Here's a key segment of the DMARC report from Yahoo, who rejects SOME of our messages [replaced some identifying info with text in brackets]:

<feedback>
<report_metadata>
  <org_name>Yahoo! Inc.</org_name>
  <email>postmaster@dmarc.yahoo.com</email>
  <report_id>1586827611.704931</report_id>
  <date_range>
    <begin>1586736000</begin>
    <end>1586822399</end>
  </date_range>
</report_metadata>
<policy_published>
  <domain>[our_domain.com]</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>none</p>
  <pct>100</pct>
</policy_published>
<record>
  <row>
    <source_ip>54.240.8.126</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>[our_domain.com]</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>amazonses.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

<record>
  <row>
    <source_ip>54.240.8.200</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>[our_domain.com]</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>amazonses.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

Note how both of those example records show SPF fail in the Policy Evaluated block, but show it as passing under Auth Results. I don't really have anything else to go on from Yahoo at this time, so I assume that SPF fail is the reason for the rejection. There are many more equivalent blocks that follow the same pattern.

The IP number is a valid Amazon SES IP #. DMARC and DKIM both appear to work from various online tests. None of these are bulk messages. These are individual responses to users, like account validation or acknowledgement emails from specific individual user activities on our site.

Here's our SPF, with IP numbers masked: "v=spf1 mx a ip4:64.xx.xx.xx/29 ip4:70.xx.xx.xx ip4:71.xx.xx.xx ip4:71.xx.xx.xx include:amazonses.com -all"

Why are we getting the SPF Fail? How can we fix this so our messages aren't rejected by Yahoo?

Thanks.

Edit: Here are the full headers of one such rejected message (with actual email and our domain names redacted):

X-Atlas-Received: from 10.224.12.175 by atlas111.aol.mail.gq1.yahoo.com with http; Thu, 23 Apr 2020 16:14:40 +0000
X-Apparently-To: <actual_address_removed>@aol.com; Thu, 23 Apr 2020 16:14:40 +0000
Return-Path: <01000171a7d1cd9d-a4da0317-f2e3-43a7-b5bc-94eff7eaf009-000000@amazonses.com>
Authentication-Results: mta4117.aol.mail.gq1.yahoo.com; 
 dkim=pass (ok) header.i=@<our_company_name>.com header.s=giaoxm2ym4vikpjehhjenjnl6444uis2;
 dkim=pass (ok) header.i=@amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono;
 spf=pass smtp.mailfrom=@amazonses.com;
 dmarc=pass(p=none sp=NULL dis=none) header.from=<our_company_name>.com;
Received-SPF: pass (domain of amazonses.com designates 54.240.8.53 as permitted sender)
X-YMailISG: CcEFtBoWLDvi4CGis8y3PqwppIYY9ZCAvHAOhn_bv8vPs0AV
 rn0oMrrapzG0pn4qONWnjax1._lnXoOF68git1olkJyls_JSxFbzj82K5ZS_
 S0rU87wPbSHakQJe.tQzvCSyixnd_KIMHz0y9QbgTDqXKM2JSoPG2fRxqpXK
 HTlokY6wBJlzljm0ZngmTp1NQjpKmVr7RENfAI.EfwuwhMVwYftkHbtj5zSQ
 nh04Z0qZHoTWMWPLehmzOHg_uiizixeP9JUR4O_Bp0hXDAU_BVSVeyzGDs68
 hlBJ8u1JwJRI4DHJJvNh8edIIt.kDUI3Qpu6G7z_Nr4hUSFZYEzD7AsKrwuR
 MEmZCSdV8Qo9jWhiUv7Zr12CZUP98wPPrdWrSgGmvC2rofbA_W5zZpbB49yk
 1b0k7H8Gelt3wgN91gNEE6g6xECo1jer5pyhXTcMwi3AyRjaZ88lNO50TIRj
 vfjru.DkH7LZU460ZzeqXjcnblyoortEqkgh4xiaXEQQ6i_kv6Gt3._AJV56
 .oCOCSzsdBWIGBlPjb4LyfMQ8YCTQ4nzr5iJiVobpRLhOhV6EZObuetTj6M2
 66mXq.8kmJv5kOIUV1fizGqNKQutLJqBRWFpB39PPeqrWkpirHYtX3apglwx
 lsGMil9PCU3HI5zgFYu4Lku2XtN05Z2xoRIRU8v7wV7yZp31H8IsrLUOF2tF
 MK.Bwc3.Uat81mb5xV8qFvDCWqyAXTX3y_u3_DrPv3DqwqC1kHB6ZjeBHe.j
 2ot0Ea212Ut3xSpndy3hjNGGcr5fkFqhpkAaSNMTttIhMel5fNuGwYKGtEYR
 XrIGb7U8O5oTmAlbframOIS6jL6oskL_d_.v37uhMd_VLufAtGmX6zsC2P71
 4ZmTzEmwxjwJgkB4MTGGgZHFLLJs1rZRxXXCC1xLcPFCPtDeyUFEV6EuxUe3
 EQ9ruEQWYkeslhUMTehj4sDpWbVYHae8Pchn0qe3sCWk7rmuzwrEN3WxsNXU
 vNUx68D0D5icPUSYPj7ILoEmu87Z1Ej9IrGI809s6uoUfRqaPp6AT3xxY342
 bR7EgBaQ_9jORY3dliPQUMdRcqs.Ru0Sda1dNIYsoOrlzgtSNeGyZvCjXWWN
 mS60EjPI.7llVBg6fP3DIRkMsTk24qYC1pxabaeSQx5H0KggIKnX9FtkqT4J
 GdckRkwYZjNXQvZ6XaQrx.o6rRvwTXXVUFj2SpnbJH.BnG2eaBdm8obU7X4x
 UoN1Xp.0VmNzM5I00OZsF9mkVAIcCQT9598RzGhwqSyvDoEcEDgYDfoRC2A-
X-Originating-IP: [54.240.8.53]
Received: from 10.214.167.54  (EHLO a8-53.smtp-out.amazonses.com) (54.240.8.53)
  by mta4117.aol.mail.gq1.yahoo.com with SMTPS; Thu, 23 Apr 2020 16:14:38 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=giaoxm2ym4vikpjehhjenjnl6444uis2; d=<our_company_name>.com; t=1587658477;
    h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding;
    bh=G4gMaJmVInxsQu2V0h67izukeixOJ+yCOG+lPDbSqVA=;
    b=As+UqkIhe1ukxkMdJAOHMz5d8kNTgPQhopyM/xSrzWKAQxUI7R77wqwNTypbwv3L
    A3X5Ge6enmszGh4+Yk095QKEKmNEvxZTlMaauIGWiZ7b5CdDXKcXXNlZWwIoj41wE5g
    q/l2KXWLr9M50g52OsfUVE2Wk5uIg6V9BynW4wPc=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1587658477;
    h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID;
    bh=G4gMaJmVInxsQu2V0h67izukeixOJ+yCOG+lPDbSqVA=;
    b=AQOCZPO5Ss5EuE2RYxPgXAlhwSmRu3sT6DJMKFKZhsk6MqsFaw2sGcyO8tmNA8hH
    RNUJxMn+6djrbeEeadWyRdcrtRRjv1qvzE4OWi/kUi6cizPDFuUbFogyneLcrXwR+ea
    q0YOohJ5lLsXq0UAL063QYvQUozAQoGpjZLOcZBY=
Date: Thu, 23 Apr 2020 16:14:37 +0000
From: <our_company_name> <support@<our_company_name>.com>
To: <actual_address_removed>@aol.com
Message-ID: <01000171a7d1cd9d-a4da0317-f2e3-43a7-b5bc-94eff7eaf009-000000@email.amazonses.com>
Subject: Welcome to <our_company_name>!
Mime-Version: 1.0
Content-Type: multipart/mixed;
 boundary="--==_mimepart_5ea1beece1a63_d2b147c2f30a844718b";
 charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SES-Outgoing: 2020.04.23-54.240.8.53
Feedback-ID: 1.us-east-1.gvVSwkDXSEQOQySqTyuHX/jqlYce4T0W3U/naBBJjHU=:AmazonSES
Content-Length: 4609
  • There is not enough info in aggregate reports to diagnose this - You need to look at the headers of the individual received messages to see why a specific message has failed, or enable forensic reporting in your DMARC config. – Synchro Apr 15 '20 at 09:01
  • @Synchro, added header as requested. – GraniteStateColin Apr 23 '20 at 21:25
  • You have an alignment issue. The return-path domain and from address use different domains, so you can get a DMARC fail even when SPF and DKIM pass. It is apparently possible to change the envelope sender on AWS. I think you’ll find this question useful: https://superuser.com/questions/715926/dmarc-email-spf-policy-evaluated-auth-result-have-inconsistent-status – Synchro Apr 23 '20 at 21:43
  • @Synchro, that does look like a related issue, but there was no solution offered. That fits with the problem I described where this might be fixed by setting the From value in SES, but as far as I can tell, that's not possible where we're also using the same domain for our regular mail through an Exchange server, and a subdomain doesn't appear to be an option to address this. That seems a common scenario -- anyone with the same web and email domain using SES should experience this. Any ideas how to fix it? – GraniteStateColin Apr 24 '20 at 10:58
  • You should be able to set up a cname record pointing at AWS, use that as your envelope sender, and then you will have relaxed alignment. I think there’s a link in that answer for how to do that. – Synchro Apr 24 '20 at 16:03
  • @Synchro, I don't understand that and don't see any coverage on this in those links. I thought Amazon SES requires there only be a single MX record. How does a subdomain get around that? Also, I thought only A records can go in an MX record, not a CNAME. Lastly, by "use that as your envelope sender," do you mean set the Mail From value to be the CNAME field set above? If you could detail this in a full answer for all of us on SES with a similar problem, I think this could be helpful to many people -- anyone with a domain both for SES sending and regular email. I'll gladly mark it as the answer. – GraniteStateColin Apr 26 '20 at 02:13
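The alignment point raised in the comments is what the report above is showing: the `<auth_results>` block records the raw SPF verdict for the envelope sender (`amazonses.com`, which passes), while `<policy_evaluated>` records whether that passing identifier is aligned with the RFC5322.From domain. The following is an added example, not code from the question or from Amazon SES, that re-derives the `<policy_evaluated>` verdicts from `<auth_results>` so the difference is visible. The sample report is constructed and modelled on the one quoted in the question, with `our_domain.example` standing in for the redacted domain, the second DKIM signature (`d=our_company_name.com`) that appears in the pasted headers added to the first record, and a second record invented to show what the same mail looks like once the envelope sender is moved to a subdomain (`bounce.our_domain.example`, a hypothetical name) as the comments suggest. The organizational-domain helper is a deliberate simplification (last two labels); real evaluators use the Public Suffix List.

```python
"""Re-derive DMARC policy_evaluated verdicts from auth_results (RFC 7489 alignment)."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Yahoo aggregate report in the question.
# our_domain.example and bounce.our_domain.example are placeholders.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>Yahoo! Inc.</org_name><report_id>1586827611.704931</report_id></report_metadata>
<policy_published>
  <domain>our_domain.example</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
</policy_published>
<record>
  <row>
    <source_ip>54.240.8.126</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>our_domain.example</header_from></identifiers>
  <auth_results>
    <dkim><domain>our_domain.example</domain><result>pass</result></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
    <spf><domain>amazonses.com</domain><result>pass</result></spf>
  </auth_results>
</record>
<record>
  <!-- constructed: same mail after the envelope sender (MAIL FROM) is moved to a subdomain -->
  <row>
    <source_ip>54.240.8.200</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row>
  <identifiers><header_from>our_domain.example</header_from></identifiers>
  <auth_results>
    <dkim><domain>our_domain.example</domain><result>pass</result></dkim>
    <spf><domain>bounce.our_domain.example</domain><result>pass</result></spf>
  </auth_results>
</record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC evaluators consult the Public Suffix List (co.uk, etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed)
    requires only the same organizational domain."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    return hf == ad if mode == "s" else org_domain(hf) == org_domain(ad)


def evaluate_record(record, adkim: str, aspf: str) -> dict:
    """Compute the aligned DKIM/SPF verdicts for one <record>, as a receiver would."""
    header_from = record.findtext("identifiers/header_from")
    dkim_aligned = any(
        d.findtext("result") == "pass" and aligned(header_from, d.findtext("domain"), adkim)
        for d in record.findall("auth_results/dkim")
    )
    spf_aligned = any(
        s.findtext("result") == "pass" and aligned(header_from, s.findtext("domain"), aspf)
        for s in record.findall("auth_results/spf")
    )
    return {
        "source_ip": record.findtext("row/source_ip"),
        "header_from": header_from,
        # Raw SPF result: who the envelope sender was and whether its SPF passed.
        "spf_raw": [(s.findtext("domain"), s.findtext("result"))
                    for s in record.findall("auth_results/spf")],
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC passes if at least one aligned mechanism passes.
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
        "reported_spf": record.findtext("row/policy_evaluated/spf"),
    }


def evaluate_report(xml_text: str, adkim: str = None, aspf: str = None) -> list:
    """Evaluate every <record>; alignment modes default to the published policy."""
    root = ET.fromstring(xml_text)
    policy = root.find("policy_published")
    adkim = adkim or (policy.findtext("adkim") if policy is not None else None) or "r"
    aspf = aspf or (policy.findtext("aspf") if policy is not None else None) or "r"
    return [evaluate_record(r, adkim, aspf) for r in root.findall("record")]


if __name__ == "__main__":
    for res in evaluate_report(SAMPLE_REPORT):
        print(f"{res['source_ip']}: raw SPF {res['spf_raw']} -> aligned SPF "
              f"{'pass' if res['spf_aligned'] else 'fail'} (report says {res['reported_spf']}), "
              f"aligned DKIM {'pass' if res['dkim_aligned'] else 'fail'}, DMARC {res['dmarc']}")
```

Run against the first record, the script reproduces the report exactly: raw SPF is a pass for `amazonses.com`, but that domain does not share an organizational domain with the `header_from`, so the aligned SPF verdict is a fail; DKIM is still aligned through the `d=our_company_name.com` signature, so the overall DMARC result is a pass (and with `p=none` nothing would be rejected on DMARC grounds). The second, constructed record shows the effect of a subdomain envelope sender: under the published `aspf=r` it aligns, and passing `aspf="s"` to `evaluate_report` shows the same record failing strict alignment, which is why a subdomain fix depends on keeping relaxed SPF alignment.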