Gmail header says …
| SPF: | PASS with IP 135.84.80.168 Learn more |
|---|---|
| DKIM: | ‘PASS’ with domain example.com Learn more |
| DMARC: | ‘PASS’ Learn more |
Has anyone experienced like this?
If “From: domain” says “example.com”, and “Envelope from: domain” says “sender.zohoinvoice.com”, these two would obviously be two completely different domain names.
As such, even though there is an actual SPF pass on “sender.zohoinvoice.com”, there will not be an actual DMARC SPF pass, since “sender.zohoinvoice.com” isn’t equal to “example.com” (with strict DMARC “aspf=”), or below “example.com” (with relaxed DMARC “aspf=” (default)).
That Gmail information does unfortunately not account for the alignment.
Check the actual message headers, such as e.g. “Authentication-Results” in the box below it, for (more accurate) information.
You’re simply missing the alignment between the two domain names, and as such, cannot pass DMARC.
Since DMARC only requires either DKIM (including alignment) OR SPF (including alignment) to pass, you’re still doing fine according to the above screenshot, since your DKIM is appears to be properly aligned.
3 Likes
DMARC value is set as
v=DMARC1; p=reject; rua=mailto:[email protected]
In the receiver mailbox, it looks like this
from: Admin Example <[email protected]>
to: [email protected]
date: Oct 12, 2023, 2:23 PM
subject: Invoice - INV-000149 from Admin Example
mailed-by: sender.zohoinvoice.com
signed-by: example.com
security: Standard encryption (TLS) Learn more
: Important according
Gmail header says pass.
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=1522905413783 header.b=XZpZADat;
arc=pass (i=1 spf=pass spfdomain=sender.zohoinvoice.com dkim=pass dkdomain=example.com dmarc=pass fromdomain=example.com>);
spf=pass (google.com: domain of sender+c2a3e9c0-68dc-11ee-bf8e-5254004d4100_vt1@sender.zohoinvoice.com designates 135.84.80.168 as permitted sender) smtp.mailfrom=sender+c2a3e9c0-68dc-11ee-bf8e-5254004d4100_vt1@sender.zohoinvoice.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=example.com
ARC-Seal: i=1; a=rsa-sha256; t=1697100788; cv=none; d=us.zohomail360.com; s=zohoarc; b=oiCpotAPaD44S73qJZOpUWFQDWGQKs1aGqFmCnWRf1/dcv4j3ykDGlfN0+OBiHGu1tPkhUXJjRVbQv9QWMRudkLbjaYXNlTtQYzf5MEYL7jwihBJPX97cM8P+lYYJv/dmjNB5xr5jkg3rcNa0pFLlzvI88QBwW0b6FfnbLmUs4A=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=us.zohomail360.com; s=zohoarc; t=1697100788; h=Content-Type:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To:Cc; bh=yfT0oDG2Yk2Z4juQdy7NkZTdfwHemy6oOdXVP6KuW6M=; b=E9yc4QJ7dzANNcM+1dj7UUxpiUARXzDvnxeGZZQ5NR4DGwTiE39GauS2dSUbxRyu661wETrhO51OHfzUIX907fFFLBrWRHWPoHZ9bfMiloLCkJl5xeiWfcKA2wgVj73HLBYaWHM2uGvwoIbWZ35Dqgc/hyIsw56ECaKzeYs4weo=
I remember that I added custom domain inside Zoho Invoice system and verified it with txt records as suggested including SPF and DKIM.
As that one doesn’t have any “adkim=” or “aspf=” set, you’re in the default relaxed mode as mentioned above:
With that header, you need to look at the spf=pass line, especially at what exact identity that caused passed SPF, e.g. the one mentioned as smtp.mailfrom:
Here, Google says that the SPF passed with the identity sender[email protected], because the SPF at sender.zohoinvoice.com says that 135.84.80.168 was allowed to send on behalf of sender.zohoinvoice.com.
Going back to the apparent redacted From: header above:
That example.com address is NOT [email protected], [email protected] or anything else in the zohoinvoice.com domain.
Isn’t that correct?
Therefore, you are missing the alignment to the original domain from the header From:, and as such, the DMARC SPF check is failing, because of the missing alignment, because header From: and envelope From: are two different domains.
You would have to get that sender.zohoinvoice.com part changed to e.g. example.com, or thanks to your relaxed configuration, stuff like zoho-invoice.example.com, billing.example.com, invoice.example.com, or similar, would work as well.
According to dmarc.io - Sources, Zoho has five (5) different email related products:
| Source | DMARC SPF compliance |
DMARC DKIM compliance |
|---|---|---|
| Zoho Campaigns |  |
|
| Zoho CRM | |
|
| Zoho Mail | |
|
| Zoho People | |
|
| Zoho services | |
Typically, those that allows you configure them in a way so you can also pass the SPF alignment requirement for DMARC, would be listed with a check mark in DMARC SPF compliance.
Unfortunately, there are too many companies that blindly ask you to add them to your SPF record, even if adding them would be completely useless, as the SPF part would be in this specific case.
5 Likes
Thank you for the information. It’s too technical for me. I couldn’t understand much. Do I need to worry in the current state? as I am using Zoho Invoice to send email-based invoice to my clients. I recently stopped using “CF Email Forwarding with Gmail” & Switched to G suite for the proper DKIM, SPF & DMARC and primary inbox delivery (earlier it was reaching in primary with Gmail SMTP but it was failing DKIM so I had to switch, and using typical transactional email services was not something in my choice as all of them lands into promotion tab).
I am not sure what’s wrong with Zoho Invoicing system here. I followed what they said. I have no idea what next to do to ensure better email delivery rate.
The formula in order to pass DMARC is literally:
IF ((DKIM_VALID && DKIM_ALIGNMENT) || (SPF_PASS && SPF_ALIGNMENT)).
&& literally meaning AND, || literally meaning OR.
You’re successfully passing DKIM part of the above formula, and with proper alignment according to the shared information (with example.com), and therefore ending up with the overall DMARC pass.
So no, I would NOT be worried at all.
Assuming we’re talking the the “free” @gmail.com trick, that one isn’t able to make alignment on any of DKIM or SPF, which is the whole problem there, so both the DKIM or SPFare literally failing due to the alignment with that “trick”.
A good percentage of the email providers you can outsource your email deliveries to out there are allowing both transactional messages, and newsletters/marketing/sales boosting material at the same time.
To do whatever you can to avoid ending up on the promotional tab for real transactional messages, I would suggest taking a provider that doesn’t list newsletters/marketing/sales boosting material, in any way, as allowed options.
In addition, I would always suggest to refrain from using SendGrid, they have a decade long history of housing systemic spam / phishing / malware attacks, without doing anything at all to mitigate the situation.
You don’t have to take my word for that, if you don’t wish to. You can also check the Swiss Government Computer Emergency Response Team’s website:
I would generally also refrain from using the service providers that are popping up at the first (and eventually second) page of e.g. Google searches.
Do you actually have any ongoing issues getting your emails (in this case: invoices) delivered?
3 Likes
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.