DMARC failing when MFA email from Okta being sent through SendGrid - dns

I'm quite new to this so please excuse my ignorance, but I've been trying to enable DMARC on our domain but am encountering "fails" when I enable the TXT rule on our DNS.
For context, an MFA verification email is sent from Okta, through SendGrid, to the recipient, with a "from address" of our domain.com and a "return-path" ending in @sendgrid.net. The entry I enabled was:
v=DMARC1; p=none; rua=mailto:DmarcReport@domain.com; aspf=r; fo=1
I initiated the process and sent the resulting MFA email to a personal outlook.com account for testing and found this excerpt in the header. What am I missing? Thanks in advance!!
Header contents
My original DMARC entry didn't have an ASPF value. I've added one since, but I always thought that the default was "r" if not specified anyway. Apologies, not quite sure how to display the header contents outright instead of the link.

DMARC, for SPF alignment, requires the domain used in the Return-Path address (a.k.a. bounce address or smtp.mailfrom) to be the same as the domain in the FROM address, in Strict mode. When you set the aspf tag to relaxed mode, DMARC still requires the Return-Path address and FROM address to share the same organization domain.
For example, where the Return-Path address is me@a.domain.com and the FROM address is you@b.domain.com, this will satisfy the alignment check for DMARC (both share the domain.com organizational domain) when the SPF alignment is set to relaxed, not when set to strict (because the domains do not exactly match).
For DMARC compliant emails via SendGrid, you should follow this guide for setting up authentication for custom domains.
Last note: For future reference, your question is better suited for the ServerFault forum than the Stack Overflow forum, where you would also have gotten (or found) an answer to this specific question, faster.

What is minus a in a spf record

I have a client that has an SPF record I don't understand.
The record is like this:
"v=spf1 a:domain.tld -a:gmail.com -a:googlemail.com -ip4:xx1.yy1.zz1.xx -ip4:xx2.yy2.zz2.xx include:spf.mandrillapp.com include:servers.mcsv.net ?all"
I have changed the IPs to x, y and z, but they are real IPs, and the domain is also real and not domain.tld.
What does the minus in -a: and -ip4: do? Does it have a function, or is it wrongly set up?
I would like to clean up - can I just remove them? They use mailchimp, so I will just keep the 2 includes.
The relevant bits of the RFC are 4.6.2 and 5.3. Roughly:
- means 'fail', i.e. reject any sender that matches this rule
a: means 'all IP addresses that this hostname resolves to'
So the intention of the rule appears to be to prevent anyone using gmail to send email from this domain, presumably because they used Google G-Suite for email at one time but have then stopped.
However I don't think that will work: Google's SPF configuration is more complicated than that and uses 'include:' to pick up lists of addresses specified by Google. I'd be surprised if all of their mailservers hosted the gmail web app too. So my guess would be that this doesn't actually work as-is, and so can be safely deleted.
Ditto the -ip4: means don't allow this IP address to send email for your customer's domain. Chances are that's OK to go too, but you should verify what the IP address represents, e.g. starting with a WHOIS lookup to see who (or which ISP) it's registered to.

Gmail Email Client and SPF Records

I am in the process of migrating our staff's email client from Windows Live Mail to Gmail. I have gone through the process of connecting each staff member's email from our domain to their respective Gmail accounts (so each staff member has two valid email addresses, e.g. bob.our_domain@gmail.com and bob@our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob@our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer)". I understand that this is an error with SPF configuration but for the life of me cannot figure out what the correct configuration looks like.
The domain in question is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough; the IP isn't listed and the ~all specifies a soft fail for unknown IPs (as far as I am aware).
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of Google's mail servers - not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en
I removed 208.109.80.60 and instead include _spf.google.com domain. My SPF record now looks like
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some non-critical errors, but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.
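Added example, not code from either question or answer above: a small Python parser that reads an SPF record into (qualifier, mechanism, value) terms, which is what the -a: and -ip4: discussion in the previous question comes down to, plus a tidy function implementing the "ip4 first, drop the + qualifiers" advice from this answer. The record strings used in the comments and checks are the ones quoted in these two questions; the qualifier table follows RFC 7208.

```python
import re

# Qualifier meanings, RFC 7208 section 4.6.2; a missing qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# qualifier? name (":" value | "=" value | "/" cidr)?
TERM = re.compile(r"([+\-~?])?([A-Za-z0-9]+)(?:([:=/])(.*))?")

def parse_spf(record):
    """Return a list of (qualifier, mechanism, value); modifiers (redirect=, exp=)
    come back with qualifier None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for term in terms[1:]:
        m = TERM.fullmatch(term)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        qual, name, sep, value = m.groups()
        if sep == "=":                      # modifier, e.g. redirect=_spf.example.com
            out.append((None, name.lower(), value))
        else:                               # mechanism; a bare CIDR ("a/24") is kept as "/24"
            out.append((qual or "+", name.lower(), "/" + value if sep == "/" else value))
    return out

def describe(record):
    """One line per term, e.g. '-a:gmail.com' -> 'fail: a gmail.com'."""
    lines = []
    for qual, name, value in parse_spf(record):
        if qual is None:
            lines.append(f"modifier {name}={value}")
        else:
            lines.append(f"{QUALIFIERS[qual]}: {name}" + (f" {value}" if value else ""))
    return lines

def fmt_term(t):
    """Render a parsed term back to SPF syntax, omitting the default '+'."""
    qual, name, value = t
    if qual is None:
        return f"{name}={value}"
    sep = "" if not value or value.startswith("/") else ":"
    return ("" if qual == "+" else qual) + name + sep + (value or "")

def tidy_spf(record):
    """Drop redundant '+' and move ip4/ip6 first (they need no DNS lookup).
    Refuses records whose mechanisms before 'all' use mixed qualifiers, because
    SPF stops at the first match and reordering could change the verdict."""
    terms = parse_spf(record)
    mechs = [t for t in terms if t[0] is not None and t[1] != "all"]
    tail = [t for t in terms if t[0] is None or t[1] == "all"]
    if len({q for q, _, _ in mechs}) > 1:
        raise ValueError("mixed qualifiers: reordering could change the result")
    mechs.sort(key=lambda t: 0 if t[1] in ("ip4", "ip6") else 1)   # stable sort
    return "v=spf1 " + " ".join(fmt_term(t) for t in mechs + tail)
```

tidy_spf deliberately rejects the client's record from the previous question (it mixes +, - and ? terms), while the Gmail record here becomes `v=spf1 ip4:166.62.38.87 a mx include:_spf.google.com ~all`.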

DMARC/SPF configuration error

I have a domain registered at domains.google.com that I use with a G Suite account and also to send email from SES and mailchimp.
My DNS records look correct to me (Mailchimp instructions):
@ TXT "v=spf1 include:_spf.google.com include:amazonses.com include:servers.mcsv.net ~all"
_dmarc TXT "v=DMARC1; p=none; pct=100; rua=mailto:re+aml1ryadtn7@dmarc.postmarkapp.com; sp=none; aspf=r;"
I use postmark's nifty service to get a weekly DMARC digest, and they report this error for mailchimp emails:
mcsv.net is authorized to send on behalf of mydomain.com, however it looks like SPF is still failing DMARC’s alignment test. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path path doesn’t match your From address, those messages will fail DMARC’s SPF alignment test. Check with this source because you may need to set up a custom Return-Path.
Here are relevant headers from a mailchimp email:
Return-Path: <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mail125.suw11.mcdlv.net>
From: me@mydomain.com
Do I have an error in setup (either DNS or Mailchimp) that causes SPF DMARC alignment to fail? Or is this something that isn't supported by Mailchimp?
Mailchimp does not support SPF as it uses its own domain in the bounce address. Their domain authentication verification tool requires including Mailchimp, though. Mailchimp always fails DMARC's SPF alignment test because the Return-Path path doesn’t match the From address. MailChimp doesn't support custom Return-Path (even though Mandrill, which is owned by Mailchimp, does). This makes it impossible to be 100% SPF-compliant under DMARC rules with Mailchimp.
I'm not 100% sure, but I'd guess that if the domains for return-path and from header have to match, you would need to have a CNAME DNS record in your own domain pointing at MC, so that the domains could match, something like:
mc CNAME mail125.suw11.mcdlv.net
Then your return path might become <bounce-mc.us17_88978185.265251-recipient=patentbots.com@mc.mydomain.com>.
I don't know if a subdomain match like this is sufficient, i.e. whether DMARC considers mc.mydomain.com and mydomain.com to be sufficiently aligned.
I can see the management of this being a little tricky if you have lots of domains.
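Added example, not taken from any of the answers: the DMARC SPF alignment check described in the first answer on this page (relaxed vs strict aspf) and in the Postmark digest quoted in this question, written as a Python function, so the Return-Path/From pairs from both threads can be checked offline. It assumes the organizational domain is the last two labels, which is wrong for suffixes such as co.uk; a real implementation consults the Public Suffix List.

```python
def _domain(addr):
    """Domain part of an address such as '<bounce@mail125.suw11.mcdlv.net>', lowercased.
    A null Return-Path ('<>') has no domain; DMARC then falls back to the HELO name,
    which this example does not model, so it returns ''."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""

def organizational_domain(domain):
    """Assumption for this example: the registrable domain is the last two labels.
    That is wrong for suffixes such as co.uk; real code consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def spf_aligned(return_path, from_header, aspf="r"):
    """DMARC SPF identifier alignment (RFC 7489 section 3.1.2).
    'r' (relaxed, the default when aspf is absent): same organizational domain.
    's' (strict): the Return-Path domain must equal the From domain exactly."""
    rp, frm = _domain(return_path), _domain(from_header)
    if not rp or not frm:
        return False
    if aspf == "s":
        return rp == frm
    if aspf == "r":
        return organizational_domain(rp) == organizational_domain(frm)
    raise ValueError("aspf must be 'r' or 's'")

def dmarc_spf(spf_result, return_path, from_header, aspf="r"):
    """An SPF pass only counts for DMARC when the identifier also aligns; a passing
    but misaligned SPF is exactly "SPF is still failing DMARC's alignment test"
    from the Postmark digest above."""
    if spf_result != "pass":
        return "fail (SPF did not pass)"
    return "pass" if spf_aligned(return_path, from_header, aspf) else "fail (SPF pass not aligned)"
```

With the Mailchimp headers from this question, spf_aligned fails under both modes because mcdlv.net and mydomain.com share no organizational domain; the hypothetical mc.mydomain.com bounce address passes relaxed alignment and fails strict.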

Defining two sub domains of my domain as nameservers of another domain

Suppose that I own example.com, which is served by my own DNS server, and I can create any records that I want.
Now imagine that one of my friends gets a new domain called new-domain.com and I want to help him manage his domain with his own DNS server.
So in my DNS system for example.com, I create two A records as:
my.ns1.example.com -> some.ip.addr
and
my.ns2.example.com -> some.ip.addr
(some.ip.addr is the ip address of his DNS server)
and ask him to set my.ns1.example.com and my.ns2.example.com as name servers for his domain.
But he cannot set them, because he gets an "invalid nameserver" error!
It's my understanding that because example.com is working properly in the DNS system, and thus my.ns1.example.com and my.ns2.example.com are resolved to the IP address properly, nothing can prevent them from being used as nameservers.
I searched around and found that some people say the nameservers should be registered. I understand registering when we have to ask for glue records to be set, but in this case I have no idea why we would need to register those names.
To be more specific with a real-life example: why is jobs.ns.cloudflare.com a valid nameserver but www.cloudflare.com is not?
I asked the same question on serverfault.com with this link
I quote the important part of the answer here:
From a pure DNS perspective, an authoritative nameserver (such as those for com) should not perform any kind of recursion to learn the IP address of the nameservers that are defined in your example.com zone. Instead, the registry permits registrars to add glue records to the com domain, and those registrars can provide a user interface so that the owners of the domains that these custom nameservers live in can do so. (example: Namecheap - How do I register personal nameservers for my domain?)
(To address the elephant in the room...no, these glue records are not strictly required. But policies are policies, and if the registrar interface requires the registry level glue to be present, you have little choice in the matter.)
While the answer does not answer my updated part of the question, I picked it as the answer and decided to ask another question.
The problem does not lie in the names: my.ns1.example.com and my.ns2.example.com are fine.
The registry, and sometimes even the registrar, normally perform a few checks before approving a nameserver change. If your nameservers are rejected as invalid they are most likely not yet correctly configured for your friend's domain. I mean, the servers at my.ns1.example.com and my.ns2.example.com do not contain the minimum required records for new-domain.com.
That said, the registrar support team should be able to provide more details: if it's them who reject the change they should let you know what part of the automatic tests fails and even provide the test output so you can see for yourself. On the other hand, if they just pass the change to the registry (your friend should see an "operation pending at registry level" notice in his control panel for some time) they could make the extra effort of helping you out by providing hints based on their experience with that particular TLD. That is, if your friend didn't grab a promo offer in the 0.99$-5.99$ a year range for the domain: if he pays them something in the 20$-50$ a year range then he should expect and demand proper, helpful support. I use one of the cheapest registrars and if my nameserver change gets rejected I still get a full report:
Dear customer,
The registry did not accept the nameservers you tried assigning to
new-domain.com because they did not pass the registry tests. Please
check the report we got from the registry below, fix the errors
and try assigning the nameservers again.
Nameservers Resolvable Test: ERROR
my.ns1.example.com. ERROR Unresolvable host my.ns1.example.com.
my.ns2.example.com. ERROR Unresolvable host my.ns2.example.com.
my.ns3.example.com. OK
my.ns4.example.com. OK
SOAQueryAnswerTest: ERROR
my.ns1.example.com. ERROR java.net.SocketTimeoutException
my.ns2.example.com. ERROR java.net.SocketTimeoutException
my.ns3.example.com. OK
my.ns4.example.com. OK
... ... ...
Update: The OP posted an update saying that as soon as the nameservers were registered with the registry, they were accepted in his friend's control panel. It appears that particular registrar checks for glue records and rejects the nameservers if they have none. This is an unnecessary check because glue records are only needed if the nameservers are within the same domain they serve, as explained in these questions. Registrars usually explain this very clearly or at least mention this above the nameserver change form:
Please note that in most cases the ip address is not required and will actually be ignored. It is only necessary if the nameservers you are entering are sub-domains of the selected domain (also called custom nameservers or vanity nameservers).
We can conclude that the friend's registrar performs an unnecessary blocking test and does not respond to user inquiries in a helpful manner. Since the OP has the following need (citation from his updated post on serverfault):
I need to be able to create dynamic nameservers programmatically and ask my users to enter their specific nameservers for their domains in their registrars.
I warmly recommend he does some research looking for a decent and reasonably priced registrar he can point his customers/friends to in case they have any issues with their current ones.
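Added example, not part of this answer: a Python script that reproduces the two checks from the registry report quoted above (is the nameserver name resolvable, and does the server answer an SOA query for the zone authoritatively) against a nameserver IP, using a hand-built DNS packet so it needs only the standard library. Zone name and server IP in the functions' arguments are placeholders you supply.

```python
import random
import socket
import struct

def encode_name(name):
    """Wire-format a DNS name: each label length-prefixed, then a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_soa_query(zone, txid):
    """Header with RD clear (we want the server's own answer, not recursion) and one
    question: <zone> SOA IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", 6, 1)   # QTYPE 6 = SOA, class IN

def parse_reply_header(reply, txid):
    """Pull the AA flag, RCODE and answer count out of a reply header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "answers": an}

def verdict(info):
    """OK only if the server answered authoritatively with at least one SOA record."""
    if info["rcode"] != 0:
        return f"ERROR rcode={info['rcode']}"
    if not info["aa"] or info["answers"] == 0:
        return "ERROR not authoritative for zone"
    return "OK"

def soa_query_test(zone, server_ip, timeout=3.0):
    """Same idea as the registry's SOAQueryAnswerTest, for one nameserver IP."""
    txid = random.randrange(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, txid), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "ERROR SocketTimeout"      # what the report showed for ns1/ns2
    return verdict(parse_reply_header(data, txid))

def resolvable_test(host):
    """Same idea as 'Nameservers Resolvable Test': does the NS hostname resolve?"""
    try:
        socket.getaddrinfo(host, 53)
        return "OK"
    except socket.gaierror:
        return f"ERROR Unresolvable host {host}"
```

Run resolvable_test on each nameserver name and soa_query_test on each A record's IP before asking the registrar again; a registrar that also insists on glue, as the update above describes, will still reject the change even when both checks print OK.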

DNS record not found after testing

I am checking my website on mxtoolbox.com and getting some DNS errors. Two of those errors say "DNS Record not found". One has dmarc as category and the other is category spf.
My questions:
Does this hurt my website?
How do I go about fixing this?
My website is http://www.zilvertron.com
Thanks for your time!
No, neither of those things will directly hurt your website, though they may cause you problems with sending email if the recipients score harshly in any spam management application.
There is some info on DMARC here and some info about SPF here. They are both used to help validate that messages are 'allowed' to be sent from your domain and hosts, and that your domain is who it says it is.
If you want to fix/add the records, you need to have a look in your DNS provider's control panel and see what options they support and how to implement them. SPF is easy - it's just a text record; DMARC/DKIM requires a bit more setup.