3

I recently implemented DMARC in monitoring mode, in order to begin preparing all the domains I manage. Here is the aggregate report for yesterday. I don't understand why DKIM would evaluate to false under policy_evaluated when DKIM is marked pass under auth_results. This domain (mydomain.io) sent one message yesterday (my own server is the SMTP server) to another domain I manage (myotherdomain.net) whose MX is Google Apps.

    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>xxx711</report_id>
        <date_range>
          <begin>1469923200</begin>
          <end>1470009599</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>my.domain.io</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>23.92.28.xx</source_ip>
          <count>1</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>fail</dkim>
            <spf>pass</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>mydomain.io</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>myotherdomain.net</domain>
            <result>pass</result>
          </dkim>
          <spf>
            <domain>mydomain.io</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
    </feedback>

Marco
samh
  • Did you post the right report? That has an SPF pass in auth_results and policy_evaluated. It would likely be more helpful to you if you got an answer for the actual report that failed. – Marco Aug 02 '16 at 09:08
  • Yes. Under auth_results I see DKIM and SPF both passed. Above that, in the policy_evaluated node, what does DKIM fail indicate? – samh Aug 02 '16 at 11:11

1 Answer

2

It is failing because the domain isn't aligned for DKIM.

The result in <policy_evaluated> is assessed as follows:

  1. Is the result in <auth_results> pass?
  2. Is the domain in <auth_results> aligned? That is, is the domain in <auth_results> the same domain as in <policy_published>?

If the answers to 1 and 2 are Yes then the result is pass, otherwise it is fail.

In your case, for DKIM #1 is Yes, but #2 is No because the domain in <policy_published> is mydomain.io but the domain reported in the <auth_results> for DKIM is myotherdomain.net.

MSC
  • myotherdomain.net is the receiving domain. – samh Aug 24 '16 at 11:44
  • According to the DMARC Spec, the receiving domain is not reported in RUA reports. How did you set up DKIM for "mydomain.io"? Are you using the same as the "myotherdomain.net"? – Edwin Jaime Aug 24 '16 at 14:32
  • Can you point me to specs on the RUA reports? – samh Aug 24 '16 at 14:41
  • myotherdomain.net is a Google Apps domain, so everything handled by Google. mydomain.io is my smtp server (Postfix/opendkim), although (1) DNS is handled in the same manager for both domains so it's possible I've screwed up something there and (2) the mydomain.io server *can* send mail from myotherdomain.net so… it sounds like outgoing mail is being signed with the wrong DKIM signature? – samh Aug 24 '16 at 14:46
  • The article at this [link](https://blog.returnpath.com/how-to-read-your-first-dmarc-reports-part-1/) is a brief introduction to the information in the RUA reports. Also, section 7.2 of the DMARC Spec [link](https://tools.ietf.org/html/rfc7489#page-30) talks about the RUA reports. – Edwin Jaime Aug 24 '16 at 17:20
  • I agree. I think the DKIM signatures are being mixed and that is what is causing the failure. – Edwin Jaime Aug 24 '16 at 17:21
  • Found the typo buried in my SigningTable. Thanks for your help all around. – samh Aug 24 '16 at 18:25
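
An added example (not part of the original thread or any participant's code): Python that recomputes the DKIM and SPF verdicts of an aggregate report and lists domains that authenticated but are not aligned. Alignment is checked against `header_from`, the RFC5322.From domain that RFC 7489 uses for identifier alignment. The sample report is constructed from the one in the question, and `org_domain` is a simplified stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report in the question (IP is a documentation address).
SAMPLE = """<feedback>
  <policy_published><domain>mydomain.io</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.io</header_from></identifiers>
    <auth_results>
      <dkim><domain>myotherdomain.net</domain><result>pass</result></dkim>
      <spf><domain>mydomain.io</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real evaluators consult the Public Suffix List (RFC 7489 section 3.2).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match); anything else is treated as relaxed.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(report_xml):
    """Recompute the per-record DKIM/SPF verdicts and flag unaligned passes."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"dkim": pol.findtext("adkim", "r"), "spf": pol.findtext("aspf", "r")}
    findings = []
    for rec in root.iter("record"):
        hdr_from = rec.findtext("identifiers/header_from", "")
        for mech in ("dkim", "spf"):
            # A record may carry several <dkim> results (one per signature).
            results = [(e.findtext("domain", ""), e.findtext("result", ""))
                       for e in rec.findall(f"auth_results/{mech}")]
            ok = [d for d, r in results if r == "pass" and aligned(d, hdr_from, modes[mech])]
            bad = [d for d, r in results if r == "pass" and not aligned(d, hdr_from, modes[mech])]
            findings.append({"source_ip": rec.findtext("row/source_ip"),
                             "mechanism": mech, "header_from": hdr_from,
                             "computed": "pass" if ok else "fail",
                             "reported": rec.findtext(f"row/policy_evaluated/{mech}"),
                             "unaligned_pass_domains": bad})
    return findings

if __name__ == "__main__":
    for finding in evaluate(SAMPLE):
        print(finding)
```

A non-empty `unaligned_pass_domains` for DKIM means the message carried a valid signature whose signing domain belongs to a different domain than the From header, which is the pattern a wrong signing-table entry produces.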