
My domain (e.g. xyz.com) email is hosted on G Suite. I am trying to set up DMARC for my domain. On the first day, I received aggregate reports from multiple mail servers. In these reports, I found my domain being used by some other services (subscription, product rating).

These services send mail to customers with a From header of my domain and a mail-from of the service's domain (e.g. mail.service.com), so I have set up a dedicated domain for these services using SendGrid (CNAME). Also, I have created DKIM for my G Suite domain and created the record in the domain panel.

Now everything is fine, but in the aggregate reports some records fail SPF validation while DKIM passes. Why did DKIM pass but SPF fail?

Here are the sample records:

v=spf1 include:_spf.google.com ~all (main domain)
v=spf1 include:sendgrid.net ~all (email.xyz.com sendgrid)
v=spf1 ip4:149.72.201.23 ip4:149.72.27.244 *(multiple ip4 records)* -all (em1234.xyz.com sendgrid)

Below are the aggregate report's two records:

<record>
  <row>
    <source_ip>104.47.56.175</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>xyz.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>xyz.com</domain>
      <result>pass</result>
      <selector>kl</selector>
    </dkim>
    <spf>
      <domain>xyz.com</domain>
      <result>softfail</result>
    </spf>
  </auth_results>
</record>
<record>
  <row>
    <source_ip>209.85.220.41</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>xyz.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>xyz.com</domain>
      <result>pass</result>
      <selector>kl</selector>
    </dkim>
    <dkim>
      <domain>sendgrid.info</domain>
      <result>pass</result>
      <selector>smtpapi</selector>
    </dkim>
    <spf>
      <domain>gmail.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

2 Answers


You can't have more than one SPF record for a domain; you need to combine them into a single record, which from what you have provided should be:

v=spf1 ip4:149.72.201.23 ip4:149.72.27.244 include:_spf.google.com include:sendgrid.net ~all

Generally you should not use -all if you're using DMARC; it is (or at least was) common for that to short-circuit DMARC processing. You're better off using ~all and then telling DMARC to reject based on that.

Synchro
  • Due to a medical emergency, I did not reply. @Synchro I am using the subdomains for sending mail from SendGrid; that is why I am using three different SPF records. I don't have access to the subdomains' mail records because they are handled by other service providers (subscription, product review services), and these providers use SendGrid as the sending mail server. – Laxman Singh Rajpurohit Jan 11 '21 at 12:57
  • I am thinking that if both SPF and DKIM fail, then the DKIM policy should "reject" mail. Is this a good idea or not? Please suggest. – Laxman Singh Rajpurohit Jan 11 '21 at 13:01
  • Yes, and that's what you set in DMARC with `p=reject`. Be prepared to deal with some fallout though – not all mail servers are DMARC friendly. – Synchro Jan 11 '21 at 14:13
  • It's the DMARC record that sets policy. Always at least start with reporting only, p=none, at least until you're sure all your mail streams are passing either SPF or DKIM and there's domain alignment. Ideally both SPF and DKIM should pass, as it's a bit brittle to have reject set with only DKIM or SPF passing. Some things break one or the other, so it's nice to have both. The OR logic enables you to set it up such that failing both SPF and DKIM is very unlikely. – Neil Anuskiewicz Feb 02 '21 at 03:27
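The combined record from the answer above, produced programmatically, as an added example that is not code from the answer, the question, or any of the providers named on this page. `merge_spf()` combines whatever SPF strings it is given into one record (duplicates dropped, IP literals placed before lookup terms, a single `all` with the requested qualifier, soft fail by default as the answer recommends), and `audit()` flags the two conditions a receiver treats as a permanent error: more than one `v=spf1` TXT record published at the same name, and more than 10 DNS-lookup terms (RFC 7208). The sample records are the three from the question, keyed by the names the question gives for them; the lookup count only covers top-level terms (it does not resolve `include:` targets), which is a simplification.

```python
# Added example: parse, merge and audit SPF records. Sample data is constructed from
# the three records in the question; the lookup count is a top-level approximation.

# Constructed sample: each record keyed by the DNS name the question says it lives at.
RECORDS_BY_NAME = {
    "xyz.com": ["v=spf1 include:_spf.google.com ~all"],
    "email.xyz.com": ["v=spf1 include:sendgrid.net ~all"],
    "em1234.xyz.com": ["v=spf1 ip4:149.72.201.23 ip4:149.72.27.244 -all"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
LOOKUP_LIMIT = 10                                                    # RFC 7208 section 4.6.4
MODIFIERS = {"redirect", "exp"}                                      # written name=value


def parse_spf(record):
    """Split one SPF string into (qualifier, name, value) terms, or None if it is not SPF."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qual = "+"                              # '+' (pass) is the implied qualifier
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:        # modifier, e.g. redirect=example.net
            name, _, value = term.partition("=")
        else:                                   # mechanism, e.g. include:x or ip4:a.b.c.d
            name, _, value = term.partition(":")
        parsed.append((qual, name.lower(), value))
    return parsed


def format_term(qual, name, value):
    """Reassemble a term: modifiers use '=', mechanisms ':', and '+' is left implicit."""
    sep = "=" if name in MODIFIERS else ":"
    return ("" if qual == "+" else qual) + name + (sep + value if value else "")


def count_lookups(terms):
    """Number of top-level terms that trigger DNS queries (a/24 style CIDR suffix ignored)."""
    return sum(1 for _, name, _ in terms if name.split("/")[0] in LOOKUP_TERMS)


def merge_spf(records, all_qualifier="~"):
    """Merge several SPF strings into one record: drop duplicate terms, evaluate the
    lookup-free IP terms first, and end with a single 'all' using the given qualifier."""
    seen, merged = set(), []
    for rec in records:
        terms = parse_spf(rec)
        if terms is None:
            raise ValueError(f"not an SPF record: {rec!r}")
        for qual, name, value in terms:
            if name == "all" or (name, value) in seen:
                continue
            seen.add((name, value))
            merged.append((qual, name, value))
    merged.sort(key=lambda t: t[1].split("/")[0] in LOOKUP_TERMS)  # stable: ip4/ip6 first
    return " ".join(["v=spf1"] + [format_term(*t) for t in merged] + [all_qualifier + "all"])


def audit(name, records):
    """Report the two failure modes that make receivers return permerror for a name:
    more than one v=spf1 record, and more than LOOKUP_LIMIT lookup terms."""
    problems = []
    spf = [r for r in records if parse_spf(r) is not None]
    if len(spf) > 1:
        problems.append(f"{name}: {len(spf)} SPF records published; receivers treat this as permerror")
    lookups = sum(count_lookups(parse_spf(r)) for r in spf)
    if lookups > LOOKUP_LIMIT:
        problems.append(f"{name}: {lookups} DNS lookups exceeds the limit of {LOOKUP_LIMIT}")
    return problems


if __name__ == "__main__":
    for name, recs in RECORDS_BY_NAME.items():
        print(name, "->", audit(name, recs) or "ok")
    everything = [r for recs in RECORDS_BY_NAME.values() for r in recs]
    print("merged:", merge_spf(everything))
```

Run as a script it audits each name separately (none of the three has a problem on its own) and then prints the single merged record; passing `all_qualifier="-"` yields the hard-fail variant instead.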

The OP specified that one of those SPF records was for the org domain and one for the subdomain, so it does not violate any SPF validity rules. Someone above mistook this for two SPF records in the same domain.

No enforcement should be done with SPF and DKIM at all. As the policy layer, DMARC's job is policy. These days, SPF and DKIM do not typically play a policy role. Leave that to DMARC.

The XML above looks like classic forwarding, where the SPF domain went out of alignment but DKIM survived the forward, which is common.

Neil Anuskiewicz
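The two aggregate-report records from the question, re-evaluated the way a DMARC receiver does, as an added example that is not code from the question or either answer. It covers both the question ("why did DKIM pass but SPF fail?") and the forwarding explanation in the answer directly above: a DMARC SPF result is a pass only when SPF passed for a domain aligned with the From header, so record 1 fails because xyz.com returned softfail for the sending IP, and record 2 fails because SPF passed for gmail.com, which is not aligned with xyz.com, while the aligned xyz.com DKIM signature survived. Assumptions: the records are wrapped in a bare `<feedback>` root without the report metadata a real RUA file carries, and `org_domain()` uses a two-label shortcut instead of the Public Suffix List.

```python
# Added example: derive DMARC pass/fail and alignment from the raw auth_results of an
# aggregate (RUA) report. The report below is constructed from the question's records.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
<record><row><source_ip>104.47.56.175</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>xyz.com</header_from></identifiers>
<auth_results><dkim><domain>xyz.com</domain><result>pass</result><selector>kl</selector></dkim>
<spf><domain>xyz.com</domain><result>softfail</result></spf></auth_results></record>
<record><row><source_ip>209.85.220.41</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>xyz.com</header_from></identifiers>
<auth_results><dkim><domain>xyz.com</domain><result>pass</result><selector>kl</selector></dkim>
<dkim><domain>sendgrid.info</domain><result>pass</result><selector>smtpapi</selector></dkim>
<spf><domain>gmail.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. A real evaluator
    consults the Public Suffix List (e.g. 'co.uk'); this assumption fits the sample."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, strict=False):
    """DMARC identifier alignment: strict needs an exact match, relaxed (the default)
    needs the same organizational domain."""
    a, h = auth_domain.strip().lower(), header_from.strip().lower()
    return a == h if strict else org_domain(a) == org_domain(h)


def evaluate_record(rec, strict=False):
    """Re-derive the DMARC outcome of one <record>. DMARC passes when at least one
    DKIM signature passed for an aligned domain, or SPF passed for an aligned domain;
    a raw pass on an unaligned domain (a relay's or forwarder's mail-from) counts for
    nothing, and softfail is not a pass at all."""
    header_from = rec.findtext("identifiers/header_from")
    dkim = [(d.findtext("domain"), d.findtext("result")) for d in rec.findall("auth_results/dkim")]
    spf = [(s.findtext("domain"), s.findtext("result")) for s in rec.findall("auth_results/spf")]
    dkim_aligned = any(r == "pass" and aligned(d, header_from, strict) for d, r in dkim)
    spf_aligned = any(r == "pass" and aligned(d, header_from, strict) for d, r in spf)
    if spf_aligned:
        spf_reason = "spf_aligned_pass"
    elif any(r == "pass" for _, r in spf):
        spf_reason = "spf_pass_unaligned"      # typical forwarding / third-party relay
    else:
        spf_reason = "spf_not_pass"            # sending IP not authorized for the mail-from domain
    return {
        "source_ip": rec.findtext("row/source_ip"),
        "header_from": header_from,
        "spf_domains": spf,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "spf_reason": spf_reason,
        "dmarc_pass": dkim_aligned or spf_aligned,
        # What the reporting receiver concluded, to cross-check the derivation above.
        "reported": (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf")),
    }


def evaluate_report(xml_text, strict=False):
    """Evaluate every <record> in a report body; returns one result dict per record."""
    root = ET.fromstring(xml_text)
    return [evaluate_record(rec, strict) for rec in root.findall("record")]


if __name__ == "__main__":
    for r in evaluate_report(SAMPLE_REPORT):
        verdict = "pass" if r["dmarc_pass"] else "fail"
        print(f"{r['source_ip']}: DMARC {verdict}; DKIM aligned={r['dkim_aligned']}; "
              f"SPF {r['spf_reason']} {r['spf_domains']}; reporter said {r['reported']}")
```

The `spf_reason` field is the part worth reading in real reports: `spf_pass_unaligned` entries are the forwarding and third-party cases that only DKIM can rescue, while `spf_not_pass` entries point at a sending IP the mail-from domain's record does not authorize.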