Why does legitimate email fail DMARC even when doing everything right?

Key findings

• Inherent DMARC behavior: Legitimate email failures are an expected part of how DMARC operates, even when all configurations are seemingly correct.
• Message modifications: Programmatic message forwarding or modifications (e.g., adding "scanned for viruses" signatures) by intermediate mail transfer agents (MTAs) can break DKIM signatures or SPF authentication, leading to DMARC failures.
• DNS issues: Transient DNS failures or rate-limiting on DNS platforms can prevent SPF and DKIM checks from completing successfully, causing legitimate mail to fail DMARC.
• Service provider behaviors: Some email service providers (ESPs) or internal systems may send legitimate emails with configurations that inherently cause DMARC misalignment, such as automated AmazonSES DKIM signatures alongside custom ones.
• Policy interpretation: A DMARC failure does not automatically mean an email is illegitimate; it signifies a failure of the authentication checks. Understanding why DMARC fails when SPF and DKIM pass is essential.

Key considerations

• DMARC report analysis: Utilize DMARC reports (RUA and RUF) to gain visibility into authentication failures. These reports provide data on IP addresses, sending domains, and failure types, which can help diagnose issues. Learn how to interpret DMARC reports.
• Authentication standards: Ensure your SPF and DKIM records are correctly configured and aligned with your sending domain. A robust setup is the first line of defense against DMARC failures for legitimate mail. This is part of dealing with DMARC failures.
• Forwarding and third-party services: Be aware that email forwarding often breaks SPF and DKIM, leading to DMARC failures. When using third-party sending services, confirm their DMARC compliance and proper alignment configurations.
• Gradual DMARC enforcement: Start with a DMARC policy of p=none to monitor the impact before moving to stricter policies like p=quarantine or p=reject, allowing time to identify and fix legitimate failures.
• Transient failures: Some DMARC failures are transient (e.g., temporary DNS lookup issues) and not indicative of spoofing. Differentiating these from persistent issues requires careful analysis of DMARC reports over time.

Key opinions

• Regular occurrence: Legitimate DMARC failures happen regularly, and DMARC reports are the primary tool for understanding their frequency and causes within a mailstream.
• Forwarding breaks DMARC: Automated email forwarding, such as between Gmail and Google Workspace accounts, is a known cause of DMARC failure for legitimate emails because it often breaks SPF and DKIM authentication.
• In-transit modifications: Intermediate mail servers adding headers like "scanned for viruses" can invalidate DKIM signatures, leading to DMARC failure even for valid messages. This highlights the sensitivity of DKIM to content changes.
• Misconfiguration vs. spoofing: DMARC failure does not inherently mean an email is spoofed. It can indicate misconfigurations by the sender or their host, issues with services not aligning properly, or transient DNS lookup problems.
• Shared IP challenges: On shared IP addresses, especially with services like Amazon SES, automated DKIM signatures from the ESP's domain can conflict with a sender's authenticated DKIM, causing alignment failures for otherwise legitimate emails.

Key considerations

• DMARC policy deployment: A p=none policy can be instrumental in identifying DMARC failure modes for legitimate mail before moving to more restrictive policies. This allows for safe observation of email authentication outcomes.
• Diagnosing volume: A small number of DMARC failures for authenticated senders might be expected, but a high volume of failures should trigger an investigation into potential security breaches, misconfigurations, or unauthorized sending services.
• Strict syntax enforcement: Some receiving systems, like ProofPoint, may reject messages due to syntax errors in DMARC records, even if these errors are against RFC guidelines. Senders need to ensure strict adherence to RFCs for robust deliverability.
• Sender and receiver perspective: Senders might be alerted to issues by bounces, while receivers might notice when users don't get expected emails. Both perspectives are valuable for fixing DMARC fail errors.
• System-triggered mail: Be aware that system-triggered emails or test messages from services like Amazon SES may inherently cause DMARC failures if their authentication differs from bulk mail, even if the 5322.From domain is correct.

Key opinions

• Expected behavior: DMARC's design inherently allows for legitimate emails to fail authentication and be rejected or quarantined, even when best practices are followed.
• No change indication: Neither an SPF failure nor a DKIM failure necessarily indicates that a message has been altered. These failures can occur due to other factors like DNS lookup issues.
• Legitimate mail definition: Deploying DMARC doesn't make previously legitimate email illegitimate. Redefining legitimate solely as passes DMARC is a misrepresentation.
• Semantic meaning: DKIM's primary purpose is to associate a responsible domain with an email message, not to verify content integrity against any modification. A DKIM failure, in isolation, holds no semantic meaning.
• Operational reality: Competent professionals acknowledge that DMARC will occasionally reject legitimate mail. Careful sender practices can reduce this rate to negligible levels, but receivers must expect some senders to have legitimate failures.

Key considerations

• DMARC feedback importance: The defining feature of DMARC is its feedback reports, which allow senders to identify false positives for legitimate email. This instrumentation is critical for diagnosing and mitigating issues. This helps in troubleshooting DMARC failures.
• Protocol understanding: Many DMARC issues stem from a misunderstanding of the underlying SPF and DKIM protocols' semantics. A deeper technical background can prevent misinterpretations and ensure effective deployment.
• Transient DNS failures: DNS flakiness, both at small and large scales, can cause transient DMARC failures. These are often horses and zebra cases where legitimate messages fail for unknown, temporary reasons. For more on this, check out demystifying SPF TempError.
• IP address correlation: When investigating DMARC failures, check if the failed messages originated from the same IP addresses and 5322.From domains as the passing ones. This can strongly indicate legitimate mail being impacted by DMARC.
• ARC adoption: While DMARC has its limitations, Authenticated Received Chain (ARC) is emerging as a solution to preserve authentication results across forwarding hops, aiming to mitigate some of these legitimate DMARC failures.

Key findings

• RFC compliance: Email authentication protocols like SPF and DKIM are defined by RFCs, and DMARC builds upon their principles. Understanding what RFCs say about email headers and body can clarify expected behaviors.
• DKIM modification handling: DKIM protocol explicitly attempts to differentiate between bytewise-identical and semantically identical messages to account for normal in-transit rewrites that don't signify malicious activity.
• SPF policy mechanisms: SPF mechanisms (e.g., softfail, hardfail) allow domain operators to indicate how receiving servers should handle mail that doesn't pass SPF checks.
• DMARC feedback system: DMARC's design includes feedback reporting (Aggregate and Forensic reports) precisely because it anticipates and aims to help identify legitimate mail that fails authentication due to various factors, not just spoofing.

Key considerations

• Interpreting SPF results: SPF evaluates the sending IP against authorized senders. A SPF failure means the IP isn't authorized, but it doesn't inspect message content. However, DMARC combines this with DKIM alignment.
• DKIM public key retrieval: For DKIM verification, the public key must be fetched from DNS. Network issues preventing this fetch can lead to DKIM authentication failures, which in turn cause DMARC failures, even if the message's signature and content are intact. For more information, see why DKIM fails.
• DMARC policy application: The DMARC policy (p=none, quarantine, reject) dictates the action taken on non-compliant messages. A reject policy, while strong for security, will result in legitimate message loss if any authentication fails.
• DomainKeys history: The development of DomainKeys (precursor to DKIM) included extensive efforts to avoid requiring content hashes. The necessity of a hash highlights the inherent challenge of authenticating messages that undergo normal in-transit modifications.