0

If I update my DMARC policy to quarantine or reject, do email receivers check both the SPF and DKIM verification checks or just one? Or is it implementation dependent, i.e. email receivers can implement in varying ways?

I have been monitoring DMARC reports for a few weeks, and certain email service providers have a 100% DKIM pass rate but a 0% SPF pass rate even though I followed the sender's CNAME configurations as instructed. I am wondering if this is fine and DMARC will pass the verification step as DKIM has been successful.

n00b
  • 103
  • 3
  • "Some providers" as in *all* mail sent to those is reported as failing SPF? Check whether your SPF record has a syntax problem or exceeds the query limits! Most providers only report a bunch of forwarded mail, the bulk of your outgoing mail should be reported as both SPF and DKIM verifying & aligning. – anx Jun 01 '21 at 04:38
  • Also, check the Return-Path address used in those emails, because that domain is the one used for the SPF check. If it doesn't align with your FROM domain, it will also fail. With CNAME setups, you usually have a subdomain used for the Return-Path address (as you shouldn't setup a CNAME at the root of the domain). If your DMARC policy uses an `ASPF` tag with value `s`, it will fail on alignment as well. – Reinto Jun 01 '21 at 07:08
  • Yes, all mail sent by Hubspot had a 0% SPF pass rate. Google has a 89% SPF pass rate also, but some of those were because google calendar were forwarding emails and so it's expected. Going back to my original question though, and considering emails sent from Google, would the emails that were forwarded and not passing the SPF check but passing the DKIM check end up being quarantined/rejected? – n00b Jun 01 '21 at 14:45

1 Answers1

1

DMARC requires EITHER DKIM or SPF to pass AND be in alignment with the visible from domain to pass DMARC. Yes, ideally, both SPF and DKIM should pass as some things break DKIM while other things break SPF, but you can consistently pass DMARC with only DKIM or SPF passing AND in alignment.

So if DKIM has passed consistently AND is in alignment then that's passing DMARC. Search for the d= domain in the headers. Is it the visible from domain or, at least, a subdomain of the visible from domain?

Neil Anuskiewicz
  • 461
  • 1
  • 3
  • 15