Spent quite a bit of time troubleshooting DMARC, SPF, DKIM, etc. to ensure my records are all correct, flattened, etc. I’m now seeing what looks to be false positives being reported:
Based on the number of messages, it looks like these are emails that are being sent to a Google Group (Distribution List/Mailing List) that are then being forwarded to the individual members on the list. All of the members are internal and have the same domain name ([email protected]) as the Mailing List ([email protected]).
DMARC passed successfully on the original message but is failing when forwarded. Authenticated Received Chain (ARC) was developed as an extension of DMARC to handle these types of situations. It preserves email information in a way that helps these messages pass authentication checks.
Read more here: https://powerdmarc.com/what-is-arc/
Looking at the email headers of some of the emails, I see the following (sanitized):
ARC-Authentication-Results: i=3; mx.google.com;
dkim=pass [email protected] header.s=20221208 header.b=BzMl3dUi;
arc=pass (i=2 spf=pass spfdomain=sendingdomain.net dkim=pass dkdomain=sendingdomain.net dmarc=pass fromdomain=sendingdomain.net);
spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) smtp.mailfrom=dmarc+bncBCTKV6WLTQPBB6MYQWRQMGQEG7TJRPQ@receivingdomain.com;
dmarc=fail (p=NONE sp=NONE dis=NONE arc=pass) header.from=sendingdomain.net
I updated my RUA so that I might get the XML from Google tomorrow, but I suspect the Cloudflare DMARC Reporting parser is seeing the dmarc=fail in the header and reporting on it even though DMARC passed correctly when the message was received.
I’ve also signed up for another DMARC reporting service to see if I get the same reported failures as I’m getting with Cloudflare, to compare, but I think my initial hunch is correct…
Anyone have additional insight?
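The following is an added example, not code from the original post or from Cloudflare or Google. It parses an Authentication-Results / ARC-Authentication-Results header of the shape quoted above (RFC 8601 / RFC 8617) and separates the two cases the post is worried about: a dmarc=fail at the forwarding hop whose validated ARC chain still carries a dmarc=pass from the original delivery, versus a dmarc=fail that nothing vouches for. The sample headers are constructed (selector, signature fragment, IP address and list address are placeholders modelled on the sanitized header in the post), and whether a receiver actually overrides the failure on the strength of the ARC chain is that receiver's local policy, which this code only flags, not decides.

```python
import re

# Constructed sample modelled on the sanitized ARC-Authentication-Results
# header quoted in the post. Selector, signature fragment, IP address and
# the list's bounce address are placeholders, not values from a real message.
SAMPLE_HEADER = (
    "ARC-Authentication-Results: i=3; mx.google.com;\n"
    "       dkim=pass header.i=@sendingdomain.net header.s=selector1 header.b=AbCdEfGh;\n"
    "       arc=pass (i=2 spf=pass spfdomain=sendingdomain.net dkim=pass"
    " dkdomain=sendingdomain.net dmarc=pass fromdomain=sendingdomain.net);\n"
    "       spf=pass (google.com: domain of list+bounces@receivingdomain.com designates"
    " 192.0.2.10 as permitted sender) smtp.mailfrom=list+bounces@receivingdomain.com;\n"
    "       dmarc=fail (p=NONE sp=NONE dis=NONE arc=pass) header.from=sendingdomain.net"
)

# Second constructed sample: a failure with no ARC chain to vouch for it.
PLAIN_FAIL_HEADER = (
    "Authentication-Results: mx.example.org;\n"
    "       spf=fail smtp.mailfrom=spoofed.example;\n"
    "       dkim=none;\n"
    "       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=sendingdomain.net"
)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def split_top_level(text: str, sep: str = ";") -> list:
    """Split on `sep`, ignoring separators inside (...) comments."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_kv(text: str) -> dict:
    """Extract key=value pairs such as `p=NONE arc=pass` or `header.from=x`."""
    return dict(re.findall(r"([\w.]+)=(\S+)", text))


# method=result, optional (reason comment), then ptype.property=value pairs
RESINFO = re.compile(r"^(\w+)=(\w+)\s*(?:\((.*?)\))?\s*(.*)$", re.S)


def parse_auth_results(header: str) -> dict:
    """Parse an Authentication-Results or ARC-Authentication-Results header
    into {'instance', 'authserv_id', 'methods'}."""
    _, _, body = unfold(header).partition(":")
    parts = split_top_level(body)
    if not parts:
        raise ValueError("empty Authentication-Results body")
    instance = None
    m = re.fullmatch(r"i=(\d+)", parts[0])   # ARC headers carry i=N first
    if m:
        instance = int(m.group(1))
        parts = parts[1:]
    authserv_id = parts[0].split()[0]        # drop optional version token
    methods = {}
    for part in parts[1:]:
        m = RESINFO.match(part)
        if not m:
            continue  # tolerate unknown clauses rather than fail the parse
        method, result, reason, props = m.groups()
        methods[method] = {
            "result": result.lower(),
            "reason": parse_kv(reason) if reason else {},
            "props": parse_kv(props),
        }
    return {"instance": instance, "authserv_id": authserv_id, "methods": methods}


def assess(header: str) -> dict:
    """Classify the DMARC outcome recorded in one header.

    'pass'               DMARC passed at this hop.
    'fail-arc-override'  DMARC failed here, but the validated ARC chain carries
                         dmarc=pass from an earlier hop (the forwarding case);
                         overriding on that basis is the receiver's local policy.
    'fail'               DMARC failed and nothing vouches for the message.
    """
    parsed = parse_auth_results(header)
    methods = parsed["methods"]
    dmarc = methods.get("dmarc", {}).get("result")
    arc = methods.get("arc", {})
    # The arc=pass reason comment restates the results sealed at instance i-1.
    original = arc.get("reason", {}).get("dmarc") if arc.get("result") == "pass" else None
    if dmarc == "pass":
        verdict = "pass"
    elif dmarc == "fail" and original == "pass":
        verdict = "fail-arc-override"
    else:
        verdict = "fail"
    return {
        "authserv_id": parsed["authserv_id"],
        "dmarc": dmarc,
        "arc": arc.get("result"),
        "original_dmarc": original,
        "from_domain": methods.get("dmarc", {}).get("props", {}).get("header.from"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for h in (SAMPLE_HEADER, PLAIN_FAIL_HEADER):
        print(assess(h))
```

Run against the first sample the verdict is `fail-arc-override` with `original_dmarc == "pass"`, which is the Google Groups forwarding pattern described in the post; the second sample yields a plain `fail`. When comparing a reporting service's failure counts against raw headers, the useful question is how many of the fails fall in the first bucket, since those are the ones a receiver may have discounted on the strength of the ARC chain.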