DMARC policy violation using Amazon SES

0

Hello,

I've set up everything as in the getting started articles for Amazon SES, but I'm still getting errors like these - The messages violates the DMARC policy of ....com.

I'm using ...@....com as FROM and mail-1.....com as MAIL FROM.

Both have SPF records including - amazonses.com.

My DMARC record is - v=DMARC1; p=quarantine; rua=mailto:...@....com.

If you check one of the reports I provided below, it says that the second record failed and that the IP doesn't belong to Amazon.

Could you explain why that is and how to solve it?

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>...</report_id>
    <date_range>
      <begin>...</begin>
      <end>...</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>....com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>93.188.3.35</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>....com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>....com</domain>
        <result>pass</result>
        <selector>...</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>...</selector>
      </dkim>
      <spf>
        <domain>mail-1.....com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>23.251.240.4</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>....com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>....com</domain>
        <result>pass</result>
        <selector>...</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>...</selector>
      </dkim>
      <spf>
        <domain>mail-1.....com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
1 Answer
1
Accepted Answer

Typically when you see DKIM passing and SPF failing, it's the result of email forwarding. DNS information suggests that 93.188.3.35 is an outgoing mail server from another organization.

DMARC leverages both SPF and DKIM, so as long as either passes, DMARC passes too. It is well known that email forwarding breaks SPF, so DKIM is there to cover that scenario.

The short answer is that you can't control whether your recipients choose to forward their email, nor can you control how forwarding email servers attempt to deliver the message in a DMARC-compatible fashion, so you can't solve this scenario.

AWS
Jesse_T
answered 2 years ago
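
An added example (not part of the original post and not AWS code): a small Python evaluator that recomputes the DMARC outcome for each record of an aggregate report shaped like the one in the question, and separates rows that passed on aligned DKIM alone (the pattern the answer attributes to forwarding) from rows where no aligned identifier passed. The sample report, `example.com`, the documentation-range IPs, the third record and the two-label organizational-domain shortcut are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the report above: example.com stands in for
# the elided domain, and the source IPs are from documentation ranges.
SAMPLE = """<feedback>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
 <record><row><source_ip>203.0.113.35</source_ip><count>2</count></row>
  <identifiers><header_from>example.com</header_from></identifiers><auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
   <spf><domain>mail-1.example.com</domain><result>softfail</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.4</source_ip><count>1</count></row>
  <identifiers><header_from>example.com</header_from></identifiers><auth_results>
   <dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>mail-1.example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.35</source_ip><count>1</count></row>
  <identifiers><header_from>example.com</header_from></identifiers><auth_results>
   <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
   <spf><domain>mail-1.example.com</domain><result>softfail</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels. A production
    # evaluator would use the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    modes = {k: root.findtext(f"policy_published/{k}", "r") for k in ("adkim", "aspf")}
    results = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from")
        def ok(tag, mode):  # any passing result whose domain aligns with From:
            return any(e.findtext("result") == "pass" and aligned(e.findtext("domain"), hfrom, mode)
                       for e in rec.findall(f"auth_results/{tag}"))
        dkim, spf = ok("dkim", modes["adkim"]), ok("spf", modes["aspf"])
        verdict = ("pass" if dkim and spf else "pass-dkim-only" if dkim
                   else "pass-spf-only" if spf else "fail")
        results.append((rec.findtext("row/source_ip"), verdict))
    return results
```

The constructed third record shows why the `amazonses.com` signature alone does not help: it passes DKIM but does not align with the From: domain, so only the signature for the sender's own domain keeps a forwarded message DMARC-compliant.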
