DMARC test failed but we didn’t find any obvious reason why; DMARC not passing while SPF and DKIM do

dmarc email opendmarc

About 7 days ago, I found out on https://www.mail-tester.com that sometimes (50% of my tries over a couple of days) my company email does not pass the DMARC test. As it states it does not know why, I am helpless right now and don't really understand what is happening.

I get this message:

The DMARC test failed but we didn't find any obvious reason why.
If you recently modified your DNS, please wait a few hours and then test again.

DMARC DNS entry found for the domain _dmarc.vlastimilburian.cz:

"v=DMARC1; p=reject; adkim=s; aspf=s"

Verification details:

  • mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz header.i=@vlastimilburian.cz header.b=CefZgBpZ; dkim-atps=neutral
  • mail-tester.com; dmarc=none header.from=vlastimilburian.cz
  • mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz header.i=@vlastimilburian.cz header.b=CefZgBpZ; dkim-atps=neutral
  • From Domain: vlastimilburian.cz
  • DKIM Domain: vlastimilburian.cz

I have a ProtonMail premium plan with one custom domain and a single email address. My domain DNS is protected with DNSSEC.

I have DKIM (DomainKeys Identified Mail) also.

My SPF record is a hard-fail:

v=spf1 include:_spf.protonmail.ch mx -all

The strange thing is, both SPF and DKIM are passing:

DMARC not passing while SPF and DKIM do


I have not modified my DNS in 3 days. Is there any other possible reason for DMARC to fail?


Update 2019-May-27

I got a reply from Mail-Tester.com's staff:

Thank you for sharing this link. I'm afraid I still don't quite understand the answer over there… Basically, it says everything is OK and DMARC should pass… isn't it? If so, I'm afraid it does not help much… we use the famous OpenDMARC library to analyze DMARC and the "we didn't find any obvious reason why" is generated when OpenDMARC says your email does not pass DMARC while our own test does not find anything wrong.


Could this possibly be an error in OpenDMARC, should I report it?


I tried the test now, and it passed.


Additionally, I sent a message to my Gmail free-mail with PASS results:

gmail test

Best Answer

As we can read from the results:

  • SPF verification passes, and the domain used in envelope sender matches the From header.
  • DKIM verification passes with a matching d=.

This means you have a passing DMARC alignment from both, while only one is required. Based on that we can blame mail-tester.com for analysing it incorrectly.
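
The alignment rule the answer applies, written out as an added example (not part of the original answer and not OpenDMARC's or mail-tester's code): it evaluates the question's record and DKIM line under the strict `adkim=s`/`aspf=s` modes, and returns `none`, the value RFC 7489 assigns when no policy record is retrieved. The function names, the constructed SPF line and the two-label shortcut for relaxed mode are assumptions.

```python
import re

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC1 record."""
    parts = (p.partition("=") for p in (txt or "").split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, _, v in parts}
    return tags if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    # Assumption: the last two labels stand in for the Public Suffix List lookup.
    return a.split(".")[-2:] == f.split(".")[-2:]

def auth_results(lines):
    """Yield (method, result, domain) for each spf/dkim result in the given lines."""
    for line in lines:
        line = re.sub(r"\([^)]*\)", "", line)  # drop comments like "(1024-bit key; unprotected)"
        for method, result, props in re.findall(r"\b(spf|dkim)=(\w+)([^;]*)", line):
            key = "header.d" if method == "dkim" else "smtp.mailfrom"
            found = re.search(re.escape(key) + r"=(\S+)", props)
            if found:
                yield method, result, found.group(1).split("@")[-1]

def dmarc_result(record_txt, from_domain, lines):
    """Evaluate DMARC for one message: 'none', 'pass' or 'fail'."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return "none"  # RFC 7489: no policy record found for the From domain
    for method, result, domain in auth_results(lines):
        mode = policy.get("adkim" if method == "dkim" else "aspf", "r")
        if result == "pass" and aligned(domain, from_domain, mode):
            return "pass"  # one aligned pass is enough
    return "fail"

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s"  # record quoted in the question
REPORT = [
    # DKIM line as quoted in the question
    "mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=vlastimilburian.cz "
    "header.i=@vlastimilburian.cz header.b=CefZgBpZ; dkim-atps=neutral",
    # constructed SPF line; the question shows the SPF pass only in a screenshot
    "mail-tester.com; spf=pass smtp.mailfrom=vlastimilburian.cz",
]

if __name__ == "__main__":
    print(dmarc_result(RECORD, "vlastimilburian.cz", REPORT))  # record present
    print(dmarc_result(None, "vlastimilburian.cz", REPORT))    # record lookup returned nothing
```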