1

I've implemented a DMARC policy on a few domains and am closely monitoring the reports I'm receiving from Google, Yahoo, Hotmail, etc., looking forward to being able to switch from p=none to p=reject.

99% of all emails from the appropriate IPs are now passing both DKIM and SPF checks and 99% of all failures are from IP addresses I don't recognise.

Nearly perfect!

1% however are emails from the correct IP, failing DKIM.

The DMARC reports provide no way I can see to assist in determining anything about the emails which are failing. If I could just know the subject, the message ID - something, I'd be able to fix it.

Is there absolutely no way to do this?

TY

Claud

3 Answers

2

The Failure Reports (ruf=) option should be what you are looking for. More at https://dmarc.org/wiki/FAQ#Do_I_want_to_receive_Failure_Reports_.28ruf.3D.29.3F and https://www.rfc-editor.org/rfc/rfc7489#section-7.3.

Community
user228011
0

Some ESPs (Email Service Providers) use their own DKIM validators and they have bugs in them. So your DKIM will pass at 95% of the ESPs and, let's say, the remaining 5% have a bug in them, failing your DKIM for whatever reason. I have seen this time and time again and it's not your fault, just the fault of a bad component at that ESP.

Testers like MailTest check your DKIM with 4 different providers and even they say in their knowledge base that discrepancies can occur because of bugs in the individual validator in question. It's not going to be 100% perfect, but if you keep your DKIM signature simple (use Relaxed canonicalization instead of Simple), don't sign repeating fields, don't sign the same field twice, etc. Anything that will confuse a validator, try to avoid.

Henry
0

I suggest the following:

  1. Check the MTAs reporting that your IP is failing: To do this, look in the RUA reports or the RUF reports in which your IP is failing and identify the reporter.

Might be a problem with a single reporter.

  2. Check if the failure is happening at the moment of verifying SPF/DKIM or at the moment of the alignment evaluation.

Get a RUA report where the IP fails. Then go to the specific record. Check the tag <result>. Is it marked as PASS?

If it is marked as PASS then the IP failed at the moment of alignment verification. To confirm it, check what domain was verified in SPF/DKIM.

I hope I was clear enough. If not please let me know how so that I can edit my answer better.

Mr Lister
  • Thanks for the suggestions. I can see what reporter it is. I can see why it's failing. It's emails emanating from my server (which sends 1000s, from multiple accounts) - the IP is passing tests in these emails. But not DKIM. I suspect they're coming from some old software somewhere on my server. But I can't find where. If the DMARC reports gave me just a bit more specific information about the emails which are failing, I'd be able to find the source and fix it. Not possible I don't believe. – Claud Jul 11 '16 at 09:18
  • Do you have the RUF reports? There are some tags called "authorisation results" or something like that which gives a brief explanation about the failure cause – Edwin Jaime Jul 13 '16 at 01:13
  • Thanks. But I know how the emails in question are failing. I just can't identify which emails it is. Where that email is coming from (it's coming from my server). – Claud Jul 14 '16 at 09:27
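The two checks from the last answer, written out as an added example that is not part of any of the posts above: it walks an aggregate (RUA) report, keeps the records where a given source IP failed the DKIM evaluation, and separates verification failures from alignment failures. The report, IP addresses, domains and selectors are constructed sample data, and the function name `dkim_failures` is hypothetical. The `d=` domain and the optional selector in `<auth_results>` are the most specific fields an aggregate report carries about the signer.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout. 192.0.2.10 stands in
# for the sender's own server; every domain and selector here is made up.
_REC = """<record>
 <row><source_ip>{ip}</source_ip><count>{n}</count>
  <policy_evaluated><dkim>{ev}</dkim><spf>pass</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>{d}</domain><selector>{s}</selector>
  <result>{r}</result></dkim></auth_results>
</record>"""
SAMPLE_RUA = (
    "<feedback><report_metadata><org_name>reporter.example</org_name></report_metadata>"
    + _REC.format(ip="192.0.2.10", n=940, ev="pass", d="example.com", s="s1", r="pass")
    + _REC.format(ip="192.0.2.10", n=3, ev="fail", d="oldapp.example.net", s="legacy", r="pass")
    + _REC.format(ip="192.0.2.10", n=2, ev="fail", d="example.com", s="s1", r="fail")
    + _REC.format(ip="198.51.100.7", n=5, ev="fail", d="spoof.example.org", s="x", r="pass")
    + "</feedback>")

def dkim_failures(rua_xml, my_ip):
    """Return one dict per record where my_ip failed the DMARC DKIM evaluation."""
    root = ET.fromstring(rua_xml)
    for el in root.iter():                    # some reporters add an XML namespace
        el.tag = el.tag.rsplit("}", 1)[-1]
    reporter = root.findtext("report_metadata/org_name", "?")
    found = []
    for rec in root.iter("record"):
        if ((rec.findtext("row/source_ip") or "").strip() != my_ip
                or rec.findtext("row/policy_evaluated/dkim") != "fail"):
            continue
        sigs = [(s.findtext("domain"), s.findtext("selector"), s.findtext("result"))
                for s in rec.findall("auth_results/dkim")]
        if not sigs:
            stage = "unsigned"        # the reporter saw no DKIM signature at all
        elif any(result == "pass" for _, _, result in sigs):
            stage = "alignment"       # a signature verified, but its d= did not align
        else:
            stage = "verification"    # signature(s) present, none verified
        found.append({"reporter": reporter, "stage": stage, "signatures": sigs,
                      "count": int(rec.findtext("row/count", "0")),
                      "header_from": rec.findtext("identifiers/header_from")})
    return found

if __name__ == "__main__":
    for f in dkim_failures(SAMPLE_RUA, "192.0.2.10"):
        print(f["reporter"], f["count"], f["stage"], f["signatures"])
```
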