DMARC - SPF permerror, DKIM ignored?

meliux
Level 1

Seeing an odd issue with a particular mail provider... they currently have a broken SPF record (syntax error due to an errant space character). 

In the mail logs I'm seeing evidence of the SPF check being done, but then it goes straight on to performing the DMARC verification. By rights there should also be a DKIM check prior to DMARC being called - the message does have a perfectly valid DKIM signature present in the headers.

Logs:

Wed Feb 13 09:03:07 2019 Info: MID 8323655 SPF: identity mailfrom spf record of bounce.3rdparty.com has invalid format
Wed Feb 13 09:03:07 2019 Info: MID 8323655 SPF: mailfrom identity bounces+user=mydomain.com.au@bounce.3rdparty.com PermError (v=spf1) 
Wed Feb 13 09:03:11 2019 Info: MID 8323655 SPF: pra identity user@mydomain.com.au None headers sender
Wed Feb 13 09:03:11 2019 Info: MID 8323655 DMARC: Message from domain mydomain.com.au, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is quarantine, applied policy is none 
Wed Feb 13 09:03:11 2019 Info: MID 8323655 DMARC: Verification failed.
Wed Feb 13 09:03:11 2019 Info: MID 8323655 DMARC: No action taken by DMARC policy.	

We have SPF+DKIM+DMARC working perfectly fine with this provider when their email is sourced through other delivery networks with valid SPF, and it certainly works fine with other providers we partner with.

 

Am I missing something? Do I have a configuration setting somewhere causing this behaviour? 

I've seen in the email pipeline picture that SPF and DKIM verification is handled together (by the same engine?) and wondering whether a syntax error in either part will cause the process to abort. 

cheers. 

1 Reply

ppreenja
Cisco Employee
Hi Meliux,

I believe that the DKIM record for the domain must be in test mode, i.e. the sending domain has the testing flag enabled.

In that scenario, we don't see any information on the DKIM in the mail logs or message tracking. Keeping this in mind, the ESA hits a known defect; you can view information about the defect at the following link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc97786/

It is an enhancement request to add log entries and message tracking entries when the DKIM signature is in test mode.

I hope the above information helps!

Cheers,
Pratham
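
A log check for the symptom discussed in this thread, added here as an example (it is not part of the original posts and not Cisco tooling): it groups mail log lines by MID and lists messages that have a DMARC verdict but no DKIM log entry at all. The first sample message is taken from the log lines quoted in the question; the second message, including the shape of its DKIM line, is constructed for contrast.

```python
import re
from collections import defaultdict

# "MID <id> <CHECK>: ..." prefix, as seen in the log lines quoted in the question.
LINE_RE = re.compile(r"MID (\d+) (SPF|DKIM|DMARC): (.*)")
# Alignment summary carried on the DMARC verdict line.
ALIGN_RE = re.compile(r"SPF aligned (True|False), DKIM aligned (True|False)")

def summarize(lines):
    """Group log lines by MID: which checks were logged, and DMARC alignment."""
    mids = defaultdict(lambda: {"checks": set(), "spf_aligned": None,
                                "dkim_aligned": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an SPF/DKIM/DMARC line
        mid, check, rest = m.groups()
        entry = mids[mid]
        entry["checks"].add(check)
        aligned = ALIGN_RE.search(rest)
        if check == "DMARC" and aligned:
            entry["spf_aligned"] = aligned.group(1) == "True"
            entry["dkim_aligned"] = aligned.group(2) == "True"
    return dict(mids)

def dmarc_without_dkim_log(lines):
    """MIDs with a DMARC verdict logged but no DKIM entry (the thread's symptom)."""
    return sorted(mid for mid, e in summarize(lines).items()
                  if "DMARC" in e["checks"] and "DKIM" not in e["checks"])

SAMPLE = [
    # From the question: SPF PermError, no DKIM line, DMARC fail.
    "Wed Feb 13 09:03:07 2019 Info: MID 8323655 SPF: mailfrom identity "
    "bounces+user=mydomain.com.au@bounce.3rdparty.com PermError (v=spf1)",
    "Wed Feb 13 09:03:11 2019 Info: MID 8323655 DMARC: Message from domain "
    "mydomain.com.au, DMARC fail, (SPF aligned False, DKIM aligned False) "
    "DMARC policy is quarantine, applied policy is none",
    # Constructed for contrast: a message where a DKIM line is present.
    "Wed Feb 13 09:05:00 2019 Info: MID 9000001 SPF: mailfrom identity "
    "sender@example.org Pass (v=spf1)",
    "Wed Feb 13 09:05:00 2019 Info: MID 9000001 DKIM: pass signature verified "
    "(d=example.org s=sel1 i=@example.org)",
    "Wed Feb 13 09:05:01 2019 Info: MID 9000001 DMARC: Message from domain "
    "example.org, DMARC pass (SPF aligned True, DKIM aligned True)",
]

if __name__ == "__main__":
    for mid in dmarc_without_dkim_log(SAMPLE):
        print(f"MID {mid}: DMARC verdict logged without any DKIM entry")
```

A MID reported here is a candidate for checking the signing domain's DKIM key record for the testing flag mentioned in the reply above.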