Few important questions about SPF, DKIM, DMARC

Discussion in 'Server Operation' started by Poliman, Nov 16, 2018.

  1. Poliman

    Poliman Member

    I have a few questions about the above mechanisms:
    1. Where are mails stored when DMARC is set to quarantine and SPF or DKIM fails for a specific email message? Do they go to Spam in the mailbox?
    2. When I set SPF to softfail and also add DKIM to the DNS zone of a specific domain, then both mechanisms give true and DMARC, when run, passes the mail. Am I right?
    3. What is the main idea of setting soft fail "~all" if each mail server can pass this setting?
  2. florian030

    florian030 ISPConfig Developer

    depends on your settings. spf & dmarc is checked by the receiving host. a server installed with the perfect-setup from howtoforge will not check spf-records and dmarc-records. you need an additional postfix-service for those checks.
    imho this makes no sense for dmarc
  3. Poliman

    Poliman Member

    Yes, I have the perfect-setup, but currently I am trying to adjust SPF and DMARC settings; DKIM is just a digital signature, so it isn't configured beyond pasting the public key into the DNS zone. But could you answer my questions from the first post, or maybe the answer to each question is "it depends"? ;)

    I have found an answer to the first question. When some mail fails SPF or DKIM checking and DMARC has the quarantine setting, then this mail will be marked as SPAM. What about the 2nd and 3rd questions? :)
    One more question, besides the 2nd and 3rd:
    What will happen if I set SPF to "soft fail" but in DMARC I set "strict" for SPF Identifier Alignment - the "aspf" tag?
    Last edited: Nov 16, 2018
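
The questions above about softfail and the "aspf" tag come down to how a receiver combines the SPF and DKIM results under RFC 7489. The following sketch is an added example, not part of the original posts or of ISPConfig; the function names, the two-label `org_domain()` shortcut and the sample domains are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment and pass/fail decision (RFC 7489).
# Assumption: org_domain() approximates the organizational domain with the
# last two labels; real verifiers use the Public Suffix List.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   policy="quarantine", aspf="r", adkim="r"):
    """Return (dmarc_result, disposition).

    Only an SPF result of 'pass' counts; 'softfail' (~all) and 'fail' (-all)
    are both non-pass for DMARC. One aligned pass (SPF or DKIM) is enough.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy  # receiver applies the published p= value

# Constructed sample messages (placeholder domains, not taken from the thread):
# (From: domain, SPF result, envelope domain, DKIM result, DKIM d= domain)
CASES = {
    # SPF softfail, but an aligned DKIM signature verifies -> DMARC pass
    "softfail_dkim_ok": ("example.org", "softfail", "example.org", "pass", "example.org"),
    # SPF passes for a subdomain envelope sender; relaxed alignment accepts it
    "subdomain_relaxed": ("example.org", "pass", "bounce.example.org", "none", ""),
    # neither mechanism yields an aligned pass -> published policy applies
    "both_fail": ("example.org", "softfail", "example.org", "fail", "example.org"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, dmarc_evaluate(*args))
    # Same subdomain message under aspf=s: SPF passes but is not aligned
    print("subdomain_strict", dmarc_evaluate(*CASES["subdomain_relaxed"], aspf="s"))
```

The "aspf" tag only changes how the envelope-sender domain is compared with the From: domain; it does not change how "~all" or "-all" is scored, because any SPF result other than pass is already a non-pass for DMARC.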
  4. Poliman

    Poliman Member

    I have a problem with understanding DMARC reports and some features.
    I attach two reports. The first one comes from google.com, the second one from tumieszkamy.pl. On my server is the DNS zone of the domain kamir-transport.pl, but the whole mail service is deployed on Google - in the DNS zone the MX points to Google and all mailboxes, aliases etc. are there. Recently I configured DKIM and DMARC policies and I got two reports. Honestly I don't know why two, from two different providers - google.com and tumieszkamy.pl. Moreover, in the report originating from Google I see the IP of my server [which fails SPF and DKIM policies] and I don't understand why this IP is evaluated. The second thing which I don't understand is the second report, which I got from tumieszkamy.pl.
    The SPF record in the DNS zone of the domain kamir-transport.pl looked like below (I have now changed it to something slightly different):
    v=spf1 mx include:_spf.google.com -all
    Could anybody help me understand these things?

    Change extension from .txt to .xml.


  5. florian030

    florian030 ISPConfig Developer

    every mail-server that receives a mail from your domain, can send a dmarc-report. this has nothing to do with your mx-record.

    btw: i don't think you should post the same questions here and in the postfix user group.
  6. Poliman

    Poliman Member

    Thank you for the answer. Yes, you are right, but why did I get DMARC reports from Google all the time, and this time I got them from Google and this strange domain tumieszkamy.pl? I don't have any capable person I could ask about this, so - you know - I ask anywhere it's possible.
