The reports can be very helpful. But they are not that intuitive. Make sure you understand the the following. The results of SPF and DKIM sec (without considering alignment) are given in <record><auth_results><spf>/<dkim>. The results of SPF and DKIM in DMARC context (with alignment considered) are in <row><policy_evaluated><spf>/<dkim>.
SPF breaks with forwarding. So make sure both SPF and DKIM validate, and are aligned. Even though DMARC will validate when either one passes. Maarten > On 14 Mar 2021, at 08:43, Hans-Martin Mosner via mailop <mailop@mailop.org> > wrote: > > Hello, > > due to the recent GMX mail rejection incident (for which I still don't have a > satisfactory explanation from GMX) I've > enabled DMARC on our mail server in the hopes of getting better > deliverability. > > But some of our outgoing mails were rejected, and the aggregate DMARC reports > we were getting weren't too helpful (again > :-( ) > > Since this is a completely new area for me, I'm trying to make sense of the > report content, and of course I'm trying to > adjust our DNS records to limit damage. > > As far as I understand, the report contains a copy of our published policy as > well as records per sending IP. In the > report I'm just looking at, it's stated that our domain and subdomain policy > is "reject" although I changed it to > "quarantine" within the same DNS update in which I changed the rua address > from a generic one to a special receiver > address, so I know the reporter must have read the new version of the DMARC > DNS record because they sent to that special > address. > > The report also claims that SPF failed, although our SPF record included the > outgoing mailserver from the beginning, of > course. > > So this report looks like a red herring to me - not enough information to > debug what may have been wrong (ok for an > aggregate report) but also containing highly questionable data. > > I'm about to switch off DMARC off again or at least change the policy to > "none" as it seems to hurt more than help. > > What's your experience with reliability of DMARC reports? Mostly helpful? Too > much nonsense? > > Cheers, > Hans-Martin > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
