DMARC misalignment with subdomain of organizational domain in relaxed mode

Hello everybody,

We have a DMARC policy that, until today, didn’t use the aspf or adkim configuration options. So, according to the DMARC RFC, we have been operating in DMARC relaxed mode, which is the default mode.

v=DMARC1; p=reject; rua=mailto:fexahwip@ag. dmarcian .com; ruf=mailto:fexahwip@fr. dmarcian .com; fo=1

Starting June 11th we have identified a specific sender, Greenhouse, that used to be aligned in SPF and DKIM, which is suddenly not aligned in either SPF or DKIM.

For those not familiarised with Greenhouse as sender, they usually use a “gh-mail .domain.com” for both SPF and DKIM. Then, they request you to place the TXT record for SPF under “gh-mail. domain .com” and the DKIM public key under “selector._domainkey.gh-mail.domain.com”.

Because it is the default, and because the majority of people out there operate in relaxed mode, “gh-mail .domain .com” is considered part of the same organizational domain “domain .com”, and although there is no exact match, relaxed mode allows alignment, and DMARC policy action is NONE, accepting the email.

So far, this is my understanding.

Nevertheless, we are getting reports where we get the following relevant information:

  • From domain: domain .com
  • IP: 69.72.40.93
  • PTR/Server: mail-40-93 .greenhouse .io
  • Action taken: Reject
  • Override reason: none
  • SPF
    • DMARC result: fail-unaligned
    • SPF result: pass
    • Mail From: gh-mail .domain .com
  • DKIM
    • DMARC result: fail-unaligned
    • SPF result: pass
    • d=: gh-mail .domain .com
    • Selectors: mx
  • Reporter: Google

In the case of Greenhouse, because it’s a platform where candidates apply to our job postings, we have 100% of emails sent to Google, and we do not have a good sample of other providers.

Nevertheless, given that we discovered this trend on June 11th, we also saw that other senders have been suffering similar issues, but fortunately they are not causing deliverability problems.

The difference with the other senders is that they either have SPF records AND/OR DKIM selectors at the domain.com level, achieving strict alignment for both SPF/DKIM for some senders, or DKIM strict alignment in others.

Today we updated our DMARC policy to explicitly use “aspf=r; adkim=r” to see if the behaviour changes, even though the default behaviour according to the RFC is relaxed mode.

v=DMARC1; p=reject; rua=mailto:fexahwip@ag .dmarcian .com; ruf=mailto:fexahwip@fr .dmarcian .com; aspf=r; adkim=r; fo=1

I will share updates with you here in the following days when we start getting new reports after the policy changes.

Meanwhile, has anybody suffered similar alignment issues recently with a similar setup?

Hi,

Thanks for posting on our forums!

Regarding your query, your understanding is absolutely correct.
The DMARC record expects domain alignment in relaxed mode for SPF and DKIM protocols, which is met for one of the domains. The same behaviour should occur for the other domain since all domains are aligned and pass the “raw” check for SPF and DKIM.

However, the XML reports show that Google indicates a “fail” for DMARC alignment, which shouldn’t be expected given the data.

There are a couple of possible explanations for this:

  • Misreporting by Google: Google might be incorrectly reporting the DMARC alignment results in their XML reports. It would be best to contact Google directly to ask for clarification.

  • DMARC Override at the Receiving End: There might be a “DMARC override” happening on the recipient’s side, which is not reflected in the DMARC report. To address this, try identifying the recipient and work with them to determine if an override is occurring.

I hope this helps!

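Added example, not part of either post above: a small Python check of what a receiver following RFC 7489 would compute for the identifiers in the report, useful for comparing against an aggregate report row. The function names are hypothetical, the record is constructed (report addresses omitted), and `PUBLIC_SUFFIXES` is a tiny constructed stand-in for the real Public Suffix List.

```python
# Added example: DMARC identifier alignment per RFC 7489, section 3.1.
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "io", "co.uk"}

# Constructed record: no aspf/adkim tags, so both modes default to relaxed.
RECORD = "v=DMARC1; p=reject; fo=1"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; aspf/adkim default to 'r'."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown suffix is one label


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed needs the same org domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record, from_domain, spf_result, mail_from, dkim_result, dkim_d):
    """DMARC passes when SPF or DKIM both passes and aligns with From."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags["adkim"])
    verdict = "pass" if spf_ok or dkim_ok else "fail"
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict}


if __name__ == "__main__":
    # Identifiers as listed in the report in the first post.
    sub = "gh-mail.domain.com"
    print(evaluate(RECORD, "domain.com", "pass", sub, "pass", sub))
    print(evaluate(RECORD + "; aspf=s; adkim=s", "domain.com", "pass", sub, "pass", sub))
```

With the reported identifiers, the relaxed evaluation yields a pass for both mechanisms, and only the strict variant reproduces the "fail-unaligned" rows.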