All of which leaves me confused about how your message got rejected.

Enforcing DMARC is risky because SM does not provide a good exception mechanism, and there will be a need for exceptions.   I use custom logic in Declude instead.  Details on request.

Could it be that they don't publish DMARC for the root domain because they use gateways/mailers to send those messages? If you have an example message you can provide us we can simulate it's delivery and see how it is handled outside of your environment for you.

Hi Kyle

Still happening. But I figured this out.

Smartermail is looking at our Incoming Gateway IP for this client Dmarc test instead of the originating IP for its.ny.gov. When a domain has an Incoming Gateway, Smartermail should use those IPs as approved SPF records. And look at the originating IP for DKIM

Like this

v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov [smartermailgateway1] [smartermailgateway2] -all

In this case 

v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov 208.70.129.79 -all

Research

[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC Results: Failed (Domain: its.ny.gov, Reason: SPF: False, DKIM: False, Alignments: 0, Domain: its.ny.gov, Action: reject), Reason: SPF: False, DKIM: False, Alignments: 0, Domain: its.ny.gov, Reject? True

[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Beginning DMARC check for its.grp.plat.adhoc@its.ny.gov from IP 208.70.129.79...
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] ARC Chain verifier Errors: MessageSignatureValidationFailed
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] The from field for the message is "NYS mySend <its.grp.plat.adhoc@its.ny.gov>".  Will look for DMARC policy record at _dmarc.its.ny.gov
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Retrieved the following DMARC policy record for "its.ny.gov": v=DMARC1;p=reject;pct=100;rua=mailto:re+taxx0e4mwfl@dmarc.postmarkapp.com;sp=reject;aspf=r;
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Signature to verify:
[2025.01.15] v=1; a=rsa-sha256; c=relaxed/relaxed; d=its.ny.gov;    s=selector2;    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;    bh=Hrgl6X64CJcUaCVd8DmQJa9iCIOfDabGBQOJ2kJTNhY=;    b=l8HVsGlFgahen9FiQuyd58QGUU60CtlBjwdEsIVO2HRrNGSSh8nW641ucl3BGj1QWot9F6TS3VegCluTZ0ZWlUb6mZ7ujh/9dAjEvvUN0F1OD0hx37fFJu72xMzS8wrBJAo1yVhOJm8/iEuo4fomCVICw/gfhtnWo1cTtG+FHZM=09:09:54.472 [208.70.129.79][1867840] DMARC: SPF failure.
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC: Bad DKIM signature.
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC DKIM domains; its.ny.gov SPF domain: its.ny.gov, DMARC domain: its.ny.gov. DKIM succeeded: False, SPF succeeded: False.

v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov -all

v=spf1 mx ip4:170.123.0.0/16 ip4:161.11.224.0/22 include:svc.ny.gov include:service.govdelivery.com -all

SPF its.ny.gov Query for 208.70.129.79 Fail

SPF ny.gov Query for 208.70.129.79 Fail

Thanks Doug there was something else going on.

Hi Kyle

It would also be nice to have a log entry for easy lookup. This way, Admins could easily search and find all legitimate emails for a specific domain that are being blocked by DMARC.

DMARC Testing for incoming [clientdomain] Fail or Passed

Hi Kyle

Another solution would be to add a setting to the Gateway page, Bypass Dmarc for this gate way. Yes or No

Hi Kyle 

Ok, I do have this gateway in the Security/Whitelist/ page, but there is no option to just skip DMARC.

Hello,

If you select the gateway's entry in the Whitelist and enable this setting, it should have the desired effect:

Hi Jorel

Thank you yes I saw that and was thinking that would solve the failed delivery but we would like to keep spam checks running and just turn off Dmarc for a Gateway.