0

We're sending emails. We're sending thousands of emails per day because we have our customers who'd like to be informed by us (and we do have their consents ;) ).

And we've just enabled DMARC with p=none to see what will happen. And here it comes:

<?xml version="1.0"?>   
<feedback>  
  <report_metadata> 
    <org_name>Yahoo! Inc.</org_name>    
    <email>postmaster@dmarc.yahoo.com</email>   
    <report_id>report.id.here</report_id>   
    <date_range>    
      <begin>1545350400</begin> 
      <end>1545436799</end> 
    </date_range>   
  </report_metadata>    
  <policy_published>    
    <domain>our-email-domain.tld</domain>   
    <adkim>r</adkim>    
    <aspf>r</aspf>  
    <p>none</p> 
    <pct>100</pct>  
  </policy_published>   
  <record>  
    <row>   
      <source_ip>209.85.221.48</source_ip>  
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>our-email-domain.tld</header_from>   
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>gmail.com</domain>  
        <result>neutral</result>    
      </dkim>   
      <spf> 
        <domain>gmail.com</domain>  
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 
  <record>  
    <row>   
      <source_ip>212.227.15.3</source_ip>   
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>our-email-domain.tld</header_from>   
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>srs.web.de</domain> 
        <result>neutral</result>    
      </dkim>   
      <spf> 
        <domain>srs.web.de</domain> 
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 
  <record>  
    <row>   
      <source_ip>212.227.15.3</source_ip>   
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>our-email-domain.tld</header_from>   
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>web.de</domain> 
        <result>neutral</result>    
      </dkim>   
      <spf> 
        <domain>web.de</domain> 
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 
  <record>  
    <row>   
      <source_ip>OUR.MX.IP</source_ip>  
      <count>175</count>    
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>pass</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>our-email-domain.tld</header_from>   
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>our-email-domain.tld</domain>   
        <result>neutral</result>    
      </dkim>   
      <spf> 
        <domain>our-email-domain.tld</domain>   
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 
  <record>  
    <row>   
      <source_ip>77.238.176.162</source_ip> 
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>our-email-domain.tld</header_from>   
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>our-email-domain.tld</domain>   
        <result>neutral</result>    
      </dkim>   
      <spf> 
        <domain>our-email-domain.tld</domain>   
        <result>softfail</result>   
      </spf>    
    </auth_results> 
  </record> 
</feedback>

This is a report from Yahoo, and I see pretty similar reports from Google and many other ESPs.

  1. 209.85.221.48 - Google forwarding email to Yahoo ?
  2. 212.227.15.3 - web.de forwarded to Yahoo twice from different hosts ??
  3. 77.238.176.162 - Yahoo host forwarded to another Yahoo host ???

What will happen to all of these emails when I turn p=quarantine? I can understand if one wants to receive emails from all his maiboxes in one. What I can't understand - why ESPs analyze DKIM/SPF when transferring messages between their own hosts? Policies supposed to fail in this case and recipient will receive it in Spam in case of p=quarantine, no?

insane
  • 45
  • 2
  • 8

1 Answers1

1

To answer your specific questions:

  1. Yes, that seems right.
  2. Yes, that seems right.
  3. Yes, that seems right.

There are many examples of when these situations occur. Simple forwarding rules to receive your work email in your personal email box is one. Another one is when your company (as the recipient) uses GSuite and uses Groups (distribution lists) to forward emails to their final destination, the users. Google will report on this in DMARC as well.

Another common case is when external email security filters forward inbound emails to an email server that checks for DMARC compliance and sends reports.

What will happen to all of these emails when I turn p=quarantine?

Generally, DMARC will pass when either SPF or DKIM generate a pass result in alignment with the Header.From domain, found in the <identifiers> node in the XML report. Those results are listed in the <policy_evaluated> node.

In all of your examples, the <policy_evaluated> results show a DKIM Pass result, so it should pass DMARC. However, in your examples all of the DKIM evaluations in the <auth_results> node show a neutral result for DKIM, including the one sent from your MX record IP address.

RFC 7601 states the following on a neutral result for DKIM:

neutral: The message was signed, but the signature or signatures contained syntax errors or were not otherwise able to be processed. This result is also used for other failures not covered elsewhere in this list.

This could be a specific issue with Yahoo's DKIM checker, but best to check the DKIM status in Google's (and others) DMARC reports as well.

Final advice: Go check the DKIM results in other DMARC reports before moving to p=quarantine.

Community
  • 1
  • 1
Reinto
  • 885
  • 6
  • 9
  • Seems like Yahoo does some weird things. Usually, reports from all Yahoo's submitters have both DKIM and SPF passed in both policy_evaluated and auth_results. But from time to time with pass in policy_evaluated Yahoo reports neutral or even softfail for auth_results. I have no idea how to interpret this. Another thing I'm thinking about is enabling RUF collection for domains: for ~million of emails with 'pass' I see ~5k failed in any way. Might RUF help clarify anything here or I will die under huge amount of reports? ;) – insane Jan 17 '19 at 14:45
  • You could try, but I have yet to find a reporting organization that still sends forensic reports. Keep in mind, those forensic reports can contain sensitive information or PII data. You need to treat that accordingly. Also, you'll receive (in theory) one forensics report per failed email. Do you want to receive 5k failure reports? So: It might clarify a bit and you probably won't die, because nobody ever sends those reports anyway ;) – Reinto Jan 18 '19 at 10:02