Dan Carp
asked on
DMARC Fail when SPF & DKIM Pass
We have recently switched our DMARC policy from "none" to "quarantine". We utilize MailChimp and have followed their instructions to add their server information to our SPF and DKIM records. When we send out our test campaign, both SPF and DKIM pass but DMARC is failing. As I understand it, this is because SPF and DKIM are passing based on the "mandrillapp.com" domain, but this doesn't match the domain in the From field (ourdomain.com). Redacted message header from a test mailer is at the bottom.
Firstly, am I understanding the issue correctly? Secondly, does somebody have a recommendation on what adjustment I can make so that these messages are not flagged?
It appears from this article (http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail) that I can take steps to obscure the from email address so that it is not suggesting that the message originates from myaddress@ourdomain.com. Ideally, however, we would prefer this to remain so that recipients can click reply directly.
Thanks in advance!
Header:
Received: from mail187-199.suw11.mandrillapp.com (mail187-199.suw11.mandrillapp.com [198.2.187.199])
by dmarctest.org (8.14.9/8.14.9/dmarctest.org.mc-1.2) with ESMTP id u7VEDZkZ002452
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 07:13:38 -0700 (PDT)
(envelope-from bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com)
DMARC-Filter: OpenDMARC Filter v1.3.0 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org/u7VEDZkZ002452; dmarc=fail header.from=ourdomain.com
Authentication-Results: dmarctest.org; spf=pass smtp.mailfrom=bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com
DKIM-Filter: OpenDKIM Filter v2.9.2 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org; dkim=pass reason="1024-bit key"
header.d=mail187-199.suw11.mandrillapp.com header.i=myaddress@mail187-199.suw11.mandrillapp.com
header.b=ZScFeS87; dkim-adsp=none; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail187-199.suw11.mandrillapp.com;
h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type; i=myaddress@mail187-199.suw11.mandrillapp.com;
bh=xxxxx=;
b=xxxxx=
Received: from pmta01.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail187-199.suw11.mandrillapp.com id horj14174i4g for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 14:13:34 +0000 (envelope-from <bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1472652813; h=From :
Sender : Subject : To : Message-Id : Date : MIME-Version : Content-Type
: From : Subject : Date : X-Mandrill-User : List-Unsubscribe;
bh=xxxxx=;
b=xxxxx=
From: <myaddress@ourdomain.com>
Sender: <myaddress@mail187-199.suw11.mandrillapp.com>
Subject: MailChimp Template Test - "Mailer Subject"
X-Accounttype: ff
X-Auto-Response-Suppress: OOF, AutoReply
Auto-Submitted: auto-generated
To: <autoreply@dmarctest.org>
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=9656357.xxxxx
X-Mandrill-User: md_9656357
Message-ID: <9656357.20160831141333.57c6e60de94781.11430196@mail187-199.suw11.mandrillapp.com>
Date: Wed, 31 Aug 2016 14:13:33 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-Ps-Vnv22FE1bQqTaBly1nw"
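The identifier alignment check behind the dmarc=fail result in the header above, as an added example that is not part of the original post: it takes the spf and dkim Authentication-Results values from that header and compares each authenticated domain with the From domain. The function names and the org_domain() shortcut (last two labels instead of a Public Suffix List lookup) are assumptions made for this example.

```python
import re

# Authentication-Results values copied from the header in the question
# (folded continuation lines joined).
AUTH_RESULTS = [
    "dmarctest.org; spf=pass smtp.mailfrom=bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com",
    'dmarctest.org; dkim=pass reason="1024-bit key" header.d=mail187-199.suw11.mandrillapp.com '
    "header.i=myaddress@mail187-199.suw11.mandrillapp.com",
]
FROM_HEADER = "<myaddress@ourdomain.com>"


def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, strict=False):
    # Strict mode needs an exact match; relaxed mode compares org domains.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def authenticated_domains(auth_results):
    """Return [(mechanism, domain)] for every spf/dkim result that passed."""
    found = []
    for value in auth_results:
        if re.search(r"\bspf=pass\b", value):
            m = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", value)
            if m:
                found.append(("spf", m.group(1)))
        if re.search(r"\bdkim=pass\b", value):
            m = re.search(r"header\.d=([^\s;]+)", value)
            if m:
                found.append(("dkim", m.group(1)))
    return found


def dmarc_result(from_header, auth_results, aspf_strict=False, adkim_strict=False):
    # DMARC passes only if a passing SPF or DKIM domain aligns with From.
    from_domain = re.search(r"@([^\s>]+)", from_header).group(1)
    for mech, domain in authenticated_domains(auth_results):
        strict = aspf_strict if mech == "spf" else adkim_strict
        if aligned(domain, from_domain, strict):
            return "pass", mech, domain
    return "fail", None, None
```

Calling `dmarc_result(FROM_HEADER, AUTH_RESULTS)` returns `("fail", None, None)`, matching the dmarc=fail line in the header: both mechanisms pass, but only for mandrillapp.com domains.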
Otherwise, if adding your "from" (as per the last shared) into the SPF and DKIM is not possible, you may have to consider those which can, like Yahoo and AOL, though it is not representative of your original "From" domain.
Great to hear that. Thanks for sharing.
You still have to publish a DMARC policy for that domain, which you're not right now.
https://dmarcian.com/dmarc-inspector/mandrillapp.com
-rich
ASKER
Solved issue with further testing
ASKER
Sorry for any confusion, Rich - I was using ourdomain.com as a placeholder. We do have a published DMARC policy for our actual domain. Thanks for checking!