I have a general problem with DMARC alignment. It’s easy enough to get SPF and DKIM to pass, and to create a DMARC record, but for DMARC to pass you also need aligned from and sender addresses which are not controlled from DNS. It’s not really about strict vs relaxed, though I think relaxed is plenty hard enough, it’s more about how to get the envelope sender address to match the from header. This means that as well as a
_dmarc record, you also need a CNAME to point a return-path hostname at. This is what services like postmark do, for example. Once you’ve done that, you then need to use a per-domain envelope sender - how do you do that in MiaB? Or is there some automatic mechanism to spot inbound CNAMEs and use different envelope senders automatically?
To be clear, say I have miab set up on example.com.
I can create SPF, DKIM, and DMARC records for example.com addresses, and everything will align, possibly including rDNS for bonus points. Outbound mail uses an example.com envelope sender.
Now I need to do the same for example.net
I create SPF, DKIM, and DMARC records the same way, but DMARC will fail because the example.net From address is not aligned with the example.com envelope sender. rDNS will also fail, because reverse lookups can only ever point to one place.
How should we resolve that?
The best way to resolve this is to post your actual domains. Note that your domains are already public information, so there isn’t some huge security risk in posting them.
Short of that, please post your actual DNS records as reported by some third-party reporting tool, such as https://dmarcian.com/dmarc-inspector/
Note that DMARC only informs other servers of your policies, and has nothing to do with the servers themselves (i.e., should they expect an SPF test or DKIM test to validate and what to do if they don’t).
OK, I was coming at this from a slightly unusual angle, where the return path is not the same as the from address - which is what miab does. This mainly happens in situations where you have things like centralised bounce handling for multiple domains (as that postmark example shows), or when you’re sending on behalf of domains from servers that are not MXs for the domain (e.g. as an external mailing list handler).
This isn’t something I have set up (yet) - it’s a generic problem that applies to all multi-domain setups. It’s nothing to do with the DMARC DNS records themselves (and because of that it won’t show up in tools like Dmarcian’s tester, though it would show in their reports DB) - your records can be entirely correct, but you can still get validation failures if your mail server is not configured to match. Its about how the mail server creates messages so that they agree with what is in DNS so that they align and can be handled correctly by receivers.
Say you have a DMARC record for example.net that says aspf=r, a CNAME set up at mail.example.net pointing at example.com, and you send a message via miab on example.com using an example.net from address; it will fail DMARC validation at the receiver because miab doesn’t know that it should use mail.example.net in the envelope sender of the outbound message.
=> DMARC pass
=> DMARC fail, not aligned
=> DMARC pass (in relaxed mode)
The question is how to get miab to do that? This may be a bit of an academic exercise after all…
Would it work to add
include:example.com to your example.net SPF record?
Or have a DMARC record that permits either SPF or DKIM to pass?
I’m not entirely sure what controls can be applied - the thing is that these kind of failures are not covered by either SPF (checks source IP addresses) or DKIM (ensures message integrity) - this alignment concern seems to be purely DMARC as neither of the others are concerned with hostname matching, though it can be affected by the aspf property, which doesn’t seem to have much to do with SPF!
It’s quite confusing, but a real issue - I have problems with exactly this alignment problem on a non-miab setup (which does use centralised bounce handling) - I get full DKIM and SPF passes but DMARC alignment failures. That said, I doubt it’s much of a miab problem really.
include:example.com mechanism means the SPF record for example.com will be included when evaluating the SPF record for example.net.
DMARC is only a tool to inform receiving servers of the domain owner’s policy on managing email with regards to SPF and DKIM, so I’m not really sure how something can be DMARC related without being related to SPF and DKIM.
The best way for me to evaluate this would be to see actual DMARC records. These discussions can go on for ages with no resolution otherwise.
It’s very simple:
Does SPF require that envelope sender and from address match? No, it only looks at IP addresses, so including SPF external records will only add more IPs, not domain names.
Does DKIM require it? No; a from address is usually included in the signature, but it is not affected by envelope sender.
Does DMARC require it? Yes.
So it’s possible for both SPF and DKIM to pass while DMARC fails.
@Synchro - You’re overthinking things a little. Normally any email client will use the email in the From: address to form the Envelope Sender: address when it sends it’s MAIL FROM: command.
MIAB is no exception to this - So When DMARC checks the Envelope Sender and From: address are aligned. (I have a multi domain setup)
Likewise When MIAB signs a mail with DKIM the d= section is again the domain used in the From: address
I understand what’s going on - it’s just that my other mail server has an HTTP API that allows me to control return path generation, so that I can do both centralised bounce handling and aliased return path domains allowing DMARC alignment when the server is not an MX (and from != envelope). At the beginning of this question I was wondering how I would do that on MIAB - the answer is that it’s not possible, but it doesn’t matter because MIAB is not intended for that scenario and works well enough as it is.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.