Question about mail servers and DMARC

Hello again! I’m not sure this is the best place to ask this question, but I’m starting here. :)

My question is in relation to the expected behavior of mail servers when a domain is configured with a DMARC DNS TXT record. For the sites I manage, I tend to configure SPF records with “-all” because I don’t want ANY other mail server to send mail on behalf of our domain, other than the servers listed in the SPF record. For the related DMARC record, I tend to specify a strict rejection policy and I have the DMARC reports being sent to an email account I monitor, so I can keep tabs on the mail server activity. So, the SPF record ends with “-all” and the DMARC record has a “reject” policy configured.

On a couple of domains I manage, I noticed strange mail server behavior. For the sake of discussion, I’ll use “mydomain.com” as the domain. I’ll receive an email message either in the spam folder, as blocked by SpamAssassin, or in the inbox where the “From” address and the “To” address are the same address AND the address is MY email address:

From: tomdkat@mydomain.com
To: tomdkat@mydomain.com

The message was sent to me from mail server aaa.bbb.ccc.ddd, which isn’t affiliated with my domain at all and that address wasn’t listed in the SPF record, for my domain.

Since the mail server for “mydomain.com” received the message from mail server aaa.bbb.ccc.ddd, why would “my” mail server receive the message? Sometimes, SpamAssassin will trigger the “FAIL_SPF” rule and that pretty much flags the message as spam but I would have expected “my” mail server to reject the message entirely, based on the SPF record and the DMARC record configured for the domain.

In one instance, this happens in a shared hosting environment, so my domain’s mail server is shared by “everyone else” (lol). In another instance, the site is in a VPS and there’s only one site and one domain setup. It’s almost as if the local mail server “ignores” the SPF and DMARC records if the “From” address is in the domain the mail server manages.

Any ideas on what could be going on? Any recommendations for a better forum where I could ask this, if this isn’t the best place to ask?

Thanks in advance!

1 Like

Your question is missing the relevant details about the DMARC settings of the receiving edge MTA. If the edge MTA doesn’t evaluate your DMARC policy, the result on that MTA is the same as not having a DMARC policy.

What is evaluating DMARC on your receiving MTA and how does it handle failures?

Thanks for the reply. Since it’s the server that handles ALL mail for my domain I presume it should handle all mail the same, in terms of evaluating DMARC policy. So, the ONLY evidence or information I have about my mail server’s DMARC evaluation is the fact I’ll see messages, in cPanel, indicating mail was rejected due to failing SPF. For example, I’ll see a log message about mail from “someone@randomdomain.com” being rejected due to failing SPF. I suppose what I need to do is find one of those messages and look at the DMARC policy for the sender’s domain.

I’ll also contact the site host to see if they can help me find the DMARC settings of the mail server. I’ll do this for the domain in the VPS.

Thanks for the reply!

I had to search for the relevant info, as I avoid cPanel myself.

My findings suggest that cPanel has no support for any inbound DMARC policy handling.

My personal feelings about cPanel’s overall suitability (or lack thereof) aside, it definitely is not adequate for any use as a production MTA (at least not in the capacity you desire). If DMARC validation of your inbound mail is important to you, moving your email to a more appropriate solution will benefit you tremendously.

2 Likes
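A way to check what the receiving MTA actually evaluated for a delivered message, as an added example that is not from the thread or from cPanel: it reads the Authentication-Results headers stamped by your own server and compares the envelope sender domain (what SPF checks) with the header From domain (what DMARC checks). The authserv-id `mx.mydomain.com`, the sample message and the function names are assumptions, and alignment is simplified to an exact domain match.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: header From is the local domain, the envelope sender is not.
SAMPLE = """\
Return-Path: <bounce@unrelated.example>
Authentication-Results: mx.mydomain.com; spf=pass smtp.mailfrom=unrelated.example
From: tomdkat@mydomain.com
To: tomdkat@mydomain.com
Subject: constructed sample

body
"""

def domain_of(addr):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def auth_results(msg, authserv_id):
    """method -> result, taken only from headers stamped by our own MTA."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        serv, _, rest = value.partition(";")
        if (serv.split() or [""])[0].lower() != authserv_id.lower():
            continue  # not written by our MTA; a sender can forge this header
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def assess(raw, authserv_id):
    """Summarise what the receiving MTA recorded for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    env_dom = domain_of(msg.get("Return-Path", ""))
    res = auth_results(msg, authserv_id)
    return {
        "from_domain": from_dom,          # the domain DMARC protects
        "envelope_domain": env_dom,       # the domain SPF was checked against
        "spf": res.get("spf"),
        "dmarc_evaluated": "dmarc" in res,
        # Strict alignment only; relaxed alignment needs the Public Suffix List.
        "spf_aligned": res.get("spf") == "pass" and env_dom == from_dom,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, "mx.mydomain.com"))
```

In the constructed sample SPF passes for the envelope domain, so the "-all" on the From domain is never consulted; only a DMARC alignment check would catch the mismatch, and no `dmarc=` result was recorded.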

Wow, I’m speechless. First and foremost, THANK YOU for the information. Here I am getting ready to research this more and you found the relevant information. I’ve read through that cPanel forum thread and understand the situation. It certainly makes sense the DMARC policy wouldn’t be enforced if it’s not even being checked. sigh

Thanks again for your assistance!

1 Like