
I have set adkim=s and aspf=s, and the DMARC check on mxtoolbox.com passes all tests. However, I'm using the default DKIM from Microsoft, so from my understanding DMARC should fail since the alignment check with DKIM should fail. However, it passes:

Authentication-Results: mx.google.com;
   dkim=pass [email protected] header.s=selector2-examplecom-onmicrosoft-com header.b=bdMHamqv;
   arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example.com dmarc=pass fromdomain=example.com);
   spf=pass (google.com: domain of [email protected] designates 4b14:222:c200:5a2a::315 as permitted sender) [email protected];
   dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=examplecom.onmicrosoft.com; s=selector2-examplecom-onmicrosoft-com; ...

Clearly the d=examplecom.onmicrosoft.com is not the same as header.from=example.com... so why is DMARC passing anyways?

1 Answer


For DMARC to pass, it is enough that either SPF or DKIM passes and is aligned. In your specific case, the DMARC header.from=example.com is aligned with the SPF [email protected], and SPF is passing.

  • Thanks, that explains another confusion I had, when DKIM was failing but DMARC passed (because SPF passed along with alignment).
    – Esteban
    Commented Mar 25, 2022 at 13:30
  • If you want to force DKIM validity, change your SPF record to e.g. v=spf1 ?all and then SPF will never pass. (That may be aggressive; maybe some emailed logs come from servers that don't use DKIM. After changing your SPF, revert back to DMARC p=quarantine and re-vet your DMARC aggregated logs to be sure.)
    – Adam Katz
    Commented Mar 25, 2022 at 17:44
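
The rule from the answer, written out as an added example that is not part of the original posts: DMARC passes when at least one of SPF or DKIM both passes and aligns with the From domain. The helper names are hypothetical, relaxed mode uses a naive last-two-labels stand-in for a Public Suffix List lookup, and the forwarder domain is constructed.

```python
# Added example: simplified DMARC identifier-alignment check (RFC 7489, section 3.1).

def org_domain(domain):
    # ASSUMPTION: naive "last two labels" stand-in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) compares org domains."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)

def evaluate_dmarc(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf is (result, mailfrom_domain); dkim_sigs is a list of (result, d_domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Values taken from the question's headers: SPF passes for example.com,
# DKIM passes but is signed with d=examplecom.onmicrosoft.com.
QUESTION = evaluate_dmarc(
    "example.com", ("pass", "example.com"),
    [("pass", "examplecom.onmicrosoft.com")], aspf="s", adkim="s")

# Constructed case: the same message relayed by a forwarder, so SPF now
# passes only for the forwarder's own (constructed) envelope domain.
FORWARDED = evaluate_dmarc(
    "example.com", ("pass", "forwarder.example.net"),
    [("pass", "examplecom.onmicrosoft.com")], aspf="s", adkim="s")

# Constructed case: forwarded again, but signed with a custom d=example.com key.
FORWARDED_CUSTOM_DKIM = evaluate_dmarc(
    "example.com", ("pass", "forwarder.example.net"),
    [("pass", "example.com")], aspf="s", adkim="s")

if __name__ == "__main__":
    for name, res in [("question", QUESTION), ("forwarded", FORWARDED),
                      ("forwarded + custom DKIM", FORWARDED_CUSTOM_DKIM)]:
        print(f"{name}: {res}")
```

With only the default onmicrosoft.com signature, the pass in the question rests entirely on SPF alignment, so the same message fails DMARC once SPF no longer aligns.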
