Hi Hans-Martin,

On Sun 14/Mar/2021 08:43:09 +0100 Hans-Martin Mosner via mailop wrote:
> Since this is a completely new area for me, I'm trying to make sense of the report content, and of course I'm trying to adjust our DNS records to limit damage.
I find it very useful to transform reports into html, so as to make them readable. I use an XSLT for that:
http://www.tana.it/sw/dmarc-xsl/
> As far as I understand, the report contains a copy of our published policy as well as records per sending IP. In the report I'm just looking at, it's stated that our domain and subdomain policy is "reject" although I changed it to "quarantine" within the same DNS update in which I changed the rua address from a generic one to a special receiver address, so I know the reporter must have read the new version of the DMARC DNS record because they sent to that special address.
What Ken said is right. Allow a few days for the policy to stabilize at all receivers'.
> The report also claims that SPF failed, although our SPF record included the outgoing mailserver from the beginning, of course. So this report looks like a red herring to me - not enough information to debug what may have been wrong (ok for an aggregate report) but also containing highly questionable data.
SPF fails when forwarded, DKIM fails when altered. If either succeeds, DMARC can still fail because of alignment.
Looking at IPs and at the reported SPF and DKIM identifiers, you may be able to deduce the path the relevant messages followed. Comparing the results of various report producers, taking into account where messages might have changed, you may form an educated guess of which reports are reliable. Reliable reports may suggest changes to your SPF or DKIM configuration. OTOH, if results from one reporter appear to be wrong, you should contact them and work out why. Checking reports works both ways. AFAIK, there isn't a tool to check reporting is done correctly.
For example, in the message I'm replying to neither SPF nor DKIM give a DMARC pass for heeg. That's expected, as SPF gives a pass to mailop, and the DKIM signature gets broken by some extraneous field which I cannot guess (besides the usual changes MLMs do). If you reply to me, you'd get one more aggregate report to compare.
> I'm about to switch DMARC off again or at least change the policy to "none" as it seems to hurt more than help.
Good. By the time I read your message it was p=none already.

Best
Ale
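Added example, not part of the original message: a sketch of the per-record check described above, reading an aggregate report and showing for each source IP which SPF and DKIM identifiers were reported and whether a passing one aligns with the header From domain. The sample report, its domains and IPs are constructed, the function names are hypothetical, and the organizational-domain rule is a stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate format; domains and IPs are placeholders.
SAMPLE = """<feedback>
<policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count></row>
 <identifiers><header_from>example.org</header_from></identifiers>
 <auth_results><dkim><domain>example.org</domain><result>pass</result></dkim>
  <spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>1</count></row>
 <identifiers><header_from>example.org</header_from></identifiers>
 <auth_results><dkim><domain>example.org</domain><result>fail</result></dkim>
  <spf><domain>list.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def org(domain):
    # Assumption: organizational domain = last two labels; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # Strict mode ("s") needs an exact match, relaxed ("r") the same organizational domain.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org(a) == org(f)

def explain(xml_text):
    # Reports arrive from third parties: refuse DTDs and entity declarations outright.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entities not expected in a DMARC report")
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    modes = {m: (pol.findtext(k) or "r") for m, k in (("dkim", "adkim"), ("spf", "aspf"))}
    out = []
    for rec in root.iter("record"):
        frm = rec.findtext("identifiers/header_from") or ""
        notes, ok = [], False
        for mech in ("dkim", "spf"):
            for res in rec.findall(f"auth_results/{mech}"):
                dom, result = res.findtext("domain") or "", res.findtext("result")
                al = aligned(dom, frm, modes[mech])
                ok = ok or (result == "pass" and al)  # DMARC needs a pass that is also aligned
                notes.append(f"{mech}={result} d={dom} {'aligned' if al else 'unaligned'}")
        out.append((rec.findtext("row/source_ip"), "pass" if ok else "fail", notes))
    return out

if __name__ == "__main__":
    for ip, verdict, notes in explain(SAMPLE):
        print(ip, "DMARC", verdict, "|", "; ".join(notes))
```

The second constructed record is the mailing-list case: SPF passes for the list's own domain, which does not align, and the DKIM signature for the author's domain no longer verifies.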
