29 Sep 2018, 01:50 PM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
SPF, DKIM, and DMARC details

I'm very sorry, but my reply is very long. I wanted to give you some background so you can examine the headers and understand what might be causing your missing messages (or messages in the spam folder). Email senders using some behaviors which worked in past years will find their messages classified as likely spam due to the wide acceptance of the DMARC (and future ARC) standards.

The tag "Email failed DMARC policy for domain" was caused by the following:
  • The owner of the From domain has published (in their DNS records) a DMARC policy. This policy suggests to email systems who receive messages sent with a From address in their domain a policy. The policy results (when received at Fastmail) might be:
    • NONE (no DMARC policy - no action is taken)
    • NEUTRAL (to be interpreted like NONE - no action is taken)
    • SOFTFAIL (typically the message is accepted but tagged as failed)
    • FAIL (the message should be rejected -- not necessarily actually discarded by Fastmail, but the From domain is requesting this action)
  • The owner of the From domain has probably published (in their DNS records) an SPF policy. This lists the IP addresses of servers which are allowed to send email for this domain.
  • The sending server which was used to send that message has probably added a DKIM-Signature header which contains an encrypted signature. If the message is not corrupted (accidentally or by a spoofer) during transmission, the DKIM signature should agree with the message contents after a cryptographic test.
  • The Fastmail DMARC test of the message will pass if either the DKIM or SPF test passes. If DMARC fails then both the DKIM and the SPF tests failed.
  • The DMARC test requires proper domain name alignment.
To troubleshoot the message you describe, try the following:
  1. Examine the full headers of that message (as received at Fastmail).
  2. Look at the first few lines of the Authentication-Results header (not any similarly named headers).
  3. The test results you need to check in that header are:
    • dmarc=fail (followed by details about the published domain and subdomain DMARC policy and the header.from domain checked)
    • dkim= (might be pass or fail). Look for header.d (signing domain which has published the encryption key in their DNS records).
    • spf= (might be softfail or fail)
  4. Since the DMARC policy failed, both the DKIM and the SPF test failed. The reason for this failure might be:
    • SPF failure: The sender might have used a From address for a domain which does not support (via SPF) sending from the SMTP sending server they used. For example, using a Gmail From address but sending from a Yahoo server.
    • SPF failure: The message might have been forwarded. Forwarding breaks the SPF test.
    • DKIM failure: The sending server might not have properly signed the message.
    • DKIM failure: The message might have been corrupted during transmission, which can cause the DKIM test to fail. The DKIM test ensures that the message content you receive is what the sender actually sent.
    • Alignment failure: DMARC only passes if either DKIM or SPF passes and the addresses are aligned (see the link I gave earlier to learn about alignment). So if DKIM passes but the domain used for the encryption isn't aligned with the From domain, DMARC will fail due to alignment failure.
DMARC failure is leading to the X-Spam-known-sender: no header (which indicates that address book whitelisting was not used). The reason for the 0.0 spam score is that the spam score is always zero or a positive number. If the spam score adds up to a negative value, the X-Spam-score result will be 0.0.

My guess is that the sender sent the message from an email client and forced the From address to be different from any domain associated with the sending server. This can lead to both SPF and alignment failure, leading to DMARC test failure. Such innocent spoofing of the From address worked for many years in most email systems, but it doesn't work reliably now because of the wide acceptance of DMARC tests. Gmail, Yahoo, and other big email domains are pushing for acceptance of DMARC so that their customers can trust email sent and received by their customers.

A newer email security system (ARC) is still under development and that's why you see those ARC received headers for information only at this time in Fastmail. ARC is an improved version of DMARC. See:
https://dmarc.org/2018/09/working-gr...specification/

Bill
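The header check described in the post above can be scripted. The following is an added example, not part of the original post: it parses an Authentication-Results value and reports, for each DKIM and SPF result, whether it passed and whether its domain aligns with header.from. Assumptions: the sample header is constructed, `smtp.mailfrom` is the RFC 8601 property name for the SPF identity, and the organizational domain is approximated by the last two labels instead of the Public Suffix List.

```python
import re

# Constructed sample header value (not from a real message); folded as in raw headers.
SAMPLE = """mx.example.net;
    dkim=pass (2048-bit rsa key) header.d=mailer.example.org header.b=AbCdEfGh;
    dmarc=fail policy.published-domain-policy=reject header.from=example.com;
    spf=softfail smtp.mailfrom=bounce@mailer.example.org smtp.helo=out.example.org"""

def parse_auth_results(value):
    """Return {method: [(result, {property: value}), ...]} for one header value."""
    text = re.sub(r"\s+", " ", value)          # unfold continuation lines
    text = re.sub(r"\([^)]*\)", "", text)      # drop (comments), which may hold ';'
    parsed = {}
    for clause in text.split(";")[1:]:         # element 0 is the authserv-id
        m = re.match(r"\s*([\w-]+)=(\w+)(.*)", clause)
        if m:
            props = dict(re.findall(r"([\w.-]+)=(\S+)", m.group(3)))
            parsed.setdefault(m.group(1).lower(), []).append((m.group(2).lower(), props))
    return parsed

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # A real check needs the Public Suffix List (think example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def explain_dmarc(value):
    """Return (dmarc_result, from_domain, [(method, result, domain, aligned)])."""
    parsed = parse_auth_results(value)
    dmarc_result, dmarc_props = parsed.get("dmarc", [("none", {})])[0]
    from_domain = dmarc_props.get("header.from", "")
    checks = []
    for method, prop in (("dkim", "header.d"), ("spf", "smtp.mailfrom")):
        for result, props in parsed.get(method, []):
            domain = props.get(prop, "").rpartition("@")[2]   # strip local part if any
            aligned = bool(domain) and org_domain(domain) == org_domain(from_domain)
            checks.append((method, result, domain, aligned))
    return dmarc_result, from_domain, checks

if __name__ == "__main__":
    result, from_domain, checks = explain_dmarc(SAMPLE)
    print(f"dmarc={result} for From domain {from_domain}")
    for method, res, domain, aligned in checks:
        usable = res == "pass" and aligned
        print(f"  {method}={res} domain={domain} aligned={aligned} counts_for_dmarc={usable}")
```

In the sample, DKIM verifies but is signed by a domain that does not align with the From domain, and SPF does not pass, so neither result can satisfy DMARC.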