Back to Community Threads
Dmarc for subdomains
Problem reported by J Lee - 1/15/2025 at 9:28 AM
Submitted
Hi All

I'm seeing an issue for example where its.ny.gov has dmarc, spf, and dkim up and working, but ny.gov does not. 

The problem, I think, is that on the second or third ping to the DNS of the subdomain, Smartermail appears to be pinging ny.gov instead of its.ny.gov. 

This is causing a fail for delivery to our users, in DMARC, SPF, and DKIM, and the email is rejected. 

Is there anything we can do about this? It seems that this may be a firewall issue blocking after too many DNS pings,  Then Smartermail goes to ny.gov for the records. 

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
D
Douglas Foster Replied
1/16/2025 at 12:47 PM
There has to be something else going on.  Can you clarify?

  • PING is not needed for SPF/DKIM/DMARC evaluation, so I don't understand why SM would be using it.
  • SPF only queries the MailFrom domain, which is apparently not ny.gov.
  • DKIM queries the _domainkey of the signing domain, which should not be ny.gov because they do not have the _domainkey subdomain configured
  • DMARC looks for a DMARC policy at the _dmarc subdomain of the FROM domain first.  
    • If found, search stops and that policy is used.  
    • If not found, it searches the org domain, which should be ny.gov, and will return NO POLICY.
    • If the FROM domain is a subdomain of its.ny.gov, the result should be NO POLICY. Its.ny.gov gets skipped.
    • When the policy is found, alignment is relaxed, so a verified MAILFROM or DKIM domain should align with a FROM address anywhere in NY.GOV.
All of which leaves me confused about how your message got rejected.

Enforcing DMARC is risky because SM does not provide a good exception mechanism, and there will be a need for exceptions.   I use custom logic in Declude instead.  Details on request.
Kyle Kerst Replied
1/16/2025 at 4:43 PM
Employee Post
Could it be that they don't publish DMARC for the root domain because they use gateways/mailers to send those messages? If you have an example message you can provide us we can simulate it's delivery and see how it is handled outside of your environment for you.
Kyle Kerst
Lead Internal Network/System Administrator
SmarterTools Inc.
J Lee Replied
1/17/2025 at 9:14 AM
Hi Kyle
Still happening. But I figured this out.

Smartermail is looking at our Incoming Gateway IP for this client Dmarc test instead of the originating IP for its.ny.gov. When a domain has an Incoming Gateway, Smartermail should use those IPs as approved SPF records. And look at the originating IP for DKIM

Like this
v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov [smartermailgateway1] [smartermailgateway2] -all

In this case 
v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov 208.70.129.79 -all

Research

Contents
  • Successful Dmarcian Scan
  • Smartermail Log Fail
  • SPF records

Successful Dmarcian Scan

Smartermail Log
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC Results: Failed (Domain: its.ny.gov, Reason: SPF: False, DKIM: False, Alignments: 0, Domain: its.ny.gov, Action: reject), Reason: SPF: False, DKIM: False, Alignments: 0, Domain: its.ny.gov, Reject? True

[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Beginning DMARC check for its.grp.plat.adhoc@its.ny.gov from IP 208.70.129.79...
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] ARC Chain verifier Errors: MessageSignatureValidationFailed
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] The from field for the message is "NYS mySend <its.grp.plat.adhoc@its.ny.gov>".  Will look for DMARC policy record at _dmarc.its.ny.gov
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Retrieved the following DMARC policy record for "its.ny.gov": v=DMARC1;p=reject;pct=100;rua=mailto:re+taxx0e4mwfl@dmarc.postmarkapp.com;sp=reject;aspf=r;
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] Signature to verify:
[2025.01.15] v=1; a=rsa-sha256; c=relaxed/relaxed; d=its.ny.gov;    s=selector2;    h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;    bh=Hrgl6X64CJcUaCVd8DmQJa9iCIOfDabGBQOJ2kJTNhY=;    b=l8HVsGlFgahen9FiQuyd58QGUU60CtlBjwdEsIVO2HRrNGSSh8nW641ucl3BGj1QWot9F6TS3VegCluTZ0ZWlUb6mZ7ujh/9dAjEvvUN0F1OD0hx37fFJu72xMzS8wrBJAo1yVhOJm8/iEuo4fomCVICw/gfhtnWo1cTtG+FHZM=09:09:54.472 [208.70.129.79][1867840] DMARC: SPF failure.
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC: Bad DKIM signature.
[2025.01.15] 09:09:54.472 [208.70.129.79][1867840] DMARC DKIM domains; its.ny.gov SPF domain: its.ny.gov, DMARC domain: its.ny.gov. DKIM succeeded: False, SPF succeeded: False.

v=spf1 ip4:192.135.176.0/24 include:svc.ny.gov -all
SPF: ny.gov
v=spf1 mx ip4:170.123.0.0/16 ip4:161.11.224.0/22 include:svc.ny.gov include:service.govdelivery.com -all

SPF its.ny.gov Query for 208.70.129.79 Fail
SPF ny.gov Query for 208.70.129.79 Fail

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
J Lee Replied
1/17/2025 at 9:22 AM
Thanks Doug there was something else going on.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
J Lee Replied
1/17/2025 at 9:40 AM
Hi Kyle
It would also be nice to have a log entry for easy lookup. This way, Admins could easily search and find all legitimate emails for a specific domain that are being blocked by DMARC.

DMARC Testing for incoming [clientdomain] Fail or Passed

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
J Lee Replied
1/17/2025 at 9:46 AM
Hi Kyle

Another solution would be to add a setting to the Gateway page, Bypass Dmarc for this gate way. Yes or No

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
J Lee Replied
1/17/2025 at 10:01 AM
Hi Kyle 
Ok, I do have this gateway in the Security/Whitelist/ page, but there is no option to just skip DMARC.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
Employee Replied
1/17/2025 at 10:06 AM
Employee Post
Hello,

If you select the gateway's entry in the Whitelist and enable this setting, it should have the desired effect:
J Lee Replied
1/18/2025 at 8:57 AM
Hi Jorel
Thank you yes I saw that and was thinking that would solve the failed delivery but we would like to keep spam checks running and just turn off Dmarc for a Gateway.

J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
DMARC - In Simple TermsSmarterMail > Antispam and Antivirus
SPF - In Simple TermsSmarterMail > Antispam and Antivirus
Sender Verification Shield ExplanationSmarterMail > Antispam and Antivirus