mail from dropbox.com being rejected by DMARC

Question asked by John Kisha - 5/1/2015 at 6:34 PM

Unanswered

Why would email from such a large company not pass DMARC on my server? The same email is accepted by gmail, so there must be something wrong with my settings. Here is the log entry. (One of several)

[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 email.domain.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] connected at 5/1/2015 1:15:59 PM
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: STARTTLS
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 Start TLS negotiation
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: MAIL FROM:<0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com> Sender ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: RCPT TO:<user@domain.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <user@domain.com> Recipient ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: DATA
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 550 Message rejected due to senders DMARC policy
[2015.05.01] 13:16:04 [54.240.10.128][4102396] A trace of the DMARC processing follows.
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Beginning DMARC check for 0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com from IP 54.240.10.128...
[2015.05.01] 13:16:04 [54.240.10.128][4102396] The from field for the message is "John via Dropbox <no-reply@dropbox.com>". Will look for DMARC policy record at _dmarc.dropbox.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Retrieved the following DMARC policy record for "dropbox.com": v=DMARC1; p=reject; fo=1; pct=100; rua=mailto:dropbox@rua.agari.com,mailto:dmarc@dropbox.com; ruf=mailto:dropbox@ruf.agari.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] DMARC policy violated due to DKIM domain ("amazonses.com") not belonging to the same parent domain as the from address field domain ("dropbox.com").
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Data transfer succeeded but message rejected by DMARC
[2015.05.01] 13:16:04 [54.240.10.128][4102396] cmd: RSET
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 250 OK
[2015.05.01] 13:16:26 [54.240.10.128][4102396] cmd: QUIT

12 Replies

Reply to Thread

Steve Reid Replied

5/5/2015 at 5:26 AM

These kind of issues are why we have disabled DMARC

Bruce Barnes Replied

5/5/2015 at 5:50 AM

In spite of the trepidations expressed by some, DMARC works very well when properly setup.

We might be able to see what's going on if you post both the SENDING and RECEIVING domain information.

Otherwise, resolving this would entail actually looking at the settings on your server

Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting

Martin Schaible Replied

5/7/2015 at 5:36 PM

We are experience the same experience. I configured DMARC and DKIM by using the SM-bible from Bruce ;-)

Also only Dropbox is causing problems.

John Kisha Replied

5/7/2015 at 7:40 PM

I'm using Bruce's book too. I wrote to Dropbox and here is their reply:

Thanks for writing in to Dropbox Support! I'd be happy to answer your question today.

We occasionally use certain Amazon domains (in this case, amazonses.com) to handle various kinds of data. Unfortunately, due to the nature and design of DMARC and specifically DKIM, the only way to work around this is to disable verification.

I hope this information helps. Please let me know if I can be of further assistance.

Obviously not much help, they don't even seem to care--just 'turn it off'.

Bruce, the sender information is included in the log above. The domain that is rejecting their email is myfirstname@dandylionhosting.com (or any other domain hosted on that server) MX for the server is email.dandylionhosting.com.

Sorry for my late reply, I've been out of town and I actually did turn it off so that a couple of clients could get email from dropbox.com while I was gone. Now that I'm back, I don't want to leave it turned off, so there has to be something that can be done to fix it, I would hope.

If you need any other info, just let me know.

Thanks again to all that replied. It's greatly appreciated.

John

Bruce Barnes Replied

5/7/2015 at 7:48 PM

Send me your contact list and, after I'm done fighting with a customer's network solutions DNS account, I'll be happy to take a look at this.

Dropbox and Amazon have, recently, proven to cause a few DMARC issues, and AOL has ramped up their DMARC vetting, so it's important we stay on top of this.

Developing fixes within the DMARC / SPF settings so we can maintain as much protection as possible for our SmarterMail (or any other MX) servers, is extremely important.

[NOTE The SPF IP ADDRESS settings being a good part of the DMARC process of vetting the authentication of the sending server.]