DMARC/SPF/DKIM not authenticating with third-party mail


Problem description

We recently implemented a DMARC record for our domain:

"v=DMARC1; p=quarantine; pct=100; rua=mailto:me@mydomain.com"

(quarantine 100% of non-authenticated emails and send aggregate report to "me")

We use a third-party vendor to issue invites. The vendor sends email from invites@invites.vendordomain.com which is then sent through a mail relay "smtp3.mailrelaydomain.it". I also know that the mail relay uses a single ip address.

That address is included in our SPF record:

"v=spf1 ...[SNIP reference for other mail servers SNIP]... ip4:[ip address for the mail relay] ~all"

When I send an invite using the vendor's service, the message is quarantined.

When I view the aggregate DMARC report I see that the invite:

  • is recognized as being from an SPF-Authorized Server
  • passes raw SPF authentication for the sender's domain (invites@invites.vendordomain.com)
  • passes raw DKIM authentication for the mail relay domain (smtp3.mailrelaydomain.it)
  • fails DMARC authentication for both DKIM and SPF for mydomain

Here are sample headers from an invite.

BEGIN SAMPLE EMAIL HEADER

Delivered-To: someone@mydomain.com
Received: by 10.64.252.9 with SMTP id zo9csp100581iec;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
X-Received: by 10.55.195.147 with SMTP id r19mr12995508qkl.12.1445452813709;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
Return-Path: <invites@invites.vendordomain.com>
Received: from smtp3.mailrelaydomain.it (smtp3.mailrelaydomain.it. [ip for mail relay])
        by mx.google.com with ESMTP id w15si9297939qha.131.2015.10.21.11.40.13
        for <someone@mydomain.com>;
        Wed, 21 Oct 2015 11:40:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of invites@invites.vendordomain.com designates [mail relay ip] as permitted sender) client-ip=[mail relay ip];
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of invites@invites.vendordomain.com designates [mail relay ip] as permitted sender) smtp.mailfrom=invites@invites.vendordomain.com;
       dkim=pass header.i=@mailrelaydomain.it;
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=mydomain.com
Received: from FS-S05.vendorparentdomain.com (unknown [vendor parent ip])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by smtp3.mailrelaydomain.it (Postfix) with ESMTPSA id 23387A0CBC
    for <someone@mydomain.com>; Wed, 21 Oct 2015 15:07:35 -0400 (EDT)
DKIM-Signature: [DKIM Content]
Content-Type: multipart/alternative;
 boundary="===============2166944298367943586=="
MIME-Version: 1.0
Subject: Please take our survey
From: Me <me@mydomain.com>
To: Someone Else <someone@mydomain.com>
Cc: 
Date: Wed, 21 Oct 2015 18:39:48 -0000
Message-ID: <20151021183948.27448.90706@FS-S05.vendorparentdomain.com>
List-Unsubscribe: [unsubscribe link],
 <mailto:invites@invites.vendordomain.com>
Reply-To: Me <me@mydomain.com>
X-Sender: invites@invites.vendordomain.com

I believe the issue is related to the from domain in the message not matching the domain for the message envelope; however, the vendor is unable to change their settings (i.e., envelope will always be from the vendor domain) so any chance of this working with DMARC will have to come from my end.

Knowing that the SPF record can (and does) identify the invite as being from an SPF-Authorized Server, are there any other settings or records I can add to also ensure DMARC authentication for invites from the vendor?

Having read several online articles and "DMARC -spf and DKIM record queries" I suspect I am out of luck, but need to ask the question plainly/specifically for my situation just to be sure.

Thanks

Solution

You are correct, you are out of luck unless the vendor can change something. What is failing is Identifier Alignment - https://tools.ietf.org/html/rfc7489#section-3.1 - because what is being authenticated (invites.vendordomain.com via SPF) does not align to the domain the user sees (me@mydomain.com) and the message then, correctly, fails DMARC.

There are three options:

  • Stop sending with a From: header of your domain at the vendor; you can still use a Reply-To: header with your own address.

  • Have the vendor align the mail from to your domain. If they don't do this they can't pass DMARC, and at some point they will want to pass DMARC or people will find other solutions. You can have them send with an envelope from of vendorname.mydomain.com and you can set up an MX for that subdomain that points to them to support bounce processing. This has been BCP for a while.

  • Have the vendor sign with DKIM and use an aligned DKIM signature. This is also best common practice. You only need SPF or DKIM to pass, and DKIM passes are more valuable (because they survive forwarding in many cases) than SPF, so this is the option I would personally prioritize if I were you.

Back in like 2012 and 2013 a lot of vendors pushed back against both of these options, but I honestly haven't seen a vendor in a long time (I spend 100% of my day job on DMARC) that won't support at least aligned DKIM.
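The identifier-alignment rule the answer points to, and the reason the question's headers fail it, can be checked mechanically. The script below is an added example and is not code from the question, the answer or any DMARC project. It pulls the RFC5322.From domain and the SPF/DKIM results out of the sample Authentication-Results header, applies the alignment mode from the question's DMARC record (relaxed, since the record sets no aspf/adkim tags), and then re-runs the check against two constructed header variants that model the answer's second and third remedies: an envelope sender under vendorname.mydomain.com, and a DKIM signature with d=mydomain.com. The vendorname.mydomain.com envelope, the d=mydomain.com signature and the strict record are assumptions for illustration, and the Organizational Domain is approximated as the last two labels (a real evaluator uses the Public Suffix List).

```python
"""DMARC identifier alignment check (RFC 7489 section 3.1).

Added example, not code from the original question or answer. Parses the
From domain and SPF/DKIM results from a header block, applies the alignment
mode from a DMARC record, and reports whether DMARC would pass. Header and
record values are constructed from the post; its placeholders such as
"[mail relay ip]" are left in place.
"""
import email
import email.utils
import re

# Constructed sample: the headers from the question that DMARC evaluation needs.
SAMPLE_HEADERS = """\
Return-Path: <invites@invites.vendordomain.com>
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of invites@invites.vendordomain.com designates [mail relay ip] as permitted sender) smtp.mailfrom=invites@invites.vendordomain.com;
       dkim=pass header.i=@mailrelaydomain.it;
       dmarc=fail (p=QUARANTINE dis=QUARANTINE) header.from=mydomain.com
From: Me <me@mydomain.com>
To: Someone Else <someone@mydomain.com>
Subject: Please take our survey

"""

# The question's DMARC record (relaxed alignment, as no aspf/adkim is set)
# and a constructed strict variant for comparison.
DMARC_RECORD = "v=DMARC1; p=quarantine; pct=100; rua=mailto:me@mydomain.com"
STRICT_RECORD = "v=DMARC1; p=quarantine; aspf=s; adkim=s"

# Constructed variants modelling the answer's remedies: an envelope sender under
# a subdomain of mydomain.com (hypothetical vendorname.mydomain.com), and a DKIM
# signature whose d= is mydomain.com. Only the vendor could actually do either.
ALIGNED_ENVELOPE = SAMPLE_HEADERS.replace(
    "smtp.mailfrom=invites@invites.vendordomain.com",
    "smtp.mailfrom=invites@vendorname.mydomain.com")
ALIGNED_DKIM = SAMPLE_HEADERS.replace(
    "header.i=@mailrelaydomain.it", "header.d=mydomain.com")


def parse_dmarc_record(record):
    """Split a DMARC TXT record into tag=value pairs; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    return tags


def organizational_domain(domain):
    """Approximate the Organizational Domain as the last two labels.

    Assumption for this example: real evaluators consult the Public Suffix List,
    without which names like example.co.uk would be grouped wrongly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs identical domains; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_identifiers(raw_headers):
    """Return the From domain and {mechanism: (result, authenticated domain)}."""
    msg = email.message_from_string(raw_headers)
    from_domain = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2]
    # Unfold the header so the regexes see a single line.
    ar = " ".join((msg["Authentication-Results"] or "").split())
    results = {}
    spf = re.search(r"\bspf=(\w+).*?smtp\.mailfrom=([^;\s]+)", ar)
    if spf:
        results["spf"] = (spf.group(1), spf.group(2).rpartition("@")[2])
    dkim = re.search(r"\bdkim=(\w+).*?header\.[di]=([^;\s]+)", ar)
    if dkim:
        results["dkim"] = (dkim.group(1), dkim.group(2).rpartition("@")[2])
    return from_domain, results


def evaluate_dmarc(raw_headers, record=DMARC_RECORD):
    """DMARC passes if SPF or DKIM passed *and* that identifier aligns with From."""
    tags = parse_dmarc_record(record)
    from_domain, results = parse_identifiers(raw_headers)
    report = {"from_domain": from_domain}
    for mech, mode_tag in (("spf", "aspf"), ("dkim", "adkim")):
        result, domain = results.get(mech, ("none", ""))
        report[mech] = {
            "result": result,
            "domain": domain,
            "aligned": result == "pass" and aligned(domain, from_domain, tags[mode_tag]),
        }
    report["dmarc_pass"] = report["spf"]["aligned"] or report["dkim"]["aligned"]
    return report


if __name__ == "__main__":
    for label, headers in (("as sent", SAMPLE_HEADERS),
                           ("aligned envelope", ALIGNED_ENVELOPE),
                           ("aligned DKIM", ALIGNED_DKIM)):
        r = evaluate_dmarc(headers)
        print(f"{label:17} spf={r['spf']['domain']:26} dkim={r['dkim']['domain']:20} "
              f"-> DMARC {'pass' if r['dmarc_pass'] else 'fail'}")
```

Run as sent, the message has spf=pass for invites.vendordomain.com and dkim=pass for mailrelaydomain.it, neither of which shares an organizational domain with mydomain.com, so DMARC fails exactly as the Authentication-Results line records. The aligned-envelope variant passes under the question's relaxed record but not under the strict one, which is the caveat to the subdomain approach: if the domain owner later tightens to aspf=s, a vendorname.mydomain.com envelope stops aligning. The aligned-DKIM variant passes under both records, which is one more reason the answer prefers it.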
