SPF fail but DKIM pass using Amazon SES on Wordpress via Mailster

So I will apologize in advance as I’m an idiot about this stuff.

Quick background:
Use Wordpress for a photography site and recently switched to the Mailster plugin for sending out a daily and weekly newsletter. I have been using Amazon SES for a few years dating back to a prior plugin and I think was grandfathered into not having to do the DKIM stuff until I switched.

So, on Amazon SES, I have a verified domain and email from address. Emails seem to be going out fine but I keep getting DMARC emails that seem to show DKIM Pass and SPF Fail.

I use Cloudflare and have input the MX and TXT fields there. I’m not sure if I’m supposed to put in actual emails and domains here or if that is just asking for spam…

Cloudflare has 3 MX entries
Name - Mail Server
root - smtp.domain-com
root - mail.domain-com
newsletter - Amazon SES value (feedback-smtp.us-east-1.amazonses.com)

Also two TXT fields
_dmarc - v=DMARC1; p=quarantine; rua=mailto:contact@domain-com

default._domainkey - v=DKIM1; k=rsa; p=(lots of text)

And 3 CNAME entries from Amazon SES to verify the domain

So hopefully that is enough info to help you help me figure out why I get 10 emails per day to the dmarc account with all showing DKIM=pass and SPF=fail

EDIT: meant to add that I added in that newsletter@domain-com in Amazon SES as the Custom Mail From domain as an attempt to fix the SPF fail issue. Then I added the MX entry to account for that but not sure if that was correct.

I send emails from Mac Mail using the contact@ address regularly so didn’t want to lose that ability by having the Amazon SES emails use the contact@ address and have to change the MX entry for it to only be able to use Amazon (hope that all makes sense)

Thanks! (new user so had to modify the above and replace . with - to not have too many links)

Welcome to the dmarcian forums!

The purpose of DMARC is to authenticate the domain of the email shown to the recipient. This is the RFC 5322 From address, or the message body from address. There is another ‘from address’ in every email. It is the RFC 5321 From address and is more commonly known as the envelope sender or return-path. It is not normally visible to the recipient of the email.

There are two methods that DMARC can use to authenticate the (RFC 5322) sender domain: SPF and DKIM.

DKIM creates a cryptographic signature based on parts of the email which can be checked against the published DKIM record. If the math checks out, it passes. There is more to it than that, but that should be sufficient explanation for your current situation.

SPF checks the relay IP to see if it is listed in the RFC 5321 sending domain’s SPF records. Assuming that it is included, in order for a successful SPF test to be useful in verifying the RFC 5322 domain, alignment must be present. The short explanation of alignment is that the RFC 5321 and RFC 5322 domains need to match.

e.g.
sender@example.com and sender@example.com OK
sender@example.com and sender@example.net NO

If you have set up a custom mail domain in your Amazon SES account, you should be able to also pass DMARC with SPF.

One important detail about DMARC: you don’t need to pass both SPF and DKIM to pass DMARC. As long as one is valid (which means alignment is required for SPF to pass DMARC), your DMARC is good.

I hope this has helped, and I will do my best to answer any additional questions you have about SPF, DKIM, and DMARC.
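To make the alignment rule in the reply above concrete, here is a small added example (not code from the post or from dmarcian) that evaluates a DMARC verdict the way a receiver does: SPF and DKIM each count only if their own domain aligns with the RFC 5322 From domain, and either one is enough. The domains and results are constructed; the organizational-domain helper is simplified to the last two labels (real receivers consult the Public Suffix List), and the `us-east-1.amazonses.com` return-path stands in for the default SES envelope sender when no custom MAIL FROM domain is configured.

```python
"""DMARC alignment check, simplified. Added example with constructed inputs."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.

    Assumption: real evaluators use the Public Suffix List so that
    e.g. example.co.uk is handled correctly; this is enough for the demo.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r'): organizational domains match. Strict ('s'): exact match."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResult:
    header_from: str   # RFC 5322 From domain (what the recipient sees)
    mail_from: str     # RFC 5321 MAIL FROM / return-path domain
    spf_result: str    # raw SPF result for mail_from: 'pass', 'fail', ...
    dkim_domain: str   # d= tag of the DKIM signature
    dkim_result: str   # raw DKIM verification result


def dmarc_verdict(r: AuthResult, aspf: str = "r", adkim: str = "r") -> dict:
    """SPF or DKIM counts for DMARC only when it passed AND aligns with header From."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.mail_from, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, adkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}


# Constructed scenarios mirroring the thread.
SES_DEFAULT_MAILFROM = AuthResult(
    header_from="example.com",
    mail_from="us-east-1.amazonses.com",   # SES default envelope sender (assumed)
    spf_result="pass",                     # SPF passes for amazonses.com ...
    dkim_domain="example.com",
    dkim_result="pass",
)
SES_CUSTOM_MAILFROM = AuthResult(
    header_from="example.com",
    mail_from="newsletter.example.com",    # custom MAIL FROM subdomain
    spf_result="pass",
    dkim_domain="example.com",
    dkim_result="pass",
)

if __name__ == "__main__":
    # ... but does not align, so the report shows DKIM=pass, SPF=fail, DMARC pass.
    print("default MAIL FROM:", dmarc_verdict(SES_DEFAULT_MAILFROM))
    # With a custom MAIL FROM subdomain, relaxed alignment accepts it.
    print("custom MAIL FROM: ", dmarc_verdict(SES_CUSTOM_MAILFROM))
    print("custom, strict:   ", dmarc_verdict(SES_CUSTOM_MAILFROM, aspf="s"))
```

Two things the code makes visible: a report line of DKIM=pass, SPF=fail is still a DMARC pass, and the SPF half only starts aligning once the envelope sender is under your own domain. Since the SPF lookup is done against the MAIL FROM domain, that custom subdomain also needs its own SPF TXT record naming the SES sending infrastructure (the SES console lists the exact record to add) before the raw SPF result can be a pass at all; the DNS entries listed in the original question show DMARC and DKIM records but no SPF record.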

Thank you for that detailed and fast response! Really appreciate it.

Is it safe to copy/paste the results of a DMARC xml file here to look at and confirm my suspicion that it is ‘fine’ and just the SPF is failing?

Assuming my reading of the xml is correct:

  1. If I seem to pass DKIM per the DMARC email xml files I receive, I can ignore SPF?
  2. And in that case, is it okay to remove my email from the TXT file on Cloudflare so I stop getting 5-10 emails with DMARC info?

Thanks again for pointing me to this forum

You can use the DMARC Report Analyzer for that.

Technically, you can, but if you get both methods working, it gives you a fallback if one fails for some reason. SPF is the method that I see break more often due to forwarding, but it is possible for DKIM to get broken if one of the signed elements is altered downstream from the signing point.

Despite the DMARC specification using email as the report delivery mechanism, DMARC reports aren’t intended to be sent to a human’s inbox. As you have seen, it can work in a pinch, but they are really intended to be processed by a service like dmarcian where you can review the processed data presented in an aggregated format.

Aside from becoming aware of the astonishingly high instances of forgery attempts on some domains, DMARC monitoring is largely uneventful once everything is fine-tuned. However, it is a lot easier to identify problems if you are already collecting and processing the reports with a DMARC monitoring service before they arise.
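The earlier question about reading the DMARC XML files by hand is answered by the analyzer link above, but for anyone who wants to see what those aggregate reports actually contain, here is an added example (not from the post or from dmarcian) that parses a constructed RFC 7489 aggregate report and tallies per-source results. The sample XML, IP addresses and domains are all made up; the first record is shaped like the situation in this thread, with the raw SPF result a pass for the SES domain but the policy-evaluated SPF a fail because it does not align. Reports arrive as attachments from arbitrary third parties, so treat them as untrusted input; a hardened parser such as defusedxml is the safer choice in production (assumption: the stdlib parser is used here only to keep the example dependency-free).

```python
"""Summarize a DMARC aggregate (rua) report. Added example, constructed data."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report in the RFC 7489 aggregate format.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>reporter.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>default</selector><result>pass</result></dkim>
      <spf><domain>us-east-1.amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.23</source_ip><count>2</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _text(el, path, default=""):
    """Return the stripped text of a child element, or a default if absent."""
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else default


def summarize(xml_text: str) -> dict:
    """Per-source results plus message totals keyed by DMARC/SPF/DKIM outcome."""
    root = ET.fromstring(xml_text)
    summary = {
        "domain": _text(root, "policy_published/domain"),
        "policy": _text(root, "policy_published/p"),
        "reporter": _text(root, "report_metadata/org_name"),
        "sources": [],
        "totals": Counter(),
    }
    for rec in root.findall("record"):
        count = int(_text(rec, "row/count", "0"))
        dkim = _text(rec, "row/policy_evaluated/dkim")   # already alignment-aware
        spf = _text(rec, "row/policy_evaluated/spf")     # already alignment-aware
        entry = {
            "source_ip": _text(rec, "row/source_ip"),
            "count": count,
            "dkim": dkim,
            "spf": spf,
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "dmarc_pass": "pass" in (dkim, spf),          # either one is enough
            "spf_auth_domain": _text(rec, "auth_results/spf/domain"),
            "spf_raw": _text(rec, "auth_results/spf/result"),
        }
        summary["sources"].append(entry)
        summary["totals"]["pass" if entry["dmarc_pass"] else "fail"] += count
        summary["totals"]["spf_" + spf] += count
        summary["totals"]["dkim_" + dkim] += count
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']} reported by {s['reporter']}")
    for src in s["sources"]:
        print(f"  {src['source_ip']:>15}  n={src['count']:<3} dkim={src['dkim']:<4} "
              f"spf={src['spf']:<4} (raw spf {src['spf_raw']} for {src['spf_auth_domain']})"
              f"  dmarc={'pass' if src['dmarc_pass'] else 'FAIL'}")
    print("  totals:", dict(s["totals"]))
```

The useful habit this builds is reading `policy_evaluated` (which already reflects alignment) separately from `auth_results` (the raw checks): a source whose raw SPF passes for someone else's domain still shows `spf=fail` in the evaluated block, while a source that fails both checks is the one to look at for forgery or a misconfigured legitimate sender.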


Again very helpful and appreciated

Feel like I went into this backwards - Cloudflare to the forum and finally to the main site.

I set up the account and will monitor issues as dmarc emails come in

Thanks again

You are welcome.

I hope you find the dmarc reports worthwhile. I implemented my first DMARC policy when a service that I used for CSP reporting added DMARC. The presentation there was quite spartan, though definitely better than trying to manually review them. I never collected them in my inbox, but I did download and review some raw reports out of curiosity. Once I moved my reporting to dmarcian, I grew accustomed to how much data is presented in a useful fashion.