On Mon, 2022-05-09 at 14:35 -0400, Alex wrote:
> Hi,
>
> I'm trying to understand why this email from a bank fails DMARC
> when mxlookup says the DMARC record is just fine.
>
> https://pastebin.com/0T4Gjn3v
>
> * 1.8 DMARC_REJECT DMARC reject policy
> * 6.0 KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the
> message
> * and the domain has a DMARC reject policy
>
> It also passes SPF and DKIM
>
> * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
> * -0.0 SPF_PASS SPF: sender matches SPF record
> * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
> author's
> * domain
> * -0.1 DKIM_VALID Message has at least one valid DKIM or DK
> signature
> * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not
> necessarily
> * valid
>
> I'm using a local DNS resolver, not a public server.
>
I'm pretty sure it can't pass SPF for the purposes of satisfying DMARC with a null envelope sender. Dunno why the DKIM didn't pass. Can you tell if the d=ess.firstdata.com signature is valid or only the amazonses.com sig (which wouldn't satisfy DMARC)?
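
The alignment question raised in this reply, as an added example that is not part of the original post: a relaxed-mode DMARC check showing why a valid amazonses.com signature alone does not align while a valid d=ess.firstdata.com one would. The From: domain, the HELO name and the two-label organizational-domain shortcut are assumptions; the SPF result "none" for the HELO identity follows the SPF_HELO_NONE line quoted above.

```python
# Added example: DMARC identifier alignment per RFC 7489 (relaxed by default).

def org_domain(domain):
    # Simplification (assumption): last two labels form the organizational
    # domain. A real evaluator consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(from_domain, mail_from_domain, helo_domain, spf_result,
               dkim_sigs, strict=False):
    """Return (passed, reasons). dkim_sigs is a list of (d= domain, valid)."""
    reasons = []
    # With a null envelope sender (MAIL FROM:<>), SPF evaluates the HELO
    # name instead (RFC 7208 section 2.4), so that is the domain compared.
    spf_domain = mail_from_domain or helo_domain
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, strict)
    reasons.append(f"spf {spf_domain} result={spf_result} ok={spf_ok}")
    dkim_ok = False
    for d, valid in dkim_sigs:
        ok = valid and aligned(d, from_domain, strict)
        reasons.append(f"dkim d={d} valid={valid} ok={ok}")
        dkim_ok = dkim_ok or ok
    # DMARC passes when at least one mechanism both passes and aligns.
    return spf_ok or dkim_ok, reasons

# Constructed inputs. Only the two d= domains come from the thread; the
# From: domain and HELO name are assumptions for illustration.
FROM = "ess.firstdata.com"        # assumed RFC5322.From domain
HELO = "mta.example.net"          # hypothetical HELO name
only_ses = [("amazonses.com", True), ("ess.firstdata.com", False)]
both = [("amazonses.com", True), ("ess.firstdata.com", True)]

if __name__ == "__main__":
    for label, sigs in (("only amazonses.com valid", only_ses),
                        ("ess.firstdata.com also valid", both)):
        passed, why = dmarc_eval(FROM, "", HELO, "none", sigs)
        print(label, "->", "pass" if passed else "fail")
        for line in why:
            print("   ", line)
```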