DMARC failure for delivery report

I have a Docker-based mail server (Mailu) setup. It's working great except for delivery reports which are sent automatically (one of the user mailboxes is full and a "Quota exceeded" notification is sent to the sender).

The reports are rejected by the recipient due to DMARC failure:

This is an email abuse report for an email message received from IP xxx.xxx.xxx.xxx on Tue, 28 Sep 2021 05:16:31 +0000. The message below did not meet the sending domain's dmarc policy.

The header of the rejected message:

Feedback-Type: auth-failure
User-Agent: Lua/1.0
Version: 1.0
Original-Mail-From: 
Original-Rcpt-To: [email protected]
Arrival-Date: Tue, 28 Sep 2021 05:16:31 +0000
Message-ID: <[email protected]>
Authentication-Results: dmarc=fail (p=reject; dis=reject) header.from=domainB.com
Source-IP: xxx.xxx.xxx.xxx
Delivery-Result: reject
Auth-Failure: dmarc
Reported-Domain: domainB.com

The mailserver runs on mail.domainB.com, has domainA.com configured, and the email is sent to [email protected].

SPF is configured for both domains:

  • Domain A: v=spf1 a mx include:domainB.com -all
  • Domain B: v=spf1 a mx include:_spf.google.com include:servers.mcsv.net include:relay.mailchannels.net -all

DMARC for both: v=DMARC1;p=reject;rua=mailto:[email protected];ruf=mailto:[email protected];adkim=s;aspf=s;fo=1;

MX for both domains is mail.domainB.com and the PTR record for the IP "xxx.xxx.xxx.xxx" points to srv.domainB.com. All domains run on and point to the same server.

I suspect a DNS/DMARC configuration error but I can't point it out. Do I need to include the domain domainB.com in the SPF as well (see header.from)?

Edit: Some messages contain a message body (in addition to the header above):

Received-SPF: None (no SPF record) identity=no SPF record; client-ip=xxx.xxx.xxx.xxx; helo=mail.domainB.com; envelope-from=<>; receiver=<UNKNOWN> 
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.hostpark.net F224D16527
Received: by mail.domainB.com (Postfix)
    id 61B3BDFF1; Wed, 29 Sep 2021 06:16:50 +0000 (UTC)
Date: Wed, 29 Sep 2021 06:16:50 +0000 (UTC)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="25F89DFEB.1632896210/mail.domainB.com"
Message-Id: <[email protected]>

Could anyone point me in the right direction? Much appreciated, thanks!


The fix appeared to be quite easy. The SPF record had more than 10 lookups and therefore it was syntactically correct but was interpreted as invalid. The solution was to remove one of the include:.
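
The limit the answer refers to is RFC 7208's cap of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) per SPF evaluation, counted across nested includes; exceeding it yields a permerror. As an added example (not code from the original post), here is a worst-case counter run over a constructed zone: only the domainB.com record is the one quoted in the question, while the contents of the include targets, the *.example names and the choice of which include to drop are assumptions.

```python
import re

# Constructed TXT data. Only the domainb.com record is taken from the question;
# the include targets' contents and the *.example names are invented.
ZONE = {
    "domainb.com": "v=spf1 a mx include:_spf.google.com include:servers.mcsv.net "
                   "include:relay.mailchannels.net -all",
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example include:nb3.example ~all",
    "servers.mcsv.net": "v=spf1 ip4:192.0.2.0/24 ?all",
    "relay.mailchannels.net": "v=spf1 include:r1.example include:r2.example include:r3.example ~all",
    **{n: "v=spf1 ip4:198.51.100.0/24 ~all"
       for n in ("nb1.example", "nb2.example", "nb3.example",
                 "r1.example", "r2.example", "r3.example")},
}
LIMIT = 10  # RFC 7208 section 4.6.4
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)

def count_lookups(domain, zone, seen=()):
    """Worst-case number of DNS-querying terms when evaluating domain's SPF.

    A real evaluator stops at the first match, so it may spend fewer; this
    static count assumes every term, including nested includes, is reached.
    """
    domain = domain.lower()
    if domain in seen:
        raise ValueError(f"include loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0  # nothing to expand; the query itself was counted by the caller
    total = 0
    for term in record.split()[1:]:
        name, arg = TERM.match(term).groups()
        name = name.lower()
        if name in ("a", "mx", "ptr", "exists"):
            total += 1
        elif name in ("include", "redirect") and arg:
            total += 1 + count_lookups(arg, zone, seen + (domain,))
    return total

def spf_status(domain, zone):
    """'permerror' when the worst case exceeds the limit, else 'ok'."""
    return "permerror" if count_lookups(domain, zone) > LIMIT else "ok"

# Assumption: the page does not say which include was removed; drop one here.
FIXED = {**ZONE, "domainb.com": ZONE["domainb.com"].replace(
    " include:servers.mcsv.net", "")}

if __name__ == "__main__":
    for label, zone in (("before", ZONE), ("after", FIXED)):
        print(label, count_lookups("domainB.com", zone), spf_status("domainB.com", zone))
```

To run the same count against live DNS, replace the `zone.get` lookup with a TXT query; the counting logic is unchanged.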