How can SPF/DKIM pass, and yet DMARC fail?

DMARC introduces the concept of "Identifier Alignment" to the world of email.  The concept is needed as SPF and DKIM are stand-alone technologies capable of associating a domain with a piece of email. When a receiver uses SPF, the receiver looks at the domain found in the RFC5321.MailFrom to figure out where to look for an SPF record.  The RFC5321.MailFrom address is the entity that is passed along as part of the "MAIL FROM" command during the SMTP conversation.  To…
dmarcian
12 October 2015
Industry News

More Yahoo domains move to p=reject

Yahoo is placing ymail.com and rocketmail.com into p=reject on November 2nd. This information is being provided to give people and companies time to prepare, as the #1 piece of feedback from when Yahoo moved yahoo.com to a p=reject was that Yahoo didn't let the Internet know about the move in advance. Hopefully, this announcement will ease any pain that users of ymail.com and rocketmail.com might have when sending email from infrastructure that is not authorized by Yahoo.
dmarcian
12 October 2015

Broken SPF.. what does it mean?

People sometimes write in and ask "what is the impact of a broken SPF record"? The net effect of a broken SPF record is that receivers can't reliably use SPF to determine the legitimacy of the domain's email.  *Some* receivers might ignore the broken parts of an SPF record and keep checking, but out of the box all SPF implementations will barf, and you'll be left with a record that is introducing uncertainty into email performance. We've discovered an odd…
dmarcian
10 October 2015

PTR mechanisms in SPF records

If PTR mechanisms are detected, the current diagnostic output is: Warning: PTR mechanisms SHOULD NOT be used and cannot be resolved using this diagnostic tool.  More info at <this page!>. What does the PTR mechanism mean?  When an email receiver gets a piece of email and the PTR mechanism is in the sender's SPF record, the receiver will look at the incoming IP address and do a "PTR" lookup.  For example, if the sender is sending email from IP address…
dmarcian
9 October 2015
dmarcian Tools

Meaning of “WARNING: No A or AAAA records found”

If you publish an SPF record and use the a mechanism, but your domain doesn't actually have an A record in place, then you'll see this warning. Here's a sample SPF record that contains the a mechanism (the a is in bold): v=spf1 a include:_spf.google.com ~all The A DNS record is how you use the DNS to associate an IP address with your domain.  The AAAA DNS record (also called "quad-A") is used to associate an IPv6 address with your…
dmarcian
8 October 2015
dmarcian Tools

Meaning of “No DMARC reports received yet which confirm DKIM signing”

Users sometimes ask What does "No DMARC reports received yet which confirm DKIM signing" mean? dmarcian uses DMARC-XML data to detect the presence of DKIM signatures.  There is no straight-forward way to query the internet for the presence of DKIM signatures, and so dmarcian relies on the contents of DMARC-XML reports to provide information on DKIM signatures. Given the above, there are 4 reasons why you might see this message: DKIM hasn't been implemented with the domain's source(s) of email. DKIM…
dmarcian
7 October 2015