Domain-Name-System

Why does this DMARC verification fail?

  • August 19, 2021

I got a score of 6.1/10 on mail-tester.com, with the DMARC verification being the only relevant penalty (-3).

* Your DKIM signature is valid

* Your message failed the DMARC verification
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and give instruction if neither of those authentication methods passes. Please be sure you have a DKIM and SPF set before using DMARC.

You are not allowed to send a message with this address

DMARC DNS entry found for the domain _dmarc.mail.example.com:

"v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com"
Verification details:

mail-tester.com; dmarc=fail header.from=mail.example.com
mail-tester.com; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com header.i=no-reply@mail.example.com header.b=MVNy47/y; dkim-atps=neutral
From Domain: mail.example.com
DKIM Domain: mail.example.com

The email is sent via SMTP relay through a paid mailjet account.

This is my DNS configuration; mailjet reports DKIM and SPF as "OK":

@                        IN TXT "v=spf1 include:_spf.google.com ~all"
_dmarc.example.com.      IN TXT "v=DMARC1;p=none;sp=none;pct=50;adkim=r;aspf=r;"
_dmarc.mail              IN TXT "v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com"
default2103._domainkey   IN TXT "v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwBTlvBdpQXS3+g6rPM4fd" "O5EFHrt6EDRS6HMAzf4yYVsp9JwC145ftSzmw/qwdeW3c+JlwvqAipM2qf//A4HG/tpxV9ASX7Qa" "Yew6QlngiXB+T/ih37NrgUE0B2sUpijQ0n5mVd3sAstOQNPhyg5JeWOiJLLJS7xWbu/zwJ+WMB8h" "Phl5ZLrtfscsB56EawBJS/spGTKdOcq6aNm1yPUYvnWQsbWziuV9Y7NLb1yapauks1Yxug75HA12" "Zf7YTuaHPXuK+BSOSEzSUd5R/Fk7UZ1Ba1uX/OdcNKxZtaI0oYePHp9xzSMlWrj2RGbQP9WCKA0R" "HPHEKIwchsqXbIW6QIDAQAB" 
mail                     IN TXT "v=spf1 include:spf.mailjet.com -all"
mailjet._bf00f643.mail   IN TXT bf00f643e7c8377f55faab9307581acd
mailjet._domainkey.mail  IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs9LUxwgF8P0uV+ulltAAyITc3aRqgsAVlr2ZygTnuYJQ10gSPU2M7NAKJTck3P10F8F49t2BnBYsKzUo4AHlZ7V5kafYu3c9Gd50TfcMyqbGB1CL+ITfRxxh3opTTMZAvcCv/EpH9+dG1iw1a1ahZHTC2TvfF6k0thbIWjWIgQwIDAQAB"
@                   3600 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 1 ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@                   3600 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.

I use example.com. Google Workspace uses the main domain, but mail.example.com is used for transactional email. I am trying to send via mail.example.com.

This is the email:

Received: by mail-tester.com (Postfix, from userid 500)
   id 4C207A988D; Tue, 27 Jul 2021 16:51:48 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level: 
X-Spam-Status: No/0.9/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
   HEADER_FROM_DIFFERENT_DOMAINS=0.249,HTML_MESSAGE=0.001,
   HTML_MIME_NO_HTML_TAG=0.635,MIME_HTML_ONLY=0.1,SPF_HELO_PASS=-0.001,
   SPF_PASS=-0.001,URIBL_BLOCKED=0.001
X-Spam-Last-External-IP: xx.xxx.xxx.xxx
X-Spam-Last-External-HELO: o123.p8.mailjet.com
X-Spam-Last-External-rDNS: o123.p8.mailjet.com
X-Spam-Date-of-Scan: Tue, 27 Jul 2021 16:51:48 +0200
X-Spam-Report: 
   *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
   *      blocked.  See
   *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
   *      for more information.
   *      [URIs: mjt.lu]
   * -0.0 SPF_PASS SPF: sender matches SPF record
   * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
   *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
   *      mail domains are different
   *  0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
   *  0.0 HTML_MESSAGE BODY: HTML included in message
   *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
   *       valid
   * -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
   * -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
   *      author's domain
   *  0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
   *      tag
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=xx.xxx.xxx.xxx; helo=o123.p8.mailjet.com; envelope-from=xxxxx.xxxxxxxx@bnc3.mailjet.com; receiver=test-xxxxx@srv1.mail-tester.com 
DMARC-Filter: OpenDMARC Filter v1.3.1 mail-tester.com 9F060A988C
Authentication-Results: mail-tester.com; dmarc=fail header.from=mail.example.com
Authentication-Results: mail-tester.com;
   dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=mail.example.com header.i=no-reply@mail.example.com header.b=MVNy47/y;
   dkim-atps=neutral
Received: from o123.p8.mailjet.com (o123.p8.mailjet.com [xx.xxx.xxx.xxx])
   (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
   (No client certificate requested)
   by mail-tester.com (Postfix) with ESMTPS id 9F060A988C
   for <test-xxxxxx@srv1.mail-tester.com>; Tue, 27 Jul 2021 16:51:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; q=dns/txt;
 d=mail.example.com; i=no-reply@mail.example.com; s=mailjet;
 h=message-id:mime-version:from:reply-to:to:subject:date:list-unsubscribe-post:
 list-unsubscribe:feedback-id:x-csa-complaints:x-mj-mid:x-mj-smtpguid:
 x-report-abuse-to:content-type:content-transfer-encoding;
 bh=TIkRui7Va59h4geTtPXAKHua6pDPeJyum82T2lGo2Ww=;
 b=MVNy47/y6hs1gHGz8eiJlWuG18UsJ/Fhxa5vf7K5tDJt1jSfpePjd2YCb
N1jbcfPt57l77VjSd8+vcwC2g5+yWyBHfkTuF8F7fGA9Vgn740zOLpMVjxlx
PX71Bkay8jB4kG7Shtpus9XU+/a9WN5E9ygqWReclkE7X3uNqd78pQ=
Message-Id: <xxxxx.xxxxxx@mailjet.com>
MIME-Version: 1.0
From: Example <no-reply@mail.example.com>
Reply-To: info@example.com
To: test-xxxxxx@srv1.mail-tester.com
Subject: Example Registrierung
Date: Tue, 27 Jul 2021 14:51:38 +0000
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe:
   <mailto:xxxxx.mailjet.com>,
   <https://xxxxxxxxxxxxxxxxx>
Feedback-Id: 42.1636236.1611053:MJ
X-CSA-Complaints: csa-complaints@eco.de
X-MJ-Mid:
   xxxxxxx
X-MJ-SMTPGUID: 4c0f08ce-7ed4-457b-9f60-fdf493ab9e3e
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to
   abuse@mailjet.com with a copy of the message
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

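I don't understand why the verification fails and what I can do about it. Another tool, dmarcanalyzer, says the configuration is fine.


Edit

Sending the mail to a gmail account lands it in spam. However, "Show original" in gmail reports "PASS" for SPF, DKIM and DMARC:

(Screenshot: gmail reports "PASS" for SPF, DKIM and DMARC)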

The reason is this: (1024-bit key; unprotected). You just need to replace the DKIM key with a 2048-bit key and it will be fine.

Hope this helps ^_^
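Added example, not part of the original post or of any tool named in it: how a receiver arrives at the `dmarc=` result from the SPF and DKIM results in the headers above, following the RFC 7489 rule that at least one of them must pass with a domain aligned to the From: domain. The function names are hypothetical, the records are copied from the zone in the question, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
# DMARC TXT records copied from the zone shown in the question.
ZONE = {
    "_dmarc.example.com": "v=DMARC1;p=none;sp=none;pct=50;adkim=r;aspf=r;",
    "_dmarc.mail.example.com": "v=DMARC1;p=reject;rua=mailto:dmarc-reports@example.com",
}

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_tags(txt):
    # "v=DMARC1;p=reject;..." -> {"v": "DMARC1", "p": "reject", ...}
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txt.split(";") if "=" in t)}

def find_policy(from_domain, zone=ZONE):
    """Return (tags, used_org_fallback): _dmarc.<From domain> first, then the org domain."""
    fd = from_domain.lower().rstrip(".")
    for name in (fd, org_domain(fd)):
        tags = parse_tags(zone.get("_dmarc." + name, ""))
        if tags.get("v") == "DMARC1":
            return tags, name != fd
    return None, False

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), anything else = relaxed (same org domain)
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_domain, spf, dkim_sigs, zone=ZONE):
    """spf: (result, envelope-from domain); dkim_sigs: [(result, d= domain), ...]."""
    tags, fallback = find_policy(from_domain, zone)
    if tags is None:
        return "none", None
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return "pass", None
    # A record found at the org domain applies its sp= tag to subdomains.
    return "fail", (tags.get("sp", tags.get("p")) if fallback else tags.get("p"))

if __name__ == "__main__":
    # Values from the mail-tester headers: SPF passed for the Mailjet bounce domain,
    # DKIM for d=mail.example.com failed verification at this receiver.
    print(evaluate("mail.example.com", ("pass", "bnc3.mailjet.com"),
                   [("fail", "mail.example.com")]))
    # Same domains with a verifying DKIM signature, as Gmail reported (assumed domains).
    print(evaluate("mail.example.com", ("pass", "bnc3.mailjet.com"),
                   [("pass", "mail.example.com")]))
```

The SPF pass in these headers is for the envelope-from domain `bnc3.mailjet.com`, which is not aligned with `mail.example.com`, so the DMARC result for this message depends entirely on whether the receiver verifies the `d=mail.example.com` DKIM signature.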

Quoted from: https://serverfault.com/questions/1074935