mail from dropbox.com being rejected by DMARC
Question asked by John Kisha - 5/1/2015 at 6:34 PM
Unanswered
Why would email from such a large company not pass DMARC on my server? The same email is accepted by gmail, so there must be something wrong with my settings. Here is the log entry. (One of several)
 
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 email.domain.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] connected at 5/1/2015 1:15:59 PM
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: STARTTLS
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 Start TLS negotiation
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: MAIL FROM:<0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com> Sender ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: RCPT TO:<user@domain.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <user@domain.com> Recipient ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: DATA
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 550 Message rejected due to senders DMARC policy
[2015.05.01] 13:16:04 [54.240.10.128][4102396] A trace of the DMARC processing follows.
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Beginning DMARC check for 0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com from IP 54.240.10.128...
[2015.05.01] 13:16:04 [54.240.10.128][4102396] The from field for the message is "John via Dropbox <no-reply@dropbox.com>".  Will look for DMARC policy record at _dmarc.dropbox.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Retrieved the following DMARC policy record for "dropbox.com": v=DMARC1; p=reject; fo=1; pct=100; rua=mailto:dropbox@rua.agari.com,mailto:dmarc@dropbox.com; ruf=mailto:dropbox@ruf.agari.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] DMARC policy violated due to DKIM domain ("amazonses.com") not belonging to the same parent domain as the from address field domain ("dropbox.com").
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Data transfer succeeded but message rejected by DMARC
[2015.05.01] 13:16:04 [54.240.10.128][4102396] cmd: RSET
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 250 OK
[2015.05.01] 13:16:26 [54.240.10.128][4102396] cmd: QUIT

12 Replies

Reply to Thread
1
Steve Reid Replied
These kind of issues are why we have disabled DMARC
0
Bruce Barnes Replied
In spite of the trepidations expressed by some, DMARC works very well when properly setup.
 
We might be able to see what's going on if you post both the SENDING and RECEIVING domain information.
 
Otherwise, resolving this would entail actually looking at the settings on your server
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Martin Schaible Replied
We are experience the same experience. I configured DMARC and DKIM by using the SM-bible from Bruce ;-)
 
Also only Dropbox is causing problems.
1
John Kisha Replied
I'm using Bruce's book too. I wrote to Dropbox and here is their reply:
 
Thanks for writing in to Dropbox Support! I'd be happy to answer your question today.

We occasionally use certain Amazon domains (in this case, amazonses.com) to handle various kinds of data. Unfortunately, due to the nature and design of DMARC and specifically DKIM, the only way to work around this is to disable verification.

I hope this information helps. Please let me know if I can be of further assistance.
 
Obviously not much help, they don't even seem to care--just 'turn it off'. 
 
Bruce, the sender information is included in the log above. The domain that is rejecting their email is myfirstname@dandylionhosting.com (or any other domain hosted on that server) MX for the server is email.dandylionhosting.com. 
 
Sorry for my late reply, I've been out of town and I actually did turn it off so that a couple of clients could get email from dropbox.com while I was gone. Now that I'm back, I don't want to leave it turned off, so there has to be something that can be done to fix it, I would hope.
 
If you need any other info, just let me know.
 
Thanks again to all that replied. It's greatly appreciated.
 
John

 
0
Bruce Barnes Replied
Send me your contact list and, after I'm done fighting with a customer's network solutions DNS account, I'll be happy to take a look at this.

Dropbox and Amazon have, recently, proven to cause a few DMARC issues, and AOL has ramped up their DMARC vetting, so it's important we stay on top of this.

Developing fixes within the DMARC / SPF settings so we can maintain as much protection as possible for our SmarterMail (or any other MX) servers, is extremely important.

[NOTE The SPF IP ADDRESS settings being a good part of the DMARC process of vetting the authentication of the sending server.]
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Steve Reid Replied
Where is our dmarc over ride? This feature has been asked for before. It about time our control is given back...
0
Gary P Replied
I have the same issue, any idea how to resolve this anyone ?
0
Tony Mazzullo Replied
There is an option to turn DMARC off under Security-AntiSpam-Options Tab
0
Tony Mazzullo Replied
I had to turn DMARC off for now under Security-AntiSpam Administration-Options Tab. Dropbox being the culprit here also
0
Steve Reid Replied
Yeah i know, believe me its off, i could never hand over control of my server like that
0
Tony Mazzullo Replied
Did you find anything Bruce? I am having issues with the same Dropbox DMARC issues and have had to turn DMARC off to get these emails 8(
0
Gary P Replied
Thanks got it, literally "couldn't see it for looking"

Reply to Thread