Tuesday, September 29, 2015

email server - DMARC report: SPF fails with mx-domain as spf-domain in auth_result



I have set up a mail server with several postoffices/domains. DKIM, SPF and DMARC are set up for every domain. For the mailserver domain, which is a postoffice as well, I get weird DMARC reports, where the SPF auth result lists the MX domain and the result is none. All other domains pass DKIM and SPF with the same DNS records.




DNS records for all domains are set up as follows:




  • @ 10800 IN MX 10 mail.msdomain.net.

  • @ 3600 IN TXT "v=spf1 mx -all"

  • domain/msdomain._domainkey 3600 IN TXT "v=DKIM1; p=***; v=DMARC1; p=none; rua=mailto:abuse@domain.net; ruf=mailto:abuse@domain.net"



And here's the weird DMARC report:






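<record>
  <row>
    <source_ip>my.dedicated.ms.ip</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>msdomain.net</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>msdomain.net</domain>
      <result>pass</result>
      <selector>msdomain</selector>
    </dkim>
    <spf>
      <domain>mail.msdomain.net</domain>
      <result>none</result>
    </spf>
  </auth_results>
</record>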





I just don't get it. Why is DMARC evaluating my MX domain for SPF? Mails are coming from info@msdomain.net and not from info@mail.msdomain.net.



Can someone help?



Answer



Adding the "a"-mechanism to the SPF record seems to have resolved the issue for e-mail addresses with the same domain as the mail server.



The new SPF record looks like this now:




  • @ 3600 IN TXT "v=spf1 a mx -all"



The domain is now listed properly in DMARC's auth_results:






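<auth_results>
  <dkim>
    <domain>msdomain.net</domain>
    <result>pass</result>
    <selector>msdomain</selector>
  </dkim>
  <spf>
    <domain>msdomain.net</domain>
    <result>pass</result>
  </spf>
</auth_results>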





However, for all other domains on the same mail server I left the SPF record the way it was, since SPF always passed in DMARC reports for those domains.




  • @ 3600 IN TXT "v=spf1 mx -all"




I'm not really able to provide a conclusive explanation for this. Maybe someone else can clear things up.
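
One way to read such a record programmatically, added here as an example and not part of the original question or answer: it parses a constructed aggregate-report record using the values quoted in the question and reports which domain the receiver evaluated for SPF and why the DMARC SPF verdict came out as it did. The function names, the documentation-range source IP and the two-label organizational-domain shortcut are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample record built from the values quoted in the question;
# the source IP is a documentation-range placeholder.
SAMPLE = """<feedback><record>
  <row><source_ip>192.0.2.10</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>msdomain.net</header_from></identifiers>
  <auth_results>
    <dkim><domain>msdomain.net</domain><result>pass</result>
      <selector>msdomain</selector></dkim>
    <spf><domain>mail.msdomain.net</domain><result>none</result></spf>
  </auth_results>
</record></feedback>"""

def org_domain(name):
    # Assumption: the organizational domain is the last two labels.
    # Production code should consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def explain_spf(xml_text):
    """Return one finding per <spf> auth result in an aggregate report."""
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        verdict = rec.findtext("row/policy_evaluated/spf", "")
        for spf in rec.iterfind("auth_results/spf"):
            domain = spf.findtext("domain", "")
            result = spf.findtext("result", "")
            if result != "pass":
                reason = f"SPF result for {domain} is '{result}', not 'pass'"
            elif not aligned(domain, header_from):
                reason = f"{domain} is not aligned with {header_from}"
            else:
                reason = "SPF passed for an aligned domain"
            findings.append({
                "header_from": header_from, "spf_domain": domain,
                "spf_result": result, "dmarc_spf": verdict,
                "differs_from_header_from": domain.lower() != header_from.lower(),
                "reason": reason})
    return findings

if __name__ == "__main__":
    for f in explain_spf(SAMPLE):
        print(f)
```

In the sample, the SPF-evaluated domain mail.msdomain.net would align with msdomain.net in relaxed mode, but a result of none cannot count as an SPF pass for DMARC.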

