Join Log in
Score:0
Bob5421 avatar Server

How can it be possible dkim fails whereas spf pass

hm flag
Bob5421

I have set up a postfix which sends emails.

I have configure spf, dkim and dmarc (with p=none).

I have checked with mail-tester: spf and dkim work fine.

I have set up a dmarc rua in order to receive dmarc reports.

I have seen something strange in rua reports:

Sometimes SPF and DKIM are OK.

And sometimes DKIM fails (whereas SPF is good). My question is: How can this be possible ?

Thanks

131
0 + 0
spf
Paul avatar
cn flag
Paul
There can be many reasons for this, so more information is required to answer your question. Does the RUA report fail only with specific receiving servers? Does it ever pass with those servers? See if you can get a user account there and send emails to see why DKIM fails. Does all of your mail get sent by the same server? You might have a server sending mail that isn't configured correctly.
1
Reply
Bob5421 avatar
hm flag
Bob5421
It is specific for some receiving server. But it works for other servers. I don't know how dkim can work on some receiving server and not on other. If my dkim configuration was wrong it will never work, for any server. Thanks
0
Reply
vn flag
ceejayoz
@Bob5421 Consider providing examples with the full output, with headers, of a simple test email to a recipient that works, and one that does not.
3
Reply
Paul avatar
cn flag
Paul
Ideally, you get the headers of the email that is failing the test.
1
Reply
Tilman Schmidt avatar
bd flag
Tilman Schmidt
"If my dkim configuration was wrong it will never work, for any server." This statement is patently wrong. There are configuration problems which may break DKIM selectively for some but not all receiving servers.
3
Reply
Score:2
Tilman Schmidt avatar Server
bd flag
Tilman Schmidt

SPF and DKIM are completely different mechanisms which can fail independently. SPF checks whether the host delivering a message is allowed to send mail with that sender domain. DKIM checks whether the mail was authorized by the domain owner.

So all four OK/FAIL combinations are possible:

  • SPF ok, DKIM ok: The mail is delivered to its destination by a server that is authorized to send mail from that domain, and its DKIM signature validates correctly.
  • SPF ok, DKIM fail: The mail is delivered by an authorized server but validation of its DKIM signature fails, for example because the key is invalid or unavailable.
  • SPF fail, DKIM ok: The mail's DKIM signature validates correctly but the sending server is not authorized to deliver it, for example because it has been forwarded.
  • SPF fail, DKIM fail: The mail is neither coming from an authorized sending server nor does its DKIM signature validate, for example because its sender domain is spoofed.
0 + 0
occasl avatar
nl flag
occasl
What do mail servers do in the case of bullets 2 and 3? If one passes, is that enough? We see a lot of quarantining when sending to Microsoft Exchange, in the case of 3; however, other mail servers are fine. Could that be the reason why?
0
Reply
Tilman Schmidt avatar
bd flag
Tilman Schmidt
For most mail server software this is configurable, so everything is possible.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.