mail from being rejected by DMARC
Question asked by John Kisha - May 1, 2015 at 6:34 PM
Why would email from such a large company not pass DMARC on my server? The same email is accepted by gmail, so there must be something wrong with my settings. Here is the log entry. (One of several)
[2015.05.01] 13:15:59 [][4102396] rsp: 220
[2015.05.01] 13:15:59 [][4102396] connected at 5/1/2015 1:15:59 PM
[2015.05.01] 13:15:59 [][4102396] cmd: EHLO
[2015.05.01] 13:15:59 [][4102396] rsp: Hello []250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.05.01] 13:15:59 [][4102396] cmd: STARTTLS
[2015.05.01] 13:15:59 [][4102396] rsp: 220 Start TLS negotiation
[2015.05.01] 13:15:59 [][4102396] cmd: EHLO
[2015.05.01] 13:15:59 [][4102396] rsp: Hello []250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.05.01] 13:15:59 [][4102396] cmd: MAIL FROM:<>
[2015.05.01] 13:15:59 [][4102396] rsp: 250 OK <> Sender ok
[2015.05.01] 13:15:59 [][4102396] cmd: RCPT TO:<>
[2015.05.01] 13:15:59 [][4102396] rsp: 250 OK <> Recipient ok
[2015.05.01] 13:15:59 [][4102396] cmd: DATA
[2015.05.01] 13:16:04 [][4102396] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.05.01] 13:16:04 [][4102396] rsp: 550 Message rejected due to senders DMARC policy
[2015.05.01] 13:16:04 [][4102396] A trace of the DMARC processing follows.
[2015.05.01] 13:16:04 [][4102396] Beginning DMARC check for from IP
[2015.05.01] 13:16:04 [][4102396] The from field for the message is "John via Dropbox <>".  Will look for DMARC policy record at
[2015.05.01] 13:16:04 [][4102396] Retrieved the following DMARC policy record for "": v=DMARC1; p=reject; fo=1; pct=100;,;
[2015.05.01] 13:16:04 [][4102396] DMARC policy violated due to DKIM domain ("") not belonging to the same parent domain as the from address field domain ("").
[2015.05.01] 13:16:04 [][4102396] Data transfer succeeded but message rejected by DMARC
[2015.05.01] 13:16:04 [][4102396] cmd: RSET
[2015.05.01] 13:16:04 [][4102396] rsp: 250 OK
[2015.05.01] 13:16:26 [][4102396] cmd: QUIT
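
The trace above ends in a DKIM identifier-alignment failure: a signature that verifies only counts toward DMARC when its d= domain shares the From domain's organizational domain. The sketch below is an added example, not part of the original post or the mail server's own code; the domains are constructed placeholders, and the organizational domain is assumed to be the last two labels, where real receivers use the Public Suffix List.

```python
"""Simplified DMARC identifier-alignment check (after RFC 7489).
Added illustration; ignores pct=, sp= and reporting tags."""

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict, skipping empty or malformed parts."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real receivers
    # consult the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' (strict): exact match; anything else is relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, dkim_pass_domains, spf_pass_domain=None):
    """Return (disposition, reasons).
    dkim_pass_domains: d= values of DKIM signatures that verified.
    spf_pass_domain: MAIL FROM domain if SPF passed, else None."""
    tags = parse_dmarc(record)
    reasons = []
    for d in dkim_pass_domains:
        ok = aligned(d, from_domain, tags.get("adkim", "r"))
        reasons.append(f"DKIM d={d}: {'aligned' if ok else 'not aligned'}")
        if ok:
            return "pass", reasons
    if spf_pass_domain is not None:
        ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
        reasons.append(f"SPF {spf_pass_domain}: {'aligned' if ok else 'not aligned'}")
        if ok:
            return "pass", reasons
    # Nothing aligned: the From domain's published policy applies.
    return tags.get("p", "none"), reasons

# Constructed sample: policy tags as in the trace, placeholder domains.
RECORD = "v=DMARC1; p=reject; fo=1; pct=100"

if __name__ == "__main__":
    # Valid third-party signature and SPF pass, but neither aligns with From.
    print(evaluate(RECORD, "sender.example", ["bulk-mailer.example"],
                   "bounces.bulk-mailer.example"))
```

On the receiving side nothing short of an exception for that sender changes this result; the sending domain has to sign with a d= (or use a MAIL FROM) under its own organizational domain.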

6 Replies

These kinds of issues are why we have disabled DMARC.
In spite of the trepidations expressed by some, DMARC works very well when properly set up.
We might be able to see what's going on if you post both the SENDING and RECEIVING domain information.
Otherwise, resolving this would entail actually looking at the settings on your server.
Bruce Barnes
ChicagoNetTech Inc

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal:
Security Blog:

Web and E-Mail Hosting, E-Mail Security and Consulting
We are having the same experience. I configured DMARC and DKIM by using the SM-bible from Bruce ;-)
Also only Dropbox is causing problems.
I'm using Bruce's book too. I wrote to Dropbox and here is their reply:
Thanks for writing in to Dropbox Support! I'd be happy to answer your question today.

We occasionally use certain Amazon domains (in this case, to handle various kinds of data. Unfortunately, due to the nature and design of DMARC and specifically DKIM, the only way to work around this is to disable verification.

I hope this information helps. Please let me know if I can be of further assistance.
Obviously not much help, they don't even seem to care--just 'turn it off'. 
Bruce, the sender information is included in the log above. The domain that is rejecting their email is (or any other domain hosted on that server) MX for the server is 
Sorry for my late reply, I've been out of town and I actually did turn it off so that a couple of clients could get email from while I was gone. Now that I'm back, I don't want to leave it turned off, so there has to be something that can be done to fix it, I would hope.
If you need any other info, just let me know.
Thanks again to all that replied. It's greatly appreciated.

Where is our DMARC override? This feature has been asked for before. It's about time our control is given back...
I have the same issue. Any idea how to resolve this, anyone?
