FM DMARC Test Results for Gmail Alias
 

Background and Setup:
Google Apps email is used with my own domain set, eg as "gardenweed.com".
SPF, DKIM, DMARC are all setup for this domain. Tests show they work correctly.
DMARC policy is set as quarantine.
In addition, the email address "joe@gardenweed.com.au" is setup in the Google Apps email account as a verified alias.

FM account is used.
DNS for my domain is hosted at FM, eg gardenweed.com.au
SPF, DKIM, DMARC are all setup for this domain. Tests show they work correctly.
DMARC policy is set as quarantine.

Action:
An email is written in Google Apps using the account gardenweed.com.
The email "from" is selected to be the be the alias "joe@gardenweed.com.au"
The email is sent to addresses at FM, Hotmail, Yahoo, Gmail.
Yahoo, Gmail and Hotmail act on the DMARC policy. If DMARC authentication fails, the email should go to spam.
FM carries out the DMARC authentication test, but takes no action at this stage.

Results:
In the above case I get the following results:
• Yahoo passes DMARC and delivers email to inbox.
• Hotmail passes DMARC and delivers email to inbox. The From headers are not aligned but Hotmail says the requirement is relaxed.
• Gmail fails DMARC because the From headers are not aligned and Gmail filters the email to spam (gardenweed.com <> gardenweed.com.au )
• FM fails DMARC. It goes to inbox - this is understood. FM does not currently act on DMARC policy.

Questions
My questions are :
1) Why do Yahoo and Hotmail appear to accept the alias and pass DMARC authentication, whereas Gmail and FM say that the DMARC authentication has failed?

2) Does it make any sense that a verified alias in Gmail should pass a DMARC test?

Either the SPF or DKIM Alignment must pass, even if the SPF is unaligned, your DKIM should be aligned and that would cause DMARC to pass.

Take a look at: Identifier Alignments

Thanks - I'll take a look at this.

Today I have incoming mail from a mailing list failing DMARC and tripping "ME_DMARC_QUARANTINE" which gives it a spam-score of 8 (is that rule new?)

It's failing because the list is breaking the dkim signature for these particular messages because they're being sent as html (gah, some people!) and the list is converting them to plain text before relaying them (I know this because they have an X-Converted-To-Plain-Text header). SPF passes but that's for the list's Return-Path and smtp.helo domain, not the domain in the From header, which means it doesn't count (I think? DMARC is hard).

What can/should I do about this? Just keep marking them as Not Spam until my bayes learn and subtract enough from the score?

(semi-hijacking this thread because there's already a few DMARC threads and I don't want to start another!)

FastMail seems to have enabled several DMARC related features within the past few days. I just sent a message to Fastmail staff about an issue I have with disabling whitelisting and treatment of DMARC when a policy is not published. I think there are still some bugs, and I will point the Fastmail staff to your post so they can comment.

It seems to me that mailing lists (as currently popularly implemented) can cause both SPF and DKIM to fail, which means that sending messages from a domain which has a DMARC policy through such a mailing list server will cause the forwarded messages to be blocked when received at an email system which follows DMARC policy. Email lists might become obsolete unless they can be improved. SPF probably will continue to fail, but you would think that DKIM could be made to work properly if forwarding didn't rewrite the message body.

Bill

Do you know what it is that they have turned on?
I just rec'd an email that had these headers:

X-Spam-Score: 0.0
X-Spam-known-sender: no, "Email failed DMARC policy for domain"

It was to a subscribed list.
The From address is Whitelisted (ie in my Address Book).
The X-Spam-known-sender says "no", which appears to be incorrect.
It ended up in my Inbox correctly, even though DMARC failed.

Yep, I have whitelisted contacts failing DMARC and receiving a spam score. Here is the raw message: "Email failed DMARC policy for domain". This is a work domain which has given us no problem up to now.

DMARC failure will cause whitelisting to be ignored. This is on purpose, since the spammer may be spoofing a From address. There were two recent problems in the past week or so which Fastmail staff discovered after being informed of some spam filing problems:

• Address book whitelisting was disabled for some messages, even though they passed the DMARC test. This failure was erratic, and I believe it was fixed a few days ago.
• Some messages from domains which are not publishing any DMARC records were classified as failing DMARC authentication. I think this will be fixed within the next day or two.

So wait another day or two and see if you see see DMARC failures. Some forwarding services may break DMARC if they corrupt the DKIM signature or message contents, and they will probably break SPF. Either DKIM or SPF must pass for DMARC to pass.

Bill

Most messages to this particular list are getting through fine and passing DMARC (including my own sent from fastmail). It's just messages that the list server needs to mess which ends up breaking dkim. For example if it converts an html message to text/plain, or strips an attachment.

Although, some lists add footers to the bottom of every message (this particular list doesn't), I don't know how they will get around that.

Something else I'm seeing is that fastmail seems to default to p=reject if the domain in From: doesn't exist. This happens when people posting to mailing lists have their From address as something like user@REMOVETHISexample.com or user@example.net.REMOVE.au

That's a bug I reported which they are fixing. If the domain has no DMARC published record things haven't been working correctly for a few days.

Bill

Ignoring DMARC failure
 

I've given up on DMARC. It's completely useless as too many domains have incorrect policies, even ones who should know better**. After three weeks the false positive rate for messages that have failed DMARC is close to 100%. Granted, this isn't really fastmail's fault as they are only doing what they're told to by the domains' DMARC policies.

So I've modified my sieve rules to ignore DMARC failures. The best way I could think to do this, was in the first sieve rules box (above the auto-generated spam rules) put:

Fastmail's pre-filled spam rules are below that.

In the second box, after the spam rules, I put:

This wraps fastmail's spam rules so they only get run if no DMARC rule was triggered. If a DMARC rule was triggered, and the policy was quarantine, it checks the message for a spam-score of 13, so the message needs a natural spam score of 5 in addition to the 8 added by the ME_DMARC_QUARANTINE rule. And if the rule is reject, same thing, except the threshold is 20 as the message needs a natural spam score of 5 in addition to the 15 added by ME_DMARC_REJECT.



**Case in point: Google was one of the co-conspirators who forced this upon the world, and yet the google.com domain has a p=reject policy, even though their employees use their @google.com address to post to mailing lists that break DKIM. John Levine of the IETF, and a contributor to RFC 7489, says "Reject policy is fine [...] for companies with firm staff policies that [...] employees don't join mailing lists and the like using company addresses".

If they can't get this right, who will?

Reviving this old post.
Could it be that fastmail has changed the text in the headers?
I disabled DMARC handling with the same sieve rules like in the post above
However, since some time Ilots of mails gets misfilled in my Junk mail folder because of DMARC policy failures.

Looking at the raw messages, it looks like "ME_DMARC_QUARANTINE" in X-Spam-Hits has been relabeled to "ME_QUARANTINE" (probably same for _REJECT)

Can anybody confirm?