DMARC Failures – Strange Characters in DNS Checkers for DKIM and SPF

Tags: cloudflare, dmarc, domain-name-system, spf

Emails sent from all 3 email addresses I have set up in the Rackspace Cloudways Add-On are ending up in Spam in Gmail.

When I "View Original Message" in Gmail, I see…

SPF:    NEUTRAL with IP 173.203.187.81
DMARC:  'FAIL'

… where 173.203.187.81 is a Rackspace IP address.

My DNS provider is CloudFlare.

There is a DMARC policy set up, which is the following…

_dmarc.boldstatements.com.au    v=DMARC1; p=none; ruf=mailto:[email protected]; rua=mailto:[email protected]

Cloudways provided me with this DKIM TXT record…

20220817-maluhsjy._domainkey    v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0PqtvPuYkElqS+b80iEj4aepAdf6n+CDXRFTG/1Q8RMdw/D6hNmQpv8FCTyIuplZt/qTxBbBFrPLJK5tp7bqkSEG2YpPSnHDCGihaOCsRkJP0aAbnuQRmjHq6H0yCwtJKjRhW7H4pbjx9/LA6dXIaw4N1emtSLWcGejVrhVZ+CwIDAQAB

When I use dnschecker.org and a few other DNS lookup tools to look at my TXT records, I get the following strange output…

\239\187\191v=spf1 a mx include:_spf.elasticemail.com include:emailsrvr.com -all

These characters \239\187\191 are definitely not in the TXT record in CloudFlare.

Cloudways support claims that these characters are causing the DMARC to fail, but since they don't appear on other DNS checkers such as https://mxtoolbox.com/ and https://www.whatsmydns.net/, and since SPF is returning "neutral", I suspect they are actually a bug in https://dnschecker.org/ and in the DNS checker that Cloudways support is using.

Any thoughts?

NOTES

Thanks to Patrick Mevzek's answer below, I was able to find a solution.

Just a quick description of how I ended up in this mess in the first place: basically, I copy-pasted the values of the DNS records from a Cloudways support chat window straight into Cloudflare.

And to remove the characters I needed to copy the value from Cloudflare into Notepad++, change the encoding to ANSI, which made the extraneous characters appear, delete them, then change back to UTF-8 (just in case), and paste back into Cloudflare.

Best Answer

FWIW,

\239\187\191 is the DNS encoding of 3 bytes with decimal values 239, 187, 191, which map in hexadecimal to EF BB BF, which is the UTF-8 encoding of Unicode codepoint U+FEFF, ZERO WIDTH NO-BREAK SPACE.

I suspect this TXT record was created by copying and pasting from somewhere with some "smart" behavior; obviously the space is not visible on screen in some UIs, but it did end up in the TXT record.

This has to be cleaned, i.e. removed.

As for:

These characters \239\187\191 are definitely not in the TXT record in CloudFlare.

and

but since they don't appear on other DNS checkers such as https://mxtoolbox.com/ and https://www.whatsmydns.net/,

I suspect that various systems just consider the TXT record content to be a string in UTF-8, so they decode it and display it (mistakenly, but there is unfortunately no standard there at all: DNS was invented far before Unicode/UTF-8, and then lots of things like SPF just decided to abuse TXT records), and obviously the "zero-width space" is not visible on any HTML page.

A better UI would take care of that and display it properly and/or warn about it. An even better UI would just remove that character when the record is added, since it is obviously wrong here (but "obvious" in a TXT record is limited… you have to see that it is v=spf1 or similar and then act accordingly). Which now gives me a good idea of what I should fix in my own UI, thanks for the idea :-)
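Added example (not part of the question or of Patrick Mevzek's answer): a small Python script that does by machine what the answer works out by hand. It decodes the \DDD presentation form that a lookup tool prints back to raw bytes, names every non-ASCII code point it finds (the BOM, U+FEFF, in this case), strips such format characters the way the answer says a better UI should, and checks the RFC 7208 rule that a TXT record only counts as SPF when it begins with exactly "v=spf1" followed by a space or the end of the record. The sample input is the dnschecker.org output quoted in the question; the function names and the cleaning policy (drop Unicode category Cf, turn category Zs spaces into plain spaces) are assumptions of this example, not behaviour of Cloudflare, dnschecker.org or any other tool named on this page.

```python
"""Decode DNS presentation-format TXT strings, flag invisible code points such as
the UTF-8 BOM (U+FEFF), and show why a BOM-prefixed record is not an SPF record."""
import unicodedata

# Constructed from the question: the dnschecker.org rendering of the SPF TXT record,
# and the record as it should read once the three stray bytes are removed.
DNSCHECKER_OUTPUT = r"\239\187\191v=spf1 a mx include:_spf.elasticemail.com include:emailsrvr.com -all"
CLEAN_SPF = "v=spf1 a mx include:_spf.elasticemail.com include:emailsrvr.com -all"


def decode_presentation(text: str) -> bytes:
    """Reverse RFC 1035 presentation form: \\DDD is one octet given by its decimal
    value, \\X is the literal character X, everything else is taken as-is."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                out.append(int(ddd))          # ValueError if the tool printed > 255
                i += 4
                continue
            out.extend(text[i + 1:i + 2].encode("utf-8"))
            i += 2
            continue
        out.extend(text[i].encode("utf-8"))
        i += 1
    return bytes(out)


def encode_presentation(raw: bytes) -> str:
    """Render raw rdata the way dig and dnschecker do: printable ASCII stays, the
    quote and backslash are escaped with a backslash, every other octet becomes \\DDD."""
    parts = []
    for b in raw:
        if b in (0x22, 0x5C):                 # '"' and '\'
            parts.append("\\" + chr(b))
        elif 0x20 <= b <= 0x7E:
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:03d}")
    return "".join(parts)


def find_invisible(record: str) -> list[tuple[int, str, str]]:
    """List every code point outside printable ASCII with its index and Unicode name.
    SPF, DKIM and DMARC records are pure ASCII, so anything reported here is suspect."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(record)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


def clean_record(record: str) -> str:
    """Cleaning policy assumed by this example: drop format characters (category Cf,
    which covers the BOM and zero-width joiners) and replace exotic spaces (category
    Zs, e.g. NO-BREAK SPACE pasted from a web chat) with a plain space."""
    out = []
    for ch in record:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue
        out.append(" " if cat == "Zs" else ch)
    return "".join(out)


def is_spf(record: str) -> bool:
    """RFC 7208 section 4.5: a TXT record is an SPF record only if it begins with the
    version section 'v=spf1' terminated by a space or the end of the record. A leading
    BOM, invisible or not, fails this test, so the domain looks like it has no SPF."""
    return record == "v=spf1" or record.startswith("v=spf1 ")


def analyze(shown: str) -> dict:
    """Take a TXT record as a lookup tool printed it and report what is really in it."""
    raw = decode_presentation(shown)
    as_utf8 = raw.decode("utf-8", errors="replace")   # what a UTF-8-decoding UI shows
    cleaned = clean_record(as_utf8)
    return {
        "raw_hex": raw.hex(" "),
        "invisible": find_invisible(as_utf8),
        "recognised_as_spf": is_spf(as_utf8),
        "cleaned": cleaned,
        "cleaned_is_spf": is_spf(cleaned),
    }


if __name__ == "__main__":
    for key, value in analyze(DNSCHECKER_OUTPUT).items():
        print(f"{key}: {value}")
    # The cleaned record round-trips through presentation form with no escapes at all.
    print("clean record as dig shows it:", encode_presentation(CLEAN_SPF.encode()))
```

Run it against whatever your own lookup tool prints: if "invisible" is non-empty or "recognised_as_spf" is False while "cleaned_is_spf" is True, the record has exactly the problem described in this thread, and the "cleaned" value is what to paste back into the DNS provider.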