Join Log in
Score:1
avatar Server

DMARC failure for delivery report

us flag
andi

I have a Docker-based mail server (Mailu) setup. It's working great except for delivery reports which are sent automatically (one of the user mailboxes is full and a "Quota exceeded" notification is sent to the sender).

The reports are rejected by the recipient due to DMARC failure:

This is an email abuse report for an email message received from IP xxx.xxx.xxx.xxx on Tue, 28 Sep 2021 05:16:31 +0000. The message below did not meet the sending domain's dmarc policy.

The header of the rejected message:

Feedback-Type: auth-failure
User-Agent: Lua/1.0
Version: 1.0
Original-Mail-From: 
Original-Rcpt-To: [email protected]
Arrival-Date: Tue, 28 Sep 2021 05:16:31 +0000
Message-ID: <[email protected]>
Authentication-Results: dmarc=fail (p=reject; dis=reject) header.from=domainB.com
Source-IP: xxx.xxx.xxx.xxx
Delivery-Result: reject
Auth-Failure: dmarc
Reported-Domain: domainB.com

The mailserver runs on mail.domainB.com, has domainA.com configured, and the email is sent to [email protected].

SPF is configured for both domains:

  • Domain A: v=spf1 a mx include:domainB.com -all
  • Domain B: v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:relay.mailchannels.net -all

DMARC for both: v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];adkim=s;aspf=s;fo=1;

MX for both domains is mail.domainB.com and the PTR record for the IP "xxx.xxx.xxx.xxx" points to srv.domainB.com. All domains run on and point to the same server.

I suspect a DNS/DMARC configuration error but I can't point it out. Do I need to include the domain domainB.com in the SPF as well (see header.form).

Edit: Some messages contain a message body (in addition to the header above):

Received-SPF: None (no SPF record) identity=no SPF record; client-ip=xxx.xxx.xxx.xxx; helo=mail.domainB.com; envelope-from=<>; receiver=<UNKNOWN> 
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.hostpark.net F224D16527
Received: by mail.domainB.com (Postfix)
    id 61B3BDFF1; Wed, 29 Sep 2021 06:16:50 +0000 (UTC)
Date: Wed, 29 Sep 2021 06:16:50 +0000 (UTC)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="25F89DFEB.1632896210/mail.domainB.com"
Message-Id: <[email protected]>

Could anyone point me in the right direction? Much appreciated, thanks!

107
0 + 0
spf
sebix avatar
ie flag
sebix
`the email is sent to [email protected]` I assume the mail is sent *from* [email protected] *to* [email protected]?
0
Reply
us flag
andi
@sebix The original email was some email from Linkedin. As the user mailbox is full, the mailserver (Mailu) sends a bounce back to `[email protected]`. Per definition the FROM of the bounce is empty I assume or `domainA.com` as `header.form` let's suspect. As it fails DMARC that bounce get's rejected.
0
Reply
Score:1
avatar Server
us flag
andi

The fix appeared to be quite easy. The SPF record had more than 10 lookups and therefore it was synthetically correct but was interpreted as invalid. The solution was to remove one of the include:.

0 + 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.