i=myaddress@mail187-199.suw11.mandrillapp.com
	header.b=ZScFeS87; dkim-adsp=none; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail187-199.suw11.mandrillapp.com;
 h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type; i=myaddress@mail187-199.suw11.mandrillapp.com;
 bh=xxxxx=;
 b=xxxxx=
Received: from pmta01.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail187-199.suw11.mandrillapp.com id horj14174i4g for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 14:13:34 +0000 (envelope-from <bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; 
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1472652813; h=From : 
 Sender : Subject : To : Message-Id : Date : MIME-Version : Content-Type 
 : From : Subject : Date : X-Mandrill-User : List-Unsubscribe; 
 bh=xxxxx=; 
 b=xxxxx=
From: <myaddress@ourdomain.com>
Sender: <myaddress@mail187-199.suw11.mandrillapp.com>
Subject: MailChimp Template Test - "Mailer Subject"
X-Accounttype: ff
X-Auto-Response-Suppress: OOF, AutoReply
Auto-Submitted: auto-generated
To: <autoreply@dmarctest.org>
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=9656357.xxxxx
X-Mandrill-User: md_9656357
Message-ID: <9656357.20160831141333.57c6e60de94781.11430196@mail187-199.suw11.mandrillapp.com>
Date: Wed, 31 Aug 2016 14:13:33 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-Ps-Vnv22FE1bQqTaBly1nw"

Open in new window

SOLUTION
Avatar of btan
btan

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of btan
btan

Otherwise if the Adding of your "from" as per last shared into the SPF and DKIM is not possible, you may have to consider those which can like Yahoo and AOL, though it is not representative to your original "From" domain
For best results, we recommend you switch to a domain you own. However, if you use Yahoo or AOL Mail and can’t register your own domain, we can help you avoid delivery problems. We’ll automatically add send.mailchimpapp.com or mail.mailchimpapp.com to your Yahoo or AOL address to help ensure delivery. This process is currently only available for Yahoo and AOL addresses.
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Great to hear that. Thanks for sharing.
You still have to publish a DMARC policy for that domain, which you're not right now
https://dmarcian.com/dmarc-inspector/mandrillapp.com
-rich
Avatar of Dan Carp

ASKER

Solved issue with further testing
Sorry for any confusion, Rich - I was using ourdomain.com as a placeholder.  We do have a published DMARC policy for our actual domain.  Thanks for checking!