Hello!

We activated SPF and DMARC on a domain yesterday,
and I don't understand why Gmail gives SPF pass
but still fails our subdomains in DMARC.
(I hope it's ok to ask this question here.)

This is our configuration:

MD.se. TXT "v=spf1 ip4:X ip4:X ip4:X ip4:X ip4:X/24 ip4:X/24 ip4:X ip6:X ip6:X ip6:X include:X -all"

_dmarc.MD.se. TXT "v=DMARC1; p=reject; sp=none; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]";

I have X:ed out lots of information, but I think
that the only really relevant information is that
SD.MD.se below is a subdomain of main domain MD.se.
If any other information is needed, I can provide that.

We don't use DKIM, but as I understand DMARC,
it should be enough to get SPF pass to also get
DMARC pass.

Here is a test from the main domain, with the expected
result:

Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates X as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=MD.se

But when we send emails from a subdomain to MD.se we get
reject bounces:

Sender: [email protected]

[email protected] R=dnslookup T=remote_smtp: SMTP error from remote mail server after end of data:
host gmail-smtp-in.l.google.com [64.233.162.26]: 550-5.7.1 Unauthenticated email from MD.se
is not accepted due to domain's DMARC policy. Please contact the administrator of MD.se domain
if this was a legitimate mail. Please visit https://support.google.com/mail/answer/2451690
to learn about the DMARC initiative. v201si1541020lfa.51 - gsmtp

As I understand the concept of alignment, we have a relaxed
SPF alignment between MD.se and SD.MD.se. And our DMARC policy
accepts relaxed SPF alignment. So why are emails with the
subdomain sender rejected when we have sp=none?

Here are headers from the delivered subdomain email after changing
DMARC for MD.se from p=reject to p=none:

Return-Path: <[email protected]>
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of [email protected] designates X as permitted sender) [email protected];
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=MD.se
From: <[email protected]>

So as you can see, we have no SPF record for the subdomain SD.MD.se,
but we shouldn't have to publish SPF records for all server names
that send server-specific emails, should we?
(Obviously it would be good if we did, but that is a future project.)

I thought that subdomain emails should be allowed by sp=none in
the DMARC policy for MD.se?
I'm really confused and would be grateful for help decoding this problem.

Thanks!

--
Peter Olsson
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
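
The following is an added example, not part of the original message: a simplified SPF-only DMARC evaluation run over the cases in the headers above, showing which of p= and sp= a receiver consults. It assumes the envelope sender domain is SD.MD.se, that a "best guess" SPF pass is not counted for DMARC (consistent with the dmarc=fail shown), and a naive two-label organizational domain; pct= is ignored and all function names are hypothetical.

```python
# Added example: simplified DMARC evaluation, SPF only (no DKIM, as in the post).

def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; sp=none' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def evaluate(header_from, mail_from, spf_result, spf_published, record):
    """Return (dmarc_result, requested_policy, disposition)."""
    tags = parse_dmarc(record)
    header_from, mail_from = header_from.lower(), mail_from.lower()
    if tags.get("aspf", "r") == "s":      # strict: exact domain match
        aligned = header_from == mail_from
    else:                                 # relaxed: same organizational domain
        aligned = org_domain(header_from) == org_domain(mail_from)
    # Assumption: a "best guess" pass (no SPF record published for the
    # envelope domain) is not an SPF pass as far as DMARC is concerned.
    spf_ok = spf_result == "pass" and spf_published
    result = "pass" if (spf_ok and aligned) else "fail"
    # sp= covers only From: domains that are subdomains of the organizational
    # domain; a From: at the organizational domain itself is governed by p=.
    if header_from == org_domain(header_from):
        policy = tags.get("p", "none")
    else:
        policy = tags.get("sp", tags.get("p", "none"))
    return result, policy, ("none" if result == "pass" else policy)

RECORD = "v=DMARC1; p=reject; sp=none; pct=100"  # from the post, reporting tags dropped

if __name__ == "__main__":
    # Constructed cases: (From: domain, envelope domain, SPF result, SPF record published?)
    for case in [("MD.se", "MD.se", "pass", True),
                 ("MD.se", "SD.MD.se", "pass", False),
                 ("SD.MD.se", "SD.MD.se", "pass", False)]:
        print(case, "->", evaluate(*case, RECORD))
```

The second case corresponds to the bounce above: alignment is relaxed and satisfied, but the From: domain is MD.se itself, so p=reject is the policy consulted, not sp=none.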