emailspfdkimmail-senderdmarc

SPF + DKIM pass and DMARC fails


The domain s****g.nl has the following DMARC record:

"v=DMARC1; p=reject; rua=mailto:postmaster@s****g.nl, mailto:dmarc@s****g.nl"

A valid SPF record for the sending mail server and none DKIM record.

The domain fo***de.com has a valid SPF and DKIM record.


Example 1

Result:


Example 2

Result:


So when I send the email using a sender (on behalf of) the DMARC fails and the mail is not delivered.

Is there a explanation for this and maybe a solution to send emails on behalf of a domain which contains a DMARC reject policy and have a valid SPF for the sending mailserver?

Edit:

[Screenshot results...][1]


Solution

  • I have a feeling, it's failing on your ADKIM and ASPF Tests of DMARC. If SPF and DKIM passes, then it must be failing on both alignment tests.

    Read this to understand more about Identifier Alignments

    I seen several cases where there DKIM Validator is coded wrong and it will fail DMARC when it fails 1 alignment test, but both must fail according to the RFC Standards.

    The only alignment tester I know about is this email tester, if you post the full headers of the sent emails. It'll be much easier to understand what might be wrong. You're only sharing part of the information and it's impossible to make a 100% accurate assessment. But I'm 80% confident the issue is with the alignment.

    Based on the image you linked of your headers, I added an "a" to the beginning and "1" to the end so bots don't spam you.

    Return-Path = response@afo***de1.com
    DKIM Signature = d=afo***de1.com
    From = info@as**g1.nl 
    

    So for ADKIM alignment to Pass the "from" domain must match the "d=" domain of the dkim signature

    info@as**g1.nl <> afo***de1.com
    

    For the ASPF Alignment to pass the "return-path" domain must match the "from" domain

    afo***de1.com <> as**g1.nl 
    

    One of those need to match in order for DMARC to pass.