Thank you so much Faisal and Matus for your helpful replies! Could you elaborate on the "p" and "sp" directive in the DMARC record? I am not entirely sure where I did the opposite of what was expected.
"p" is the behaviour for the top-level domain. "sp" is for subdomains – and if "sp" is not set, behaviour from "p" is inherited according to the RFC.

Best,
Mendel

> On 30.04.2024 at 12:47, Faisal Misle via mailop <mailop@mailop.org> wrote:
>
> > configure DMARC for syniumsoftware.com to accept subdomain signatures.
>
> Uh... that's not configured in the DMARC policy. The sp= directive states
> what action to take from subdomains of a domain when a message fails DMARC.
> See https://datatracker.ietf.org/doc/html/rfc7489#section-6.3 and
> https://datatracker.ietf.org/doc/html/rfc6376#section-3.10
>
>
> On 4/30/24 12:37 PM, Matus UHLAR - fantomas via mailop wrote:
>>>>> But this may be related to the drop in reputation of Amazon SES IP Space.
>>>>> Do they offer a dedicated outgoing IP Address that you can try? It also
>>>>> helps reduce any chance of forgeries.. Eg, smaller SPF footprint, that
>>>>> could have poisoned your reputation.
>>
>>>> On 30.04.2024 at 12:06, Matus UHLAR - fantomas via mailop
>>>> <mailop@mailop.org> wrote:
>>>> DKIM should help as well or even better.
>>>> _domainkey.newsletter.syniumsoftware.com produces NXDOMAIN which means
>>>> domain keys don't exist.
>>
>> On 30.04.24 12:22, Mendel Kucharzeck via mailop wrote:
>>> Thanks for your response. DKIM is set up according to the AWS SES
>>> documentation. There are three DKIM records for AWS SES present in the DNS
>>> record of syniumsoftware.com :
>>
>>> 5tciaamivsdm3um6jda5iawx6dkzl4vv._domainkey.syniumsoftware.com =
>>> 5tciaamivsdm3um6jda5iawx6dkzl4vv.dkim.amazonses.com
>>> owv4bewgknpmf434mvkczc5hlg3yrflg._domainkey.syniumsoftware.com =
>>> owv4bewgknpmf434mvkczc5hlg3yrflg.dkim.amazonses.com
>>> ypcsbtqri7hjsoyf55sdheq4elds3ojh._domainkey.syniumsoftware.com =
>>> ypcsbtqri7hjsoyf55sdheq4elds3ojh.dkim.amazonses.com
>>
>>> These SEEM to pass validation according to the DMARC reports we’ve received.
>>>
>>> Now my question: We’re sending using the Email address
>>> newslet...@syniumsoftware.com . The return-path/MAIL-FROM domain is
>>> newsletter.syniumsoftware.com . I assumed that mail servers will look for
>>> the DKIM records at syniumsoftware.com and NOT newsletter.syniumsoftware.com
>>> . Am I wrong?
>>>
>>> Thanks in advance for any guidance you can provide. Highly appreciate your
>>> help.
>>
>> Well, you are right and I forgot about this, servers may check whichever
>> keys you provide and you can configure DMARC for syniumsoftware.com to
>> accept subdomain signatures.
>>
>> However it seems you did the opposite:
>>
>> _dmarc.syniumsoftware.com. 600 IN TXT "v=DMARC1; p=reject;
>> sp=reject; pct=100; rua=mailto:dm...@syniumsoftware.com"
>>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
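
The p/sp selection and the DKIM alignment question raised in this thread, worked through as an added example that is not part of the original messages. The function names are hypothetical, and the organizational domain is passed in explicitly as an assumption; a real verifier derives it from the Public Suffix List.

```python
# Added example: DMARC policy selection and DKIM identifier alignment
# as described in RFC 7489. Not code from the thread or from any mail server.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def effective_policy(tags, from_domain, org_domain):
    """Policy requested for mail whose RFC5322.From domain is from_domain.

    Applies to the record found at _dmarc.<org_domain>, i.e. when the
    subdomain publishes no _dmarc record of its own.
    """
    f = from_domain.lower().rstrip(".")
    org = org_domain.lower().rstrip(".")
    if f == org:
        return tags["p"]
    # Subdomain: sp applies; when sp is absent it inherits p.
    return tags.get("sp", tags["p"])

def dkim_aligned(tags, d_domain, from_domain, org_domain):
    """True if the DKIM d= domain aligns with the From domain.

    adkim defaults to relaxed ("r"); "s" requires an exact match.
    """
    d, f, org = (x.lower().rstrip(".") for x in (d_domain, from_domain, org_domain))
    if tags.get("adkim", "r") == "s":
        return d == f
    # Relaxed: both names must fall under the same organizational domain.
    def in_org(name):
        return name == org or name.endswith("." + org)
    return in_org(d) and in_org(f)

# Record quoted in the thread; the rua tag is left out because the
# archive elides its address.
RECORD = "v=DMARC1; p=reject; sp=reject; pct=100"
# Constructed variant without sp, to show inheritance from p.
NO_SP = "v=DMARC1; p=quarantine"
```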