
I'm confused by a DMARC aggregate report I received recently and I couldn't find anything similar online.

The report says DKIM, SPF passed and they're aligned with the domain in the From: header. But that's not what I see in the report. Specifically, for DKIM:

record.row.identifiers.header_from=mydomain.com

record.row.auth_results.dkim.domain=sendgrid.info

Expected: record.row.policy_evaluated.dkim=fail, because sendgrid.info is neither an exact match nor a subdomain of mydomain.com.

Actual: record.row.policy_evaluated.dkim=pass

Full report for reference (sending domain replaced with mydomain.com for privacy).

```xml
<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster@dmarc.yahoo.com</email>
    <report_id>[redacted]</report_id>
    <date_range>
      <begin>1616112000</begin>
      <end>1616198399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>149.72.167.211</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sendgrid.info</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>em[redacted].mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
```

Max Ivanov
  • I agree that this report looks weird. Assuming that you triggered the email sent by `sendgrid.info`, do other email service providers report `fail`? As far as I know, policy overrides such as `trusted_forwarder` shouldn't affect this element and should be indicated as such. – Kaspar Etter Mar 22 '21 at 10:13
  • @KasparEtter Honestly I'm not sure where `sendgrid.info` comes from. We do use Sendgrid to send transactional emails, but the provider is properly configured/authorized and from what I've seen previously DKIM for Sendgrid emails is signed with `mydomain.com` (as expected). – Max Ivanov Mar 22 '21 at 10:24
  • If you really want to find out what's happening, it would be great if you could get access to the delivered message (by creating an email account at Yahoo Mail and triggering another message to this account). It's not uncommon to have DKIM signatures from several domains. Maybe Yahoo incorrectly includes only one of them in the `auth_results`? Maybe [Authenticated Received Chain (ARC)](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) interferes as well? You could also try your luck and contact `postmaster@dmarc.yahoo.com`. – Kaspar Etter Mar 22 '21 at 10:44
  • @KasparEtter your guess was right! There are 2 DKIM signatures and Yahoo includes only one of them. I've shared the details in the answer. Thanks! – Max Ivanov Mar 23 '21 at 18:49

1 Answer

Thanks to @KasparEtter in the comments for pointing me in the right direction. Indeed, there are 2 DKIM signatures in the outgoing email and Yahoo includes the mismatched one in the DMARC report.

In case anyone (myself maybe?) finds this in the future, here's the relevant debugging information:

Email headers:

```
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.com header.s=s1 header.b=WkAd29;
       dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=f+gPbe;
       spf=pass (google.com: domain of bounces+...@em0000.mydomain.com designates 50.31.63.175 as permitted sender) smtp.mailfrom="bounces+...@em0000.mydomain.com";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com; h=content-type:from:mime-version:reply-to:to:subject; s=s1; bh=NDk3...; b=...
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info; h=content-type:from:mime-version:reply-to:to:subject:x-feedback-id; s=smtpapi; bh=NDk3...; b=f+gPbe...
```

I've sent myself emails to @gmail.com and @yahoo.com mailboxes.

DMARC report from Google:

```xml
  <record>
    <row>
      <source_ip>50.31.63.175</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>s1</selector>
      </dkim>
      <dkim>
        <domain>sendgrid.info</domain>
        <result>pass</result>
        <selector>smtpapi</selector>
      </dkim>
      <spf>
        <domain>em0000.mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
```

DMARC report from Yahoo:

```xml
  <record>
    <row>
      <source_ip>149.72.167.211</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sendgrid.info</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>em0000.mydomain.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
```

As you can see, the report from Google references both DKIM records correctly. The report from Yahoo includes only one (the wrong one).

I've tried contacting Yahoo at postmaster@dmarc.yahoo.com (the address they put in the DMARC reports they send out):

Address not found

Your message wasn't delivered to postmaster@dmarc.yahoo.com 
because the address couldn't be found, or is unable to receive mail.

Yahoo

Update Apr 27 2021

I've reached out to Yahoo to report the problem, and today I got an update that it was fixed on their side. Indeed, the DMARC report now lists all DKIM records correctly.

Max Ivanov
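
A check for the inconsistency described in this thread, as an added example that is not part of the original post: it flags records whose `policy_evaluated` DKIM verdict is not backed by any passing, aligned `<dkim>` entry in `auth_results`. The report XML is constructed, the function names are hypothetical, and `org_domain` is a simplification (last two labels) where a real evaluator uses the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the two <record> elements quoted above.
SAMPLE = """<feedback>
  <policy_published><domain>mydomain.com</domain><adkim>r</adkim></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
      <dkim><domain>sendgrid.info</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.20</source_ip><count>1</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results><dkim><domain>sendgrid.info</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels stand in for the Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(dkim_domain, header_from, mode):
    # Strict ("s") needs an exact match; relaxed ("r") compares organizational domains.
    a, b = dkim_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def inconsistent_dkim_rows(report_xml):
    """Return source IPs of records whose DKIM verdict auth_results does not support."""
    # Reports arrive from untrusted senders: refuse DTDs before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    root = ET.fromstring(report_xml)
    mode = (root.findtext("policy_published/adkim") or "r").strip()
    flagged = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip()
        evaluated = rec.findtext("row/policy_evaluated/dkim", "").strip()
        supported = any(
            d.findtext("result", "").strip() == "pass"
            and aligned(d.findtext("domain", "").strip(), header_from, mode)
            for d in rec.iterfind("auth_results/dkim"))
        if (evaluated == "pass") != supported:
            flagged.append(rec.findtext("row/source_ip", "").strip())
    return flagged
```

A flagged record means the report is internally inconsistent (as with the incomplete `auth_results` here), not necessarily that the message failed DMARC.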