
Email authentication is a crucial part of an email provider's job. The two authentication mechanisms, SPF and DKIM, verify the identity of the sender. DMARC builds on them by checking, through alignment, that the email was sent from a legitimate domain, and by telling receiving servers how to respond to messages that fail the authentication checks. Today we are going to discuss the various scenarios that answer the question of why DMARC is failing.

DMARC is a key component of your email authentication policy that helps prevent forged ("spoofed") emails from passing spam filters. But it is just one pillar of an overall anti-spam program, and not all DMARC reports are created equal: some will tell you the exact action mail receivers took on each message, while others will only tell you whether a message passed or failed. Understanding why a message failed is as important as knowing whether it did. This article explains the most common reasons (some of which can be easily fixed) for which messages fail DMARC authentication checks.

Common Reasons Why Messages Can Fail DMARC

Identifying why DMARC is failing can be complicated. However, I will go over some typical reasons and the factors that contribute to them, so that you, as the domain owner, can work towards rectifying the problem more promptly.

DMARC Alignment Failures

DMARC makes use of domain alignment to authenticate your emails. This means that DMARC verifies the domain in the From address (the visible header) by matching it against the domain in the hidden Return-Path header (for SPF) and against the domain in the DKIM signature header (for DKIM). If either of those identifiers aligns and its corresponding SPF or DKIM check passes, the email passes DMARC; otherwise DMARC fails.

Hence, if your emails are failing DMARC, it can be a case of domain misalignment: neither the SPF nor the DKIM identifier aligns, so the email appears to be sent from an unauthorized source. This, however, is just one of the reasons why DMARC is failing.

DMARC Alignment Mode 

Your protocol alignment mode also plays a huge role in your messages passing or failing DMARC. You can choose from the following alignment modes for SPF authentication:

  • Relaxed: SPF alignment passes if the domain in the Return-Path header and the domain in the From header merely share the same organizational domain.
  • Strict: SPF alignment passes only if the domain in the Return-Path header and the domain in the From header match exactly.

You can choose from the following alignment modes for DKIM authentication:

  • Relaxed: DKIM alignment passes if the domain in the DKIM signature (the d= tag) and the domain in the From header merely share the same organizational domain.
  • Strict: DKIM alignment passes only if the domain in the DKIM signature and the domain in the From header match exactly.

Note that for an email to pass DMARC authentication, either SPF or DKIM needs to pass and align.
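The alignment rules above, worked through in code. This is an added example written for this article, not PowerDMARC's code: it takes the From domain, the SPF result with its Return-Path domain, the DKIM result with its signature domain, and the domain's DMARC record (whose aspf and adkim tags select relaxed or strict mode), and reports the DMARC verdict. The organizational-domain helper is an assumed simplification (last two labels) rather than a Public Suffix List lookup, and all the message scenarios are constructed.

```python
"""DMARC alignment evaluator (added example, not PowerDMARC code)."""


def organizational_domain(domain: str) -> str:
    # Assumption: approximate the organizational domain as the last two labels
    # (mail.example.com -> example.com). Real evaluators use the Public Suffix List
    # so that names like example.co.uk are handled correctly.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; aspf=s; adkim=r' into a tag dict with defaults applied."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")   # relaxed is the default alignment mode
    tags.setdefault("adkim", "r")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if not auth_domain:
        return False   # an unsigned message has no DKIM domain, so it can never align
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(record, from_domain, spf_result, return_path_domain, dkim_result, dkim_domain):
    """Return the DMARC verdict plus which identifier(s) both passed and aligned."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, return_path_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    return {
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "policy": tags["p"],   # what the receiver is asked to do on failure
    }


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's cases.
    record = "v=DMARC1; p=reject; aspf=r; adkim=r"
    # 1. Direct send: Return-Path on a subdomain, DKIM signed by the From domain -> pass on both.
    print(evaluate_dmarc(record, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # 2. Forwarded: SPF fails (forwarder's IP) but DKIM is intact -> pass on DKIM alone.
    print(evaluate_dmarc(record, "example.com", "fail", "bounce.example.com", "pass", "example.com"))
    # 3. Vendor's default signature on the vendor's domain plus an SPF failure -> nothing aligns.
    print(evaluate_dmarc(record, "example.com", "fail", "bounce.example.com", "pass", "mailvendor.example"))
    # 4. Same subdomain Return-Path under aspf=s with no DKIM signature -> strict SPF alignment fails.
    print(evaluate_dmarc("v=DMARC1; p=quarantine; aspf=s", "example.com", "pass", "bounce.example.com", "none", ""))
```

Scenario 3 is the "default DKIM signature" case and scenario 4 shows why switching to strict alignment can turn a passing mail stream into a failing one when bounces go through a subdomain.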

Not Setting Up Your DKIM Signature 

A very common case in which DMARC fails is that you haven't set up a DKIM signature for your domain. In such cases, your email service provider signs your outbound emails with a default DKIM signature whose domain doesn't align with the domain in your From header. The receiving MTA cannot align the two domains, so DKIM fails for your message, and DMARC fails too unless SPF passes and aligns on its own.

Not Adding Sending Sources to Your DNS 

It is important to note that when you set up DMARC for your domain, receiving MTAs perform DNS queries to verify that your sending sources are authorized. This means that unless all your authorized sending sources are listed in your domain's DNS, emails from the unlisted sources will fail DMARC, since the receiver cannot find them in your DNS. Hence, to ensure that your legitimate emails are always delivered, be sure to add entries in your DNS for every third-party email vendor that is authorized to send emails on behalf of your domain.

In Case of Email Forwarding

During email forwarding, the email passes through an intermediary server before it is ultimately delivered to the receiving server. The SPF check fails during forwarding because the IP address of the intermediary server doesn't match that of the original sending server, and this new IP address is usually not included in the original domain's SPF record. Forwarding, on the other hand, usually doesn't affect DKIM authentication, unless the intermediary server or the forwarding entity alters the content of the message.

Since SPF inevitably fails during email forwarding, if the sending source is not DKIM-signed and relies solely on SPF for validation, the forwarded email will be judged illegitimate during DMARC authentication. To resolve this issue, you should opt for full DMARC compliance at your organization by authenticating and aligning all outgoing messages with both SPF and DKIM, because for an email to pass DMARC, it needs to pass either SPF or DKIM authentication and alignment.
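The two previous sections (an unlisted sending source, and a forwarder connecting from an IP that is not in the record) both come down to how a receiver evaluates an SPF record against the connecting IP. The following added example, written for this article and not PowerDMARC's code, evaluates a constructed SPF record offline. The DNS data is an assumed in-memory table; the ip4, ip6, a, include and all mechanisms are modelled, while mx, ptr, exists, macros and the ten-lookup limit from RFC 7208 are deliberately left out.

```python
"""Offline SPF evaluation over a constructed DNS table (added example, not PowerDMARC code)."""
import ipaddress

# Constructed DNS data: the domain's own SPF record, a third-party vendor's include, and an A record.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example a:mx1.example.com -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 -all",
}
DNS_A = {"mx1.example.com": ["192.0.2.10"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf_terms(domain: str):
    """Return the mechanism list of the domain's SPF record, or None if none is published."""
    txt = DNS_TXT.get(domain.lower().rstrip("."))
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the record for sender_ip and return an RFC 7208 result string."""
    if depth > 10:
        return "permerror"   # runaway include chain
    terms = lookup_spf_terms(domain)
    if terms is None:
        return "none"        # the domain publishes no SPF record
    addr = ipaddress.ip_address(sender_ip)
    for term in terms:
        qualifier = "+"      # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # an IPv4 address is never inside an IPv6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = (arg or domain).lower()
            matched = any(addr == ipaddress.ip_address(a) for a in DNS_A.get(host, []))
        elif name == "include":
            # include matches only when the referenced record itself yields "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"   # mx, ptr, exists and redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # fell off the end of the record without a match


def forwarding_scenario() -> dict:
    """The same message seen from different connecting IPs (all addresses constructed)."""
    return {
        "direct_from_origin": check_spf("example.com", "203.0.113.5"),    # listed ip4 range
        "via_vendor_include": check_spf("example.com", "198.51.100.7"),   # vendor's include
        "via_forwarder": check_spf("example.com", "192.0.2.99"),          # forwarder's IP, unlisted
    }


if __name__ == "__main__":
    for hop, result in forwarding_scenario().items():
        print(f"{hop}: spf={result}")
```

The forwarder case returns "fail" because the record ends in -all; with ~all it would be "softfail". Either way the SPF identifier cannot carry DMARC for that message, which is why the DKIM signature has to survive the forwarding hop.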

Your Domain is Being Spoofed

If your DMARC, SPF and DKIM protocols are properly configured for your domain, with your policy at enforcement and valid, error-free records, and the problem isn't any of the above-mentioned cases, then the most probable reason why your emails are failing DMARC is that your domain is being spoofed or forged. This is when impersonators and threat actors send emails that appear to come from your domain, from an IP address you haven't authorized.

Recent email fraud statistics show that email spoofing cases are on the rise and are a major threat to your organization's reputation. In such cases, if you have DMARC implemented with a reject policy, the spoofed email will fail DMARC and will not be delivered to your recipient's inbox. Hence domain spoofing is the answer to why DMARC is failing in most cases.

We recommend that you sign up with our free DMARC Analyzer and start your journey of DMARC reporting and monitoring.

  • With a none policy, you can monitor your domain with DMARC (RUA) aggregate reports and keep a close eye on your inbound and outbound emails; this will help you respond to any unwanted delivery issues
  • After that, we help you shift to an enforced policy that will ultimately aid you in gaining immunity against domain spoofing and phishing attacks
  • You can take down malicious IP addresses and report them directly from the PowerDMARC platform, with the help of our Threat Intelligence engine, to evade future impersonation attacks
  • PowerDMARC's DMARC (RUF) forensic reports help you gain detailed information about cases where your emails have failed DMARC, so that you can get to the root of the problem and fix it

Prevent domain spoofing and monitor your email flow with PowerDMARC, today!

When an email is sent directly from the sending server to the receiving server, SPF and DKIM (if set up correctly) authenticate the email normally and usually validate it effectively as legitimate or unauthorized. However, that is not the case if the email passes through an intermediary mail server before it is delivered to the recipient, as with forwarded messages. This blog post takes you through the impact of email forwarding on DMARC authentication results.

As we already know, DMARC makes use of two standard email authentication protocols, namely SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), to validate inbound messages. Let’s discuss them in brief to get a better understanding of how they function before hopping on to how forwarding can affect them.

Sender Policy Framework

SPF is present in your DNS as a TXT record listing all the sources that are authorized to send emails from your domain. Every email that leaves your domain carries the IP address of the server that sent it, and the servers and email service providers your domain uses are listed in your DNS in the SPF record. The receiver's mail server validates the sending IP address against your SPF record and accordingly marks the email as SPF pass or fail.

DomainKeys Identified Mail

DKIM is a standard email authentication protocol in which the sender attaches a cryptographic signature, created with a private key, to each email; the receiving server retrieves the corresponding public key from the sender's DNS to verify the signature and authenticate the message. Much like SPF, the DKIM public key exists as a TXT record in the DNS of the domain owner.

The Impact of Email Forwarding on Your DMARC Authentication Results

During email forwarding, the email passes through an intermediary server before it is ultimately delivered to the receiving server. First, it is important to realize that email forwarding can happen in two ways: emails can be manually forwarded, which does not affect the authentication results, or they can be automatically forwarded, in which case authentication does take a hit if the domain's SPF record doesn't include the intermediary sending source.

During email forwarding the SPF check usually fails, since the IP address of the intermediary server doesn't match that of the sending server, and this new IP address is usually not included in the original server's SPF record. Forwarding, on the other hand, usually doesn't affect DKIM authentication, unless the intermediary server or the forwarding entity alters the content of the message.

Note that for an email to pass DMARC authentication, it needs to pass either SPF or DKIM authentication and alignment. Since SPF inevitably fails during email forwarding, if the sending source is not DKIM-signed and relies solely on SPF for validation, the forwarded email will be judged illegitimate during DMARC authentication.

The solution? Simple. You should immediately opt for full DMARC compliance at your organization by authenticating and aligning all outgoing messages with both SPF and DKIM!

Achieving DMARC Compliance with PowerDMARC

It is important to note that in order to achieve DMARC compliance, emails need to be authenticated with SPF, DKIM or both. However, if forwarded messages are not validated with DKIM and rely only on SPF for authentication, DMARC will inevitably fail, as discussed in the previous section. This is why PowerDMARC helps you achieve complete DMARC compliance by aligning and authenticating emails with both SPF and DKIM. In this way, even if legitimate forwarded messages fail SPF, the DKIM signature can be used to validate them, so the email passes DMARC authentication and lands in the receiver's inbox.

Exceptional Cases: DKIM Fail and How to Resolve It?

In certain cases, the forwarding entity may alter the mail body, for example by adjusting MIME boundaries, running anti-virus programs that modify the message, or re-encoding the message. In such cases, both SPF and DKIM authentication fail and legitimate emails do not get delivered.

In case both SPF and DKIM fail, PowerDMARC is able to identify and display that in its detailed aggregate views, and protocols such as Authenticated Received Chain (ARC) can be leveraged by mail servers to authenticate such emails. In ARC, the Authentication-Results seen at each hop are passed on to the next 'hop' in the message delivery path, which mitigates authentication issues caused by email forwarding.

In the case of a forwarded message, when the receiver's email server receives a message that has failed DMARC authentication, it validates the email a second time against the Authenticated Received Chain provided with the email, extracting the ARC-Authentication-Results of the initial hop to check whether the message was validated as legitimate before the intermediary server forwarded it.
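What that second look at the chain amounts to, as an added example written for this article (not PowerDMARC's code). The headers are constructed for a message forwarded once: the forwarder added ARC instance i=1 recording the results it saw on arrival, and the final receiver's own Authentication-Results show SPF and DKIM failing after the hop. The example assumes the receiving MTA has already verified the ARC-Seal signatures and recorded that as arc=pass; no cryptography is done here. The TRUSTED_SEALERS set is an assumed local policy, since a receiver should only let a chain override DMARC when it trusts the sealing forwarder.

```python
"""Reading an ARC chain on a forwarded message (added example, not PowerDMARC code)."""
import re

# Assumption: sealers whose ARC claims this receiver is willing to trust (local policy, constructed).
TRUSTED_SEALERS = {"forwarder.example"}

# Constructed headers for a message that was forwarded once. Instance i=1 was added by the
# forwarder; the final receiver's own Authentication-Results show spf=fail (connecting IP was
# the forwarder's) and dkim=fail (a footer was appended in transit), but the seals verified.
FORWARDED_MESSAGE_HEADERS = [
    ("Authentication-Results",
     "mail.receiver.example; spf=fail smtp.mailfrom=bounce.example.com; "
     "dkim=fail header.d=example.com; dmarc=fail header.from=example.com; arc=pass"),
    ("ARC-Seal", "i=1; a=rsa-sha256; t=1700000000; cv=none; d=forwarder.example; s=arc; b=<constructed>"),
    ("ARC-Message-Signature",
     "i=1; a=rsa-sha256; d=forwarder.example; s=arc; h=from:to:subject; bh=<constructed>; b=<constructed>"),
    ("ARC-Authentication-Results",
     "i=1; forwarder.example; spf=pass smtp.mailfrom=bounce.example.com; "
     "dkim=pass header.d=example.com; dmarc=pass header.from=example.com"),
]

# Constructed: the same failing message arriving with no ARC headers at all.
UNSEALED_HEADERS = [
    ("Authentication-Results",
     "mail.receiver.example; spf=fail smtp.mailfrom=bounce.example.com; "
     "dkim=fail header.d=example.com; dmarc=fail header.from=example.com; arc=none"),
]


def parse_results(value: str) -> dict:
    """Split an (ARC-)Authentication-Results or ARC-Seal value into instance, authserv-id and tags."""
    out = {"instance": None, "authserv_id": None, "tags": {}}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        m = re.match(r"^(\w+)=(\S+)", part)
        if m is None:
            out["authserv_id"] = part.split()[0]     # e.g. "mail.receiver.example"
        elif m.group(1) == "i":
            out["instance"] = int(m.group(2))        # ARC instance number
        else:
            out["tags"][m.group(1)] = m.group(2)     # spf=fail, dmarc=pass, cv=none, d=...
    return out


def decide(headers) -> dict:
    """Delivery decision for a message whose local DMARC check has already run."""
    own = next(parse_results(v) for n, v in headers if n.lower() == "authentication-results")
    local = own["tags"].get("dmarc", "none")
    if local == "pass":
        return {"local_dmarc": local, "decision": "accept", "reason": "DMARC passed at this hop"}
    seals = [parse_results(v) for n, v in headers if n.lower() == "arc-seal"]
    aars = [parse_results(v) for n, v in headers if n.lower() == "arc-authentication-results"]
    if own["tags"].get("arc") != "pass" or not seals or not aars:
        return {"local_dmarc": local, "decision": "apply_policy", "reason": "no validated ARC chain"}
    if any(s["tags"].get("cv") == "fail" for s in seals):
        return {"local_dmarc": local, "decision": "apply_policy", "reason": "chain carries cv=fail"}
    if not all(s["tags"].get("d") in TRUSTED_SEALERS for s in seals):
        return {"local_dmarc": local, "decision": "apply_policy", "reason": "untrusted sealer in chain"}
    first = min(aars, key=lambda r: r["instance"])   # the hop closest to the origin
    original = first["tags"].get("dmarc", "none")
    if original == "pass":
        return {"local_dmarc": local, "original_dmarc": original, "decision": "accept",
                "reason": f"i={first['instance']} ({first['authserv_id']}) saw dmarc=pass before forwarding"}
    return {"local_dmarc": local, "original_dmarc": original, "decision": "apply_policy",
            "reason": "message had already failed DMARC before it was forwarded"}


if __name__ == "__main__":
    print(decide(FORWARDED_MESSAGE_HEADERS))
    print(decide(UNSEALED_HEADERS))
```

The chain only helps when the earliest hop recorded dmarc=pass: a message that was already spoofed when the forwarder received it stays failed, and an untrusted sealer or a cv=fail seal sends the receiver straight back to the domain's published DMARC policy.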

So sign up with PowerDMARC today, and achieve DMARC compliance at your organization!