09-20-2022 08:19 AM
Why is the DKIM alignment "false" in the DMARC check although the DKIM check itself results in a pass?
Here is an example:
From header: Microsoft Azure <azure-noreply@microsoft.com>
Mon Sep 19 15:59:36 2022 Info: MID 93466907 SPF: mailfrom identity azure-noreply@microsoft.com Pass (v=spf1)
Mon Sep 19 15:59:36 2022 Info: MID 93466907 DKIM: pass signature verified (d=microsoft.com s=s1024-meo i=azure-noreply@microsoft.com)
Mon Sep 19 15:59:36 2022 Info: MID 93466907 DMARC: Message from domain microsoft.com, DMARC pass (SPF aligned True, DKIM aligned False)
Another example where the DKIM result and the DMARC-DKIM alignment are congruent:
From header: MxToolBox <noreply@mxtoolbox.com>
Mon Sep 19 09:12:44 2022 Info: MID 93428189 SPF: mailfrom identity bounce+19864e.9c403-sven=endoo.ch@mxtoolbox.com Pass (v=spf1)
Mon Sep 19 09:12:44 2022 Info: MID 93428189 DKIM: pass signature verified (d=mxtoolbox.com s=mailo i=@mxtoolbox.com)
Mon Sep 19 09:12:44 2022 Info: MID 93428189 DMARC: Message from domain mxtoolbox.com, DMARC pass (SPF aligned True, DKIM aligned True)
Looks like a bug to me.
Best regards
Stefan
09-29-2022 03:45 AM
Hello Stefan,
As far as I know, DMARC will pass when SPF or DKIM passes. In your example of Microsoft.com, SPF passed, so DMARC will also pass.
Read https://www.sparkpost.com/blog/dmarc-howto/ about this. It says:
In order for a message to pass DMARC validation, the message must pass only one of the two authentication and alignment checks. So, a message will pass DMARC validation if any of the following are true:
- The message passes SPF checks and the RFC5322.From domain and Return-Path domain are in alignment, or
- The message passes DKIM validation and the RFC5322.From domain and DKIM d= domain are in alignment, or
- Both of the above are true
Kind regards,
Arjan
10-10-2022 06:45 AM
Sorry Arjan,
you're right, but this is not the point.
Both checks (SPF + DKIM) passed.
But in the 1st example, DMARC shows SPF as True and DKIM as False.
Same check results in the 2nd example: SPF + DKIM passed.
DMARC shows SPF and DKIM as True.
The same check results as before, but different output in DMARC? I don't think what DMARC shows is OK.
We planned to use the authentication header for further rules, but if the results in this header are incorrect, we can't use them.
Regards
Stefan
10-11-2022 02:12 AM
Hello Stefan,
I see, I thought that DKIM was not aligned in both cases. I read the post too quickly...
06-27-2024 01:55 AM
Very old post, but I've been going round in circles with this for a few days: DKIM 100% aligned, log says verified, but then the DMARC check says not aligned for DKIM, even though the domain 100% matches.
TAC came up with this
CSCvn65193 : Bug Search Tool (cisco.com)
Symptom: Dmarc Verification process skips checking alignment for DKIM if SPF passed and aggregate reports are not enabled. A mail log entry contains confusing information that 'DKIM aligned False'. The information about the skipped check is only seen at Debug level for mail logs.
A confusing log entry:
Tue Dec 11 14:18:30 2018 Info: MID 346 DKIM: pass signature verified (d=ciscolab.local s=taclab i=@ciscolab.local)
Tue Dec 11 14:18:30 2018 Info: MID 346 DMARC: Message from domain ciscolab.local, DMARC pass (SPF aligned True, DKIM aligned False )
Tue Dec 11 14:18:30 2018 Info: MID 346 DMARC: Verification passed
Conditions: Sending aggregate reports not enabled for DMARC and both SPF and DKIM verification pass.
Workaround: Enable Sending aggregate reports under Mail Flow Policy or enable new Mail Log subscription at Debug level.
Further Problem Description: No real impact, only a confusing log entry. The exact reason can be verified at Debug level within your mail logs.
looks like enabling aggregate reports for the mail flow profile will fix it.
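Added example (not part of any post in this thread and not Cisco code): a Python check over mail log lines that flags the pattern described in CSCvn65193, where DKIM verified with a d= equal to the From domain and SPF aligned, yet the DMARC line reports "DKIM aligned False". The function name and the MID 1001 lines are constructed for illustration; the other sample lines are the ones quoted in the first post.

```python
import re
from collections import defaultdict

# DKIM/DMARC lines for the first two MIDs are quoted from this thread;
# MID 1001 is constructed to show a genuinely unaligned signature.
SAMPLE_LOG = """\
Mon Sep 19 15:59:36 2022 Info: MID 93466907 DKIM: pass signature verified (d=microsoft.com s=s1024-meo i=azure-noreply@microsoft.com)
Mon Sep 19 15:59:36 2022 Info: MID 93466907 DMARC: Message from domain microsoft.com, DMARC pass (SPF aligned True, DKIM aligned False)
Mon Sep 19 09:12:44 2022 Info: MID 93428189 DKIM: pass signature verified (d=mxtoolbox.com s=mailo i=@mxtoolbox.com)
Mon Sep 19 09:12:44 2022 Info: MID 93428189 DMARC: Message from domain mxtoolbox.com, DMARC pass (SPF aligned True, DKIM aligned True)
Mon Sep 19 10:00:00 2022 Info: MID 1001 DKIM: pass signature verified (d=mailer.example.net s=sel1 i=@mailer.example.net)
Mon Sep 19 10:00:00 2022 Info: MID 1001 DMARC: Message from domain example.com, DMARC pass (SPF aligned True, DKIM aligned False)
"""

LINE_RE = re.compile(r"Info: MID (\d+) (DKIM|DMARC): (.*)$")
DKIM_RE = re.compile(r"pass signature verified \(d=([^\s)]+)")
DMARC_RE = re.compile(r"Message from domain ([^,\s]+), DMARC \w+ "
                      r"\(SPF aligned (True|False), DKIM aligned (True|False)\s*\)")

def misleading_dkim_alignment(log_text):
    """Return MIDs logged as 'DKIM aligned False' although a verified DKIM
    signature has d= equal to the From domain and SPF is aligned."""
    dkim_domains = defaultdict(set)  # MID -> d= values of verified signatures
    verdicts = {}                    # MID -> (from_domain, spf_aligned, dkim_aligned)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        mid, kind, rest = m.groups()
        if kind == "DKIM":
            d = DKIM_RE.search(rest)
            if d:
                dkim_domains[mid].add(d.group(1).lower())
        else:
            v = DMARC_RE.search(rest)
            if v:
                verdicts[mid] = (v.group(1).lower(), v.group(2) == "True", v.group(3) == "True")
    # An exact d= match is aligned in both strict and relaxed mode, so a logged
    # False next to an aligned SPF result matches the skipped-check log pattern.
    return [mid for mid, (dom, spf_ok, dkim_ok) in verdicts.items()
            if spf_ok and not dkim_ok and dom in dkim_domains[mid]]

if __name__ == "__main__":
    print(misleading_dkim_alignment(SAMPLE_LOG))
```

MIDs returned by this check are candidates for the skipped-check log entry rather than a real alignment failure; the Debug-level mail log mentioned in the bug description is where the actual reason is recorded.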