SPF, DKIM and DMARC configured, yet other mail servers can send mails.
Posted by Ok-Card-7219@reddit | sysadmin | 11 comments
Around a month ago, we changed mail servers from Ionos to a local company where they run their own mail server, we manage everything through a cPanel. We use this mail server for personal accounts, while we use Exchange Online for business shared accounts, such as sales.
I configured SPF to allow both our mailserver and Microsoft servers, like this:
v=spf1 a mx ip4:OurMailServerIP include:spf.protection.outlook.com -all
Also added the DKIM registers for our mailserver and exchange online, no extra server other than this.
Selector1/2 domainkeys for Exchange Online
For DMARC, it's configured on quarantine and sending reports to DMARCeye.
My question is: If I configured only so a specific IP and Microsoft mail servers are verified mail servers, why do mail servers like ovh.net, eurodns.com, orange.fr, google.com and 10+ send mails that pass DKIM/DMARC, even though they fail SPF?
Thank you in advance.
GamerLymx@reddit
If they pass DKIM, you need new keys, and maybe new selectors.
dhardyuk@reddit
Nope.
If they create new emails that pass DKIM you need new keys because your keys have been compromised.
If they are forwarding email that passes DKIM, that is by design and nothing is wrong.
It’s good practice to rotate your DKIM keys, but not awful if you do it infrequently. OP doesn’t need to panic.
GamerLymx@reddit
The devil is in the details: email forwarded from Google with SRS will be signed by Google's DKIM key. OP should confirm old keys aren't published in the DNS.
dhardyuk@reddit
Every day’s a school day.
I did not know that.
Ok-Card-7219@reddit (OP)
All keys/selectors are from around a month ago when we switched mail servers, so all good I guess.
Thank you for your input!
freddieleeman@reddit
This is called indirect mail flow and occurs when messages are (automatically) forwarded by recipients. While this process breaks SPF, the DKIM signature remains valid, allowing DMARC to pass as intended. This behavior is by design and does not require any changes. For a deeper understanding of DMARC fundamentals, check out my free resource: learnDMARC.com.
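The forwarding case described above, worked through as an added example (not from this thread or from learnDMARC.com): a small DMARC evaluator in the style of RFC 7489 section 6.6.2 that passes a message when either SPF or DKIM both passes and aligns with the From: domain. The domain example.com, the authentication results, and the two-label organizational-domain shortcut (real DMARC uses the Public Suffix List) are assumptions.

```python
"""Minimal DMARC alignment check for direct, forwarded and spoofed mail.
Added example; the domains and results below are constructed sample data."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # Simplification: take the last two labels instead of consulting the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=r'."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    # adkim/aspf default to relaxed ("r") when absent; "s" means strict.
    return {"p": tags["p"], "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain that DMARC checks alignment against
    spf_result: str    # "pass" / "fail" from the receiver's SPF check
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated for
    dkim_result: str   # "pass" / "fail" of the DKIM signature verification
    dkim_domain: str   # d= of the verified signature, "" if none


def evaluate_dmarc(record: str, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition): pass needs one aligned passing method."""
    pol = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, pol["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, pol["adkim"])
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", pol["p"])


DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:reports@example.com; adkim=r; aspf=r"

# Constructed scenarios: sent directly from an SPF-listed server; forwarded without
# SRS (SPF fails, DKIM survives); forwarded with SRS (SPF passes for the forwarder's
# domain but is unaligned, DKIM survives); and a plain spoof with no valid signature.
direct = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
forwarded = AuthResults("example.com", "fail", "example.com", "pass", "example.com")
forwarded_srs = AuthResults("example.com", "pass", "srs.forwarder.example", "pass", "example.com")
spoof = AuthResults("example.com", "fail", "attacker.example", "fail", "")
```

Only the spoof ends up quarantined; both forwarded messages pass on aligned DKIM, which is why forwarders show up in aggregate reports as SPF failures with a DMARC pass.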
Ok-Card-7219@reddit (OP)
I see, that does make sense. I've used learnDMARC.com while I was configuring everything to check if I did it correctly. Thank you very much!
freddieleeman@reddit
I also wrote a blog explaining the different types of failures and what they mean: DMARC Aggregate Reports Explained.
Ok-Card-7219@reddit (OP)
That's awesome, I'll give it a read, thank you!
tacotacotacorock@reddit
Awesome resources. Many people get confused on the topic.
cqdx73@reddit
Interesting