mail from dropbox.com being rejected by DMARC
Question asked by John Kisha - May 1, 2015 at 6:34 PM
Unanswered
Why would email from such a large company not pass DMARC on my server? The same email is accepted by gmail, so there must be something wrong with my settings. Here is the log entry. (One of several)
 
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 email.domain.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] connected at 5/1/2015 1:15:59 PM
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: STARTTLS
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 220 Start TLS negotiation
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: EHLO a10-128.smtp-out.amazonses.com
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250-email.domain.com Hello [54.240.10.128]250-SIZE 31457280250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: MAIL FROM:<0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com> Sender ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: RCPT TO:<user@domain.com>
[2015.05.01] 13:15:59 [54.240.10.128][4102396] rsp: 250 OK <user@domain.com> Recipient ok
[2015.05.01] 13:15:59 [54.240.10.128][4102396] cmd: DATA
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 550 Message rejected due to senders DMARC policy
[2015.05.01] 13:16:04 [54.240.10.128][4102396] A trace of the DMARC processing follows.
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Beginning DMARC check for 0000014d111f2e85-62176599-8d57-4bcc-8c13-ac37d150e734-000000@amazonses.com from IP 54.240.10.128...
[2015.05.01] 13:16:04 [54.240.10.128][4102396] The from field for the message is "John via Dropbox <no-reply@dropbox.com>".  Will look for DMARC policy record at _dmarc.dropbox.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Retrieved the following DMARC policy record for "dropbox.com": v=DMARC1; p=reject; fo=1; pct=100; rua=mailto:dropbox@rua.agari.com,mailto:dmarc@dropbox.com; ruf=mailto:dropbox@ruf.agari.com
[2015.05.01] 13:16:04 [54.240.10.128][4102396] DMARC policy violated due to DKIM domain ("amazonses.com") not belonging to the same parent domain as the from address field domain ("dropbox.com").
[2015.05.01] 13:16:04 [54.240.10.128][4102396] Data transfer succeeded but message rejected by DMARC
[2015.05.01] 13:16:04 [54.240.10.128][4102396] cmd: RSET
[2015.05.01] 13:16:04 [54.240.10.128][4102396] rsp: 250 OK
[2015.05.01] 13:16:26 [54.240.10.128][4102396] cmd: QUIT

6 Replies

Reply to Thread
1
These kind of issues are why we have disabled DMARC
0
In spite of the trepidations expressed by some, DMARC works very well when properly setup.
 
We might be able to see what's going on if you post both the SENDING and RECEIVING domain information.
 
Otherwise, resolving this would entail actually looking at the settings on your server
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
We are experience the same experience. I configured DMARC and DKIM by using the SM-bible from Bruce ;-)
 
Also only Dropbox is causing problems.
1
I'm using Bruce's book too. I wrote to Dropbox and here is their reply:
 
Thanks for writing in to Dropbox Support! I'd be happy to answer your question today.

We occasionally use certain Amazon domains (in this case, amazonses.com) to handle various kinds of data. Unfortunately, due to the nature and design of DMARC and specifically DKIM, the only way to work around this is to disable verification.

I hope this information helps. Please let me know if I can be of further assistance.
 
Obviously not much help, they don't even seem to care--just 'turn it off'. 
 
Bruce, the sender information is included in the log above. The domain that is rejecting their email is myfirstname@dandylionhosting.com (or any other domain hosted on that server) MX for the server is email.dandylionhosting.com. 
 
Sorry for my late reply, I've been out of town and I actually did turn it off so that a couple of clients could get email from dropbox.com while I was gone. Now that I'm back, I don't want to leave it turned off, so there has to be something that can be done to fix it, I would hope.
 
If you need any other info, just let me know.
 
Thanks again to all that replied. It's greatly appreciated.
 
John

 
0
Where is our dmarc over ride? This feature has been asked for before. It about time our control is given back...
0
I have the same issue, any idea how to resolve this anyone ?

Reply to Thread