Hello,
On 17th Nov we started to get authentication failure reports (DMARC) from recipients / customers which are using services of vadesecure / open-exchange.
I think open-exchange is a mail provider and vadesecure provides some technology for mail filtering.
We have DKIM records for the AWS SES domain and a DMARC policy which states that failed authentication should go to junk (soft).
It was working fine until 17th November. We did not have any recent changes to mail content, domain or aws ses configuration.
We contacted a customer (using a domain pointed to open-exchange MX servers) who is not tech savvy.
Because those emails are the core of the product we are offering, their failure is not great.
On the 21st I sent an email to open-exchange but there is no answer from them.
Today I contacted vadesecure but their support said that the abuse team is processing only requests from their online form WHICH requires verifying the IP address of the sender, e.g. (AWS SES IP), which is obviously not possible.
We do not have any paid support from AWS and it was never required for anything so far.
We only get report like that:
Feedback-Type: auth-failure
User-Agent: mtabuilder/1.0
Version: 1
Original-Mail-From: XXXXXXX0@amazonses.com
Original-Envelope-Id: XXXXXXXXXXXXXX
Authentication-Results: oxsus-vadesecure.net; dmarc=fail (p=quarantine) header.from=XXXXXX <messages@XXXXXX.com>
Auth-Failure:
Arrival-Date: Sat, 19 Nov 2022 17:50:01 +0000
Source-IP: 54.240.8.195
Reported-Domain: XXXX
Received: from a8-195.smtp-out.amazonses.com ([54.240.8.195]) by oxsus1nmtai02p.internal.vadesecure.com with ngmta id a6942fe6-17290db34cc8b7bf; Sat, 19 Nov 2022 17:50:00 +0000
On the 18th I got similar reports for a different product which is using Infusionsoft for marketing emails, but again from vadesecure. There we have DKIM authentication for domains too.
We do not have issues with any other major mailbox provider (gmail, microsoft, yahoo, etc.).
Having different providers failing because of vadesecure filtering indicates that probably vadesecure has something special .. which is more strict than most of the world.
The DMARC policy which we have for all domains is:
v=DMARC1; p=quarantine; sp=quarantine; pct=100; adkim=r; aspf=r; rua=mailto:XXXXX; ruf=mailto:XXXXX; fo=1;
Any advice is appreciated.
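
Added example, not part of the original post: a sketch of the DMARC identifier-alignment check (RFC 7489) that a receiver applies to the policy quoted above. It shows why a message whose envelope sender is at amazonses.com (as in the report's Original-Mail-From) passes DMARC only through an aligned DKIM signature. The domain example.com, the function names, and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment. Domains are constructed placeholders.

def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels. Real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, header_from, spf, dkim_sigs):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], aspf)
    dkim_ok = any(res == "pass" and aligned(header_from, d, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "policy": tags.get("p", "none")}

# Policy from the post, with the redacted report addresses left out.
RECORD = "v=DMARC1; p=quarantine; sp=quarantine; pct=100; adkim=r; aspf=r; fo=1;"

def scenarios(frm="example.com"):
    ses_spf = ("pass", "amazonses.com")  # SPF passes, but for a non-aligned domain
    return {
        "own DKIM verifies": evaluate(
            RECORD, frm, ses_spf, [("pass", frm), ("pass", "amazonses.com")]),
        "own DKIM fails at receiver": evaluate(
            RECORD, frm, ses_spf, [("fail", frm), ("pass", "amazonses.com")]),
        "aligned MAIL FROM subdomain": evaluate(
            RECORD, frm, ("pass", "bounce.example.com"), [("fail", frm)]),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

In the second scenario the only aligned identifier is the sender's own DKIM signature, so any receiver that cannot verify that one signature reports dmarc=fail even though SPF and the amazonses.com signature both pass.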