Email Routing Service incorrectly marking DMARC status as failed and not forwarding

We have mission critical emails that must be forwarded to us from the U.S. government from the domain uspto dot gov

Cloudflare in the last several days has stopped forwarding these emails. Every one is marked with an “error” and claiming that DMARC status is failed.

Every online DMARC settings tool I check online says the domain USPTO dot GOV has a correctly configured DMARC record.

Is this a configuration issue on USPTO’s side or a Cloudflare bug?

Relying on mission critical emails, and passing them through one or more forwarding services, are two things that don’t go hand in hand.

If you rely on your email messages, then DO NOT use any email forwarding services (regardless whether it is Cloudflare Email Routing, or any other email routing/forwarding services by other organisations), in order to retrieve them.

Make them go directly.

That would be explaining the reason very well.

These online tools are only seeing a partial view of the whole situation.

They see whether the United States Patent and Trademark Office (USPTO) has configured a DMARC policy for their domain, whether the DMARC policy is syntactically correct, and likely also the individual parameters, such as e.g. what their actual DMARC policy is.

They DO NOT SEE the individual message that was sent to you, and as such, these tools won’t ever be able to confirm or deny, whether that one individual message was passing the sender’s DMARC policy, or not.

Without digging further, I would personally believe that the issue is on United States Patent and Trademark Office (USPTO)'s side.

I was under the impression that I had heard them to be failing in the past, however, digging a little bit, the one I had heard about, appears to be the United States Census Bureau.

The United States Census Bureau should allegedly be running SPF-only messages, while also having a DMARC reject policy.

As SPF, and its alignment to the original sender domain, won’t be able to survive message forwarding, having a DMARC reject policy would literally mean that a lot of legitimate messages, like perhaps the one you indicate, will be lost.

Your explanation points in a similar direction, that the United States Patent and Trademark Office (USPTO) may not be DKIM signing their message with a DKIM signature that has proper alignment to the original sender domain.

With neither DKIM (and its alignment to the original sender domain), nor SPF (and its alignment to the original sender domain) succeeding, you’re left with a DMARC fail.

The DMARC reject policy that both these organisations have is instructing receivers to throw the message away.

Fun fact: Both of these two organisations are a part of the Department of Commerce.

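The reply above describes the mechanics that make a forwarded, SPF-only message fail DMARC: the receiver needs either an aligned SPF pass or an aligned DKIM pass, and forwarding breaks the SPF side. The following Python script is an added example, not code from the thread or from Cloudflare; it implements the DMARC identifier-alignment check from RFC 7489 over constructed Authentication-Results-style inputs and walks through the direct, forwarded-without-DKIM and forwarded-with-DKIM cases. The domains `sender.example` and `forwarder.example`, the DMARC record text, and the two-label organizational-domain rule are all assumptions made for the example (real receivers use the Public Suffix List).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed DMARC record for the hypothetical sender domain; it mirrors the
# "reject policy, relaxed alignment" shape discussed in the thread, not any
# real organisation's record.
SENDER_DMARC_TXT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@sender.example"


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a DMARC TXT record (RFC 7489 section 6.3).
    Alignment tags default to relaxed ('r') and the policy to 'none' if absent."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): keep the last two labels. Real implementations
    # consult the Public Suffix List so that e.g. "gov.uk" is handled correctly.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs matching organizational domains."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str                      # domain of the RFC5322.From header
    spf_result: str                       # "pass", "fail", "none", ...
    spf_domain: Optional[str]             # RFC5321.MailFrom domain SPF was checked against
    dkim: list = field(default_factory=list)  # list of (result, d= domain) per signature


def evaluate_dmarc(record: dict, r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when at least one of
    SPF or DKIM both authenticated and aligned with the From: domain."""
    spf_ok = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = any(res == "pass" and aligned(r.from_domain, d, record["adkim"])
                  for res, d in r.dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", record["p"]


def forwarding_scenarios() -> dict:
    """Constructed scenarios for a message with From: user@sender.example."""
    record = parse_dmarc_record(SENDER_DMARC_TXT)
    cases = {
        # Delivered straight from the sender's own infrastructure: SPF passes and
        # the MAIL FROM domain aligns, so DMARC passes even without DKIM.
        "direct_spf_only": AuthResults("sender.example", "pass", "sender.example"),
        # Forwarder rewrote MAIL FROM (SRS) to its own domain: SPF passes for the
        # forwarder, but that domain is not aligned with From:, and there is no DKIM.
        "forwarded_srs_no_dkim": AuthResults("sender.example", "pass", "forwarder.example"),
        # Forwarder kept the original MAIL FROM but sent from its own IP: SPF fails.
        "forwarded_no_srs_no_dkim": AuthResults("sender.example", "fail", "sender.example"),
        # Same forwarding path, but the sender DKIM-signed with d=sender.example and
        # the signature survived the hop, so DKIM alignment rescues the message.
        "forwarded_with_aligned_dkim": AuthResults(
            "sender.example", "fail", "sender.example", [("pass", "mail.sender.example")]),
    }
    return {name: evaluate_dmarc(record, r) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (result, disposition) in forwarding_scenarios().items():
        print(f"{name:30} dmarc={result:4} disposition={disposition}")
```

The two middle scenarios are the situation the thread describes: whichever way the forwarder handles the envelope sender, the SPF identifier can no longer align with the original From: domain, and with no aligned DKIM signature the sender's `p=reject` tells the receiving side to discard the message. Only the last scenario, where the originator signs with DKIM, survives forwarding.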
