Hi Thomas,
It's not immediately clear from your edits whether the results that you are
showing are from the same <row> of the DMARC report; my guess is that they're
not. Assuming that my guess is correct: it's worth bearing in mind that a DMARC
aggregate report is just that: a report aggregating information about all of
the email messages that the Receiver has seen purporting to be from your
organisation during the report period (almost always 24 hours). To keep things
at a reasonable size, the report groups message reports that have identical
dispositions etc. into a single <row> with a <count>, instead of providing a
row per message. When interpreting the report, it is important to view each
<row> as though it were a completely separate report from the same Receiver.
The other thing that occasionally creates confusion is the difference between:
- the authentication results (whether a particular authentication evaluation
returned true or false at the SPF/DKIM level), and
- the effective authentication result when evaluating policy (a pass for an
unrelated domain will be treated as a fail for DMARC evaluation purposes;
similarly parent vs. child domains if you're using different policies for
sub-domains).
- Roland
----------
From: dmarc-discuss <[email protected]> on behalf of Thomas
Krichel via dmarc-discuss <[email protected]>
Sent: Tuesday, 5 July 2016 15:41
To: DMARC-discuss
Subject: [dmarc-discuss] exegesis: pass and fail together
Hi gang,
I am new to DMARC. Google have sent me a report that I attach.
I am puzzled by what I am reading. About DKIM
<dkim>
<domain>openlib.org</domain>
<result>pass</result>
</dkim>
<dkim>
<domain>openlib.org</domain>
<result>fail</result>
</dkim>
How can it fail and pass at the same time?
Then about SPF
<record>
<row>
<source_ip>2a01:4f8:190:62e8::68</source_ip>
<count>7</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>openlib.org</header_from>
</identifiers>
<auth_results>
...
<spf>
<domain>lists.openlib.org</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
How can it say that the SPF fails in the policy evaluated,
but later say it passes. Could this be me posting to a mailing
list, with the from: saying [email protected], but forwarded
by lists.openlib.org? 2a01:4f8:190:62e8::68 is SPF authorized to
send mail for both lists.openlib.org and openlib.org, so this
would still be puzzling.
--
Cheers,
Thomas Krichel http://openlib.org/home/krichel
skype:thomaskrichel
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
