On Mon, 04 Apr 2016 14:24:09 -0700 Alan Hodgson wrote: > On Monday, April 04, 2016 11:09:12 PM A. Schulze wrote: > > > As "RW" pointed out: The message has a dkim signature mx.aol.com but > > RFC5322.From is the /parent/ domain > > That does not align and dmarc will not pass. It's AOL's fault. > > > > Andreas > > I really believe that's incorrect. Relaxed alignment specifically > means you can sign with a subdomain's key or use a subdomain for SPF. > > Read sections 3.1.2 and 10.4 of that same document, for instance.
It sounds like dmarc relaxations break some existing DKIM and SPF usage. The original email quoted hit the DMARC rule because it hit DKIM_VALID rather than DKIM_VALID_AU, so presumably the DKIM whitelist rules wouldn't work correctly either.