DMARC failing on Mailgun when forwarding occurs


We recently increased to a quarantine policy and are thinking of going to reject – but we stumbled across an issue we can't seem to identify a root cause for. Specifically, forwarded e-mails appear to be having issues and we can't figure out why.

We use Mailgun for e-mail management. Our SPF is set to:

v=spf1 include:_spf.google.com include:mailgun.org ~all

And our DMARC is set to:

v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=600;rua=mailto:gtc5ysbx@ag.dmarcian.com

Our most recent DMARC report looks as follows (put in as a PDF on one of our domains to preserve formatting for you): https://www.insurancetrendsresearch.com/DMARC_ITR.pdf

I'd love help trying to understand why we are suffering SPF misalignment. It appears our DKIM and SPF records are OK – as for the most part, everything is making it through – but in some instances, we are failing on forwards (at least DMARCIAN has led us to believe it is only forwards). Wondering why?

To note – we only send mail from Google Apps and from MailGun – nowhere else at the moment.

Thanks,

Eli

Best Answer

This behavior is expected. DMARC requires that at least one of SPF or DKIM pass authentication and alignment tests. Forwarded messages will not pass SPF authentication; however, most properly forwarded messages will pass DKIM authentication (so long as the signed elements of the message are not altered).

Ensuring that your messages are properly signed using DKIM will allow forwarded messages to pass DMARC alignment tests and be delivered to the recipient inbox, despite the failure of SPF authentication due to forwarding.

For more information, please refer to Interoperability Issues between Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Indirect Email Flows.

I would also suggest moving from '~all' to '-all' if you are confident that you have identified all valid senders in your SPF record. '~all' indicates your domain is 'in transition' (essentially testing) and may not have identified all valid sources in your SPF record, while '-all' indicates that you have 'transitioned' (finished testing) and that any sender not listed is suspect.

Since you have published a 'p=quarantine' policy you may be receiving forensic reports at your 'ruf=mailto:...' mailbox; examining these forensic reports should provide additional information regarding the cause of misalignment (most likely forwarding). If this is the case, you should feel confident moving to a 'p=reject' policy.

Keep moving toward an SPF policy of '-all' and a DMARC policy of 'p=reject' (the ultimate goal); anything less leaves your domain unprotected.
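As an added example (not code from the original post, nor from dmarcian or Mailgun), the following Python models the DMARC identifier-alignment check the answer relies on: a message passes DMARC when either SPF or DKIM both authenticates and aligns with the RFC5322.From domain, so a forward that breaks SPF alignment still passes if the DKIM signature survives. It parses a record with the same tags as the one quoted in the question and runs three constructed delivery paths: a direct send, a clean forward, and a forward that altered signed content. The domains example.com, mg.example.com and forwarder.example.net are placeholders, and the organizational-domain lookup is approximated as the last two labels rather than a Public Suffix List query.

```python
"""Model of DMARC identifier alignment (RFC 7489 section 3.1) for direct,
forwarded-intact and forwarded-modified mail.  Added example, not the post's
own code.  Assumptions: example.com is the protected From domain,
mg.example.com its Mailgun sending subdomain, forwarder.example.net an
unrelated forwarder; the organizational domain is approximated as the last
two DNS labels instead of a Public Suffix List lookup."""
from dataclasses import dataclass

# Same tags as the record quoted in the question, with a placeholder rua address.
DMARC_RECORD = ("v=DMARC1;p=quarantine;sp=none;adkim=r;aspf=r;pct=100;"
                "fo=0;rf=afrf;ri=600;rua=mailto:dmarc-reports@example.com")


def parse_tag_value(record: str) -> dict:
    """Parse a 'tag=value;tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain: the identifier DMARC protects
    spf_result: str    # SPF result for the RFC5321.MailFrom domain
    spf_domain: str    # the domain SPF was actually evaluated against
    dkim_result: str   # result of verifying the DKIM-Signature ("none" if absent)
    dkim_domain: str   # d= of that signature ("" if absent)


def dmarc_evaluate(record: str, r: AuthResults) -> dict:
    """DMARC passes if SPF or DKIM both authenticated AND aligns with the From domain.
    pct= and sp= are not modelled (pct=100 and an organizational From domain assumed)."""
    tags = parse_tag_value(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else tags.get("p", "none")}


# Constructed scenarios (not taken from the poster's aggregate report).
SCENARIOS = {
    # Sent straight from Mailgun: envelope domain mg.example.com, signature d=example.com.
    "direct": AuthResults("example.com", "pass", "mg.example.com", "pass", "example.com"),
    # Forwarded intact: the forwarder re-sends with its own envelope domain, so SPF
    # may pass for forwarder.example.net but cannot align; the DKIM signature survives.
    "forward_intact": AuthResults("example.com", "pass", "forwarder.example.net", "pass", "example.com"),
    # Forwarded by a list that rewrote the Subject: signature broken, nothing aligns.
    "forward_modified": AuthResults("example.com", "pass", "forwarder.example.net", "fail", "example.com"),
}


def run_scenarios(record: str = DMARC_RECORD) -> dict:
    """Evaluate every scenario against the record; returns name -> verdict."""
    return {name: dmarc_evaluate(record, r) for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:17s} {verdict}")
```

Two things the model makes visible: the clean forward passes DMARC only because the DKIM signature is made with d= the From domain (or, under adkim=r, a subdomain of it), so a signature under a vendor domain would not help; and switching to aspf=s would stop mg.example.com from aligning with example.com even on direct sends, which is why relaxed alignment is the safer choice when the return path lives on a sending subdomain.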
