Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error
DMARC alignment errors - DMARC alignment errors
Options
Go to last post Go to first unread
Previous Topic Next Topic
p.schuur@groupeonepoint.com  
#1 Posted : Thursday, June 25, 2020 5:16:07 AM(UTC)
p.schuur@groupeonepoint.com

Rank: Newbie

Groups: Registered
Joined: 6/25/2020(UTC)
Posts: 3
Netherlands

Thanks: 1 times
Hello,

We're evaluating your product prior to purchasing a license. For inbound checks, I see the following issue; the message was sent with different


13:02:29.271 parse email content with 28052 bytes
13:02:29.271 lookup DKIM-Signature header
13:02:29.271 check dkim header
13:02:29.271 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net;
h=subject:from:mime-version:to:content-type:content-transfer-encoding;
s=smtpapi; bh=OP1O3/Zj/wASuvMkjSjlrLKLbrkMP5kJ+kKbipGUTy4=;
b=fqk8Eb2iI3hMXidhyda6AFTm+CUUdVkBn2O5ybOsagqMWx7XHTZsFIJZRcV4PPLwqznU
FXkWtQ9q0OE1qWak85VJc/yfrIc+j82xtK33dJM9BfIwYB3fGoVDJdEEKLDgvmK7CWYl/z
HnWYyVDVmvZXeexMDtYiqTyi+dyzuYk94=
13:02:29.271 check signer
13:02:29.271 check signer d=sendgrid.net; i=
13:02:29.271 sender or from domain is reply.fundrbird.com
13:02:29.271 warnning: sender domain is not equal to signed domain, it will be failed with dmarc validation!


And further:

13:02:29.286 evaluate alignment by v=DMARC1; p=none; pct=100; rua=mailto:re+vmgkputfgtv@dmarc.postmarkapp.com; sp=none; aspf=r;
13:02:29.286 SPF Alignment Result: fail
13:02:29.286 DKIM Alignment Result: fail
13:02:29.286 DMARC Result: fail

All failures and as a result, the message was rejected. But when I lookup the sender's DMARC policy:
$ host -t txt _dmarc.fundrbird.com
_dmarc.fundrbird.com descriptive text "v=DMARC1; p=none; pct=100; rua=mailto:re+vmgkputfgtv@dmarc.postmarkapp.com; sp=none; aspf=r;"

The policy is none, the DMARC should not be enforced. The other mentioned domain:

$ host -t txt _dmarc.sendgrid.net
_dmarc.sendgrid.net descriptive text "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc_agg@dmarc.250ok.net; ruf=mailto:dmarc_fr@dmarc.250ok.net; fo=1; pct=100; rf=afrf"

That policy is to reject.

Question: is this behaviour correct, or is the check too strong? What would you suggest the way solve this issue? I already asked the original sender to analyse their alignment because my first conclusion is that the signature is incorrect, but the message "warnning: sender domain is not equal to signed domain, it will be failed with dmarc validation!" makes me rethink the situation.

Thanks alot for you help!

Please find original headers here: https://mxtoolbox.com/Pu...d-4813-a54d-002455921150
Back to top

Wanna join the discussion?! Login to your EmailArchitect Support forum accountor Register a new forum account.
Back to top  
ivan  
#2 Posted : Thursday, June 25, 2020 4:19:01 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
Your DKIM signature is ok.

let me explain what is alignment policy in DMARC.

Quote:

3.1.1. DKIM-Authenticated Identifiers

DMARC permits Identifier Alignment, based on the result of a DKIM
authentication, to be strict or relaxed. (Note that these are not
related to DKIM's "simple" and "relaxed" canonicalization modes.)


In relaxed mode, the Organizational Domains of both the [DKIM]-
authenticated signing domain (taken from the value of the "d=" tag in
the signature) and that of the RFC5322.From domain must be equal if
the identifiers are to be considered aligned. In strict mode, only
an exact match between both of the Fully Qualified Domain Names
(FQDNs) is considered to produce Identifier Alignment.

To illustrate, in relaxed mode, if a validated DKIM signature
successfully verifies with a "d=" domain of "example.com", and the
RFC5322.From address is "alerts@news.example.com", the DKIM "d="
domain and the RFC5322.From domain are considered to be "in
alignment". In strict mode, this test would fail, since the "d="
domain does not exactly match the FQDN of the address.

However, a DKIM signature bearing a value of "d=com" would never
allow an "in alignment" result, as "com" should appear on all public
suffix lists (see Appendix A.6.1) and therefore cannot be an
Organizational Domain.

Identifier Alignment is required because a message can bear a valid
signature from any domain, including domains used by a mailing list
or even a bad actor. Therefore, merely bearing a valid signature is
not enough to infer authenticity of the Author Domain.


If you want to pass the alignment check, you should sign the email with reply.fundrbird.com instead of sendgrid.net

in DKIM inbound dmarc rejection policy.
Code:

<add key="fail" value="550 5.7.1 your message from [%header_from%] is against our DMARC policy (fail)" />
      <add key="failAndPolicyIsReject" value="550 5.7.1 your message from [%header_from%] is against your DMARC policy (fail and p=reject)" />
      <add key="failAndPolicyIsQuarantine" value="550 5.7.1 your message from [%header_from%] is against your DMARC policy (fail and p=quarantine)" />
<add key="none" value="550 5.7.1 your message from [%header_from%] is against our DMARC policy (none)" />
      <add key="temperror" value="451 4.4.3 your message from [%header_from%] encountered a temporal error with DMARC verification (temperror)" />
      <add key="permerror" value="550 5.7.1 your message from [%header_from%] encountered a permanent error with DMARC verification (permerror)" />


If you enable "fail" option, if the email dmarc cannot pass the DMARC check, the email will be rejected regardless of policy set in DMARC record.

If you enable "failAndPolicyIsReject":

dmarc is fail, and policy is p=reject in DMARC record

then the email is rejected.

If you enable "failAndPolicyIsQuarantine":

dmarc is fail, and policy is p=quarantine in DMARC record

then the email is rejected.
Back to top
thanks 1 user thanked ivan for this useful post.
p.schuur@groupeonepoint.com on 6/26/2020(UTC)
p.schuur@groupeonepoint.com  
#3 Posted : Friday, June 26, 2020 1:11:30 AM(UTC)
p.schuur@groupeonepoint.com

Rank: Newbie

Groups: Registered
Joined: 6/25/2020(UTC)
Posts: 3
Netherlands

Thanks: 1 times
Hi Ivan,

Thanks for your quick response, it really helps.

Question: will this also solve the issue regarding this message?

warnning: sender domain is not equal to signed domain, it will be failed with dmarc validation!

(please note the typo in the first word)
Back to top
ivan  
#4 Posted : Friday, June 26, 2020 5:08:01 PM(UTC)
ivan

Rank: Administration

Groups: Administrators
Joined: 11/11/2010(UTC)
Posts: 1,153

Thanks: 9 times
Was thanked: 55 time(s) in 55 post(s)
Yes.
Back to top
Users browsing this topic
Guest
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Powered by YAF.NET | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.116 seconds.

EXPLORE TUTORIALS

Send Email

Read and Parse Email

DKIM Solution

© All Rights Reserved, AIFEI Software Limited & AdminSystem Software Limited.