Mobile app version of vmapp.org
Login or Join
Shelton105

: Sent emails pass SPF and DKIM, but fail DMARC when received by Gmail Gmail is marking my email messages as Spam. The messages pass SPF and DKIM, but fail DMARC. Is there some way to make

@Shelton105

Posted in: #Dkim #Email #Gmail #Spf

Gmail is marking my email messages as Spam. The messages pass SPF and DKIM, but fail DMARC. Is there some way to make my messages pass DMARC?

I recently signed up for WordPress hosting at Flywheel, which uses Mandrill for transactional email. My site has several forms that send email notifications when they are submitted.

I am attaching the raw source of a sample message:

Delivered-To: xxxxx@seesawsf.com
Received: by 10.36.109.5 with SMTP id m5csp1332570itc;
Sun, 1 Feb 2015 23:03:34 -0800 (PST)
X-Received: by 10.236.2.6 with SMTP id 6mr7036797yhe.179.1422860614601;
Sun, 01 Feb 2015 23:03:34 -0800 (PST)
Return-Path: <bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com>
Received: from mail128-15.atl41.mandrillapp.com (mail128-15.atl41.mandrillapp.com. [198.2.128.15])
by mx.google.com with ESMTPS id g67si3643342yhd.195.2015.02.01.23.03.34
for <xxxxx@seesawsf.com>
(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sun, 01 Feb 2015 23:03:34 -0800 (PST)
Received-SPF: pass (google.com: domain of bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com designates 198.2.128.15 as permitted sender) client-ip=198.2.128.15;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com designates 198.2.128.15 as permitted sender) smtp.mail=bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com;
dkim=pass header.i=@mail128-15.atl41.mandrillapp.com;
dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=seesawsf.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=mandrill; d=mail128-15.atl41.mandrillapp.com;
h=From:Sender:Subject:To:Message-Id:Date:MIME-Version:Content-Type; i=info@mail128-15.atl41.mandrillapp.com;
bh=Jt6YNkQAh5eG3xb1p6nYqPNm8rQ=;
b=HwSrIhBVCHMWd2/PMVTb49MJ/nrtEXVsIbV5wIzMyVNPiaCzmI5t5JkPM+E00Ug6CziUbTgUGM2o
M/2W3jq43+EYjXGmVatW1Q3GcnErPc14WQr3b0FtCJFeTxVKR3wublilVvWyA9oRtTqsgyWc0Mlj
0LrqrPb6UXTPre52Fog=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=mandrill; d=mail128-15.atl41.mandrillapp.com;
b=qx6ydLL6hfTwC7h8XIW5C6jwtBHZ2R/5g8cCE60yXMxhLbH+fD5fc4kLXYNR6Ok5qlwvMKkG/aU5
2/AQkTHLHxsq7fmVBpDFnxI1R2T1vBkYZ6StFnkhQp1tHUTfGrj+5j5K8+msc+qiIktNRSeL12JD
egxGpd+2goJerCPfGsQ=;
Received: from pmta04.atl01.mandrillapp.com (127.0.0.1) by mail128-15.atl41.mandrillapp.com id hpsgkc1mqukr for <xxxxx@seesawsf.com>; Mon, 2 Feb 2015 07:03:34 +0000 (envelope-from <bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandrillapp.com;
i=@mandrillapp.com; q=dns/txt; s=mandrill; t=1422860613; h=From :
Sender : Subject : To : Message-Id : Date : MIME-Version : Content-Type
: From : Subject : Date : X-Mandrill-User : List-Unsubscribe;
bh=3BX+Ypp8U/OwrT6jZiEJ7HZzbu5vXIAOTBSMt9pdT/c=;
b=D4qNdklkpV8zM74TZFQ8CkUy8N3zJesDWFWnNN6qAZ4eqW3WTCjg0W7Sooks5h+IiqC55Z
2DbpzSC1GuNMDFbmxzUTeWXyA1QU/TpDrpHnd9D9qDLiflNTmWcrwKlT6U8Bp00d+itgq9bv
ZhmZZ2+vY3fe3rFHv26UKwvdusFmg=
From: seesaw registration <xxxxx@seesawsf.com>
Sender: seesaw registration <info@mail128-15.atl41.mandrillapp.com>
Subject: [removed]
Return-Path: <bounce-md_30068542.54cf2145.v1-57b0f565d61f4314ae4398e41d1cf6f7@mandrillapp.com>
X-Sg-User: flywheelxxxxx
X-Sg-Opt: PWD=/www
X-Php-Originating-Script: 0:class-phpmailer.php
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
To: <xxxxx@seesawsf.com>
Message-Id: <410d02299d22f05ab4d859c2a733e836@seesawsf.flywheelsites.com>
Received: from [162.243.115.105] by mandrillapp.com id 57b0f565d61f4314ae4398e41d1cf6f7; Mon, 02 Feb 2015 07:03:33 +0000
X-Report-Abuse: Please forward a copy of this message, including all headers, to abuse@mandrill.com
X-Report-Abuse: You can also report abuse here: mandrillapp.com/contact/abuse?id=30068542.57b0f565d61f4314ae4398e41d1cf6f7 X-Mandrill-User: md_30068542
Date: Mon, 02 Feb 2015 07:03:33 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_av-S0IDuFcF1O5aP8YpCVA_Kg"

--_av-S0IDuFcF1O5aP8YpCVA_Kg
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

[ removed message content ]

--_av-S0IDuFcF1O5aP8YpCVA_Kg
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

[ removed message content ]

--_av-S0IDuFcF1O5aP8YpCVA_Kg--

10.03% popularity Vote Up Vote Down


Login to follow query

More posts by @Shelton105

3 Comments

Sorted by latest first Latest Oldest Best

 

@Kevin317

The issue is caused by inconsistent between return-path and header From:.

Return-Path: mandrillapp.com

From: @seesawsf .com


SPF and DKIM check the domain using RFC5321.MailFrom (generally Return-Path:)
DMARC checks the domain using RFC5322.MailFrom (header From:)


Ref: space.dmarcian.com/how-can-spfdkim-pass-and-yet-dmarc-fail/
If the domain is different, DAMRC cannot authenticate the sender event though
SPF and DKIM are passed and the authentication will be failed.

In this case, SPF and DKIM authenticate mandrillapp.com not for seesawsf.com.

As a workaround, Retrun-Path and Header From are needed to be the same domain or DMARC will be failed.

10% popularity Vote Up Vote Down


 

@Sent6035632

You'll need to add a Mandrill DKIM record for your domain. The SPF and DKIM pass, but it's based on messages being authenticated for mandrillapp.com, not your domain (ie, the Return-Path domain is being used for message authentication). In order to authenticate as your domain, and in turn pass the DMARC alignment check, you need both SPF and DKIM for the "from" domain. Here's information about the DKIM record to add: help.mandrill.com/entries/22030056-How-do-I-add-DNS-records-for-my-sending-domains-
Once you do that, the Mandrill account owner (in your case Flywheel), will need/want to validate those records in Mandrill, so that Mandrill knows both are valid and can start signing messages for your domain (this can be done within the account or via the Mandrill API).

10% popularity Vote Up Vote Down


 

@Nimeshi995

Domain-based Message Authentication, Reporting & Conformance (DMARC) is being adopted by many major email providers like Google, Yahoo, Hotmail, AOL and others. As can be read about here, it's aimed at standardizing email authentication through SPF and DKIM mechanisms already being used by most mail servers.

Adding a DMARC policy record is very similar to adding SPF and DKIM records: you would add a TXT record to your domain's DNS table using the tags listed here by Google. An example they provide is:

v=DMARC1; p=none; rua=mailto:postmaster@your_domain.com


Checking the DNS records for your domain, I see there hasn't been a DMARC record added yet:

v=spf1 +a +mx include:_spf.google.com include:servers.mcsv.net include:spf.mandrillapp.com -all


Details on how to add a TXT record for Mandrill and common DNS Providers can be found here.

10% popularity Vote Up Vote Down


Back to top | Use Dark Theme