DMARC Reports, the Amazon and Google mystery

Oct 16 (50 days ago)
Dave wrote
I've recently set up everything on SPF, DKIM, DMARC and TLS with a view to try and control the use of my email domain and I'm getting lots of reports that make no sense to me.

I'm seeing lots of email reports from google and amazonses, some showing the emails originated from my vpop3 server, some show they originate from google or amazon themselves.

I've started to use a DMARC analyser to try and work out where they are all coming from and why, including making sure I have both the rua and ruf elements configured on my dmarc policy, but I'm sure someone will have a good idea of what is going on here.

I've used mxtoolbox to validate everything, at least everything under my control anyway.

What was of most interest to me, because my domain is xxxxx.uk.com that not only do I have an spf record, but so does the uk.com domain as follows....

v=spf1 include:relay.emailme.com include:smtp.emailme.com include:_spf.google.com ~all

I have no control over that, but does that mean that every email sent by me gets relayed to or validated by google even if it is not sent to them, and what's with the relay.emailme.com as well?

I'm seeing all sorts of email domains in my report being authenticated that I have never sent emails to, bandcamp.com is a regular, and today I see digital.cabinet-office.gov.uk, just can't figure what's happening, would these sites be sending emails using my email domain as the sender, would seem highly unlikely, and I'm not receiving emails from these domains either.

Reply
1 Answer
Oct 18 (48 days ago)
Paul Smith agent wrote
Hi Dave,

> I've recently set up everything on SPF, DKIM, DMARC and TLS with a view to try and control the use of my email domain and I'm getting lots of
> reports that make no sense to me.
>
> I'm seeing lots of email reports from google and amazonses, some showing the emails originated from my vpop3 server, some show they
> originate from google or amazon themselves.

DMARC can be confusing if you have not fully understood what the reports are showing.

It is normal for DMARC reports to show failed messages. The point of SPF/DKIM is to allow a recipient to validate that messages were authentic. The DMARC reports will show messages which failed the tests because they were NOT authentic. So, that shows that SPF/DKIM are doing their jobs.

You can check the IP addresses that the failed messages are coming from, to make sure that they really are forged messages. So, for examples if messages from Amazon SES are failing, then you need to check that you are not sending messages from Amazon SES (either directly, or through a third party, eg accounts software etc). If you are not sending messages from Amazon SES, then you need to do (and can do) nothing about it. If you ARE sending messages from Amazon SES, then you need to update the SPF records accordingly, (and possibly install DKIM certificates on the appropriate service using SES)

The main point of the reports is so that you can check that legitimate messages are not being blocked because of DKIM or SPF. You will expect some messages to be blocked, but they shouldn't be legitimate ones.

> What was of most interest to me, because my domain is xxxxx.uk.com that not only do I have an spf record, but so does the uk.com domain as follows....

That doesn't matter. SPF records are not cascading. (DMARC records can be, but .uk.com doesn't have a DMARC record)

> I'm seeing all sorts of email domains in my report being authenticated that I have never sent emails to, bandcamp.com is a regular,
> and today I see digital.cabinet-office.gov.uk, just can't figure what's happening

Not having seen the DMARC reports I can't be sure, but it is likely you are seeing messages being received BY those domains by someone forging messages from you to them. They should be showing in the reports as having failed both the SPF and DKIM checks if they weren't legitimate messages. If they are being showed as having failed both checks, then that shows that DMARC is doing its job and all is well.

Also, note that if someone is forwarding messages that originated from you, then they will almost certainly appear as failed messages. Eg, if you sent a message to me, and our mail server was set to forward my messages to Google, Google would probably report an SPF failure back to you because the forwarded message would have failed the SPF check (as all forwarded messages do).

Paul