Solved

DMARC Fail when SPF & DKIM Pass

Posted on 2016-08-31
7
79 Views
Last Modified: 2016-09-06
We have recently switched our DMARC policy from "none" to "quarantine".  We utilize MailChimp and have followed their instructions to add their server information to our SPF and DKIM records.  When we send out our test campaign, both SPF and DKIM pass but DMARC is failing.  As I understand it, this is because SPF and DKIM are passing based on the "mandrillapp.com" domain, but this doesn't match the domain in the From field (ourdomain.com).  Redacted message header from a test mailer is at the bottom.

Firstly, am I understanding the issue correctly?  Secondly, does somebody have a recommendation on what adjustment I can make so that these messages are not flagged?

It appears from this article (http://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail) that I can take steps to obscure the from email address so that it is not suggesting that the message originates from myaddress@ourdomain.com.  Ideally, however we would prefer this to remain so that recipients can click reply directly.

Thanks in advance!

Header:
Received: from mail187-199.suw11.mandrillapp.com (mail187-199.suw11.mandrillapp.com [198.2.187.199])
	by dmarctest.org (8.14.9/8.14.9/dmarctest.org.mc-1.2) with ESMTP id u7VEDZkZ002452
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 07:13:38 -0700 (PDT)
	(envelope-from bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com)
DMARC-Filter: OpenDMARC Filter v1.3.0 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org/u7VEDZkZ002452; dmarc=fail header.from=ourdomain.com
Authentication-Results: dmarctest.org; spf=pass smtp.mailfrom=bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com
DKIM-Filter: OpenDKIM Filter v2.9.2 dmarctest.org u7VEDZkZ002452
Authentication-Results: dmarctest.org; dkim=pass reason="1024-bit key"
	header.d=mail187-199.suw11.mandrillapp.com header.i=myaddress@mail187-199.suw11.mandrillapp.com
	header.b=ZScFeS87; dkim-adsp=none; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail187-199.suw11.mandrillapp.com;
 h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type; i=myaddress@mail187-199.suw11.mandrillapp.com;
 bh=xxxxx=;
 b=xxxxx=
Received: from pmta01.mandrill.prod.suw01.rsglab.com (127.0.0.1) by mail187-199.suw11.mandrillapp.com id horj14174i4g for <autoreply@dmarctest.org>; Wed, 31 Aug 2016 14:13:34 +0000 (envelope-from <bounce-md_9656357.57c6e60d.v1-xxxxx@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com; 
 i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1472652813; h=From : 
 Sender : Subject : To : Message-Id : Date : MIME-Version : Content-Type 
 : From : Subject : Date : X-Mandrill-User : List-Unsubscribe; 
 bh=xxxxx=; 
 b=xxxxx=
From: <myaddress@ourdomain.com>
Sender: <myaddress@mail187-199.suw11.mandrillapp.com>
Subject: MailChimp Template Test - "Mailer Subject"
X-Accounttype: ff
X-Auto-Response-Suppress: OOF, AutoReply
Auto-Submitted: auto-generated
To: <autoreply@dmarctest.org>
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: http://mandrillapp.com/contact/abuse?id=9656357.xxxxx
X-Mandrill-User: md_9656357
Message-ID: <9656357.20160831141333.57c6e60de94781.11430196@mail187-199.suw11.mandrillapp.com>
Date: Wed, 31 Aug 2016 14:13:33 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-Ps-Vnv22FE1bQqTaBly1nw"

Open in new window

0
Comment
Question by:pcamis
  • 3
  • 3
7 Comments
 
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 41779246
You understood the issue correctly, see also MailChimp explanation
For example, let’s say you send a MailChimp campaign with a From email address like firstname.lastname@yahoo.com. The campaign appears to be sent from a yahoo.com domain, but it’s actually sent from MailChimp’s servers. Yahoo’s strict DMARC policy doesn’t like this. Their DMARC policy tells your subscribers’ receiving servers to automatically reject anything that looks like it comes from yahoo.com, but comes from somewhere else instead.  

To improve deliverability, we encourage you to use a From email address at a domain owned by you or your organization, like firstname.lastname@mycompany.com. Not only will this help avoid delivery issues, it can help your subscribers recognize your brand.
http://kb.mailchimp.com/accounts/email-authentication/about-dmarc

For your case, you likely need to add a Mandrill DKIM record for your domain. The SPF and DKIM pass, but it is based on messages being authenticated for mandrillapp.com, not your domain (most cases, the Return-Path domain is being used for message authentication though not seen in the log).

In order to authenticate as your domain, and in turn pass the DMARC alignment check, you need both SPF and DKIM for the "from" domain. Here's information about the DKIM record to add: http://help.mandrill.com/entries/22030056-How-do-I-add-DNS-records-for-my-sending-domains-

Once you do that, the Mandrill account owner (in your case MailChimps), will need/want to validate those records in Mandrill, so that Mandrill knows both are valid and can start signing messages for your domain (this can be done within the account or via the Mandrill API).
1
 
LVL 62

Expert Comment

by:btan
ID: 41779257
Otherwise if the Adding of your "from" as per last shared into the SPF and DKIM is not possible, you may have to consider those which can like Yahoo and AOL, though it is not representative to your original "From" domain
For best results, we recommend you switch to a domain you own. However, if you use Yahoo or AOL Mail and can’t register your own domain, we can help you avoid delivery problems. We’ll automatically add send.mailchimpapp.com or mail.mailchimpapp.com to your Yahoo or AOL address to help ensure delivery. This process is currently only available for Yahoo and AOL addresses.
0
 

Accepted Solution

by:
pcamis earned 0 total points
ID: 41779686
Thank you very much for the response, btan - I really appreciate the confirmation.  We have already gone through MailChimp's steps for authenticating our domain (adding their information to our SPF and DKIM DNS records) which is why I thought it so odd that DMARC was still failing.

With your confirmation that I was taking the right steps, I started thinking it through further and decided to send a full campaign to a few test email addresses (as opposed to sending a test email from the template designer).  Sure enough, when sending a campaign, MailChimp does indeed authenticate ourdomain.com for SPF and DKIM and therefore DMARC passes as well.

So in the end, the issue is only with sending test emails during the template design stage.  I may troubleshoot this in the future, but for now I'm more than content knowing that our actual campaigns will go out successfully.  Thanks again!
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 62

Expert Comment

by:btan
ID: 41779714
Great to hear that. Thanks for sharing.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 41784649
You still have to publish a DMARC policy for that domain, which you're not right now
https://dmarcian.com/dmarc-inspector/mandrillapp.com
-rich
0
 

Author Closing Comment

by:pcamis
ID: 41785800
Solved issue with further testing
0
 

Author Comment

by:pcamis
ID: 41786104
Sorry for any confusion, Rich - I was using ourdomain.com as a placeholder.  We do have a published DMARC policy for our actual domain.  Thanks for checking!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now