Re: DKIM + DMARC with Contact Forms?

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Sun, 29 Dec 2013 21:22:36 -0800 (PST)

On Sun, 29 Dec 2013, Steve Jenkins wrote:
> The From: and Reply-To: are based on what the user enters into the web
> form,
> making it easy for us to simply reply to the incoming email. However,
> we're
> seeing a dmarc=fail -- and I'm assuming it's because the
> header.from=gmail. com. The spf=pass and dkim=pass (because OpenDKIM
> signs anything leaving pap erboy.cheatcodes.com), and I'm under the
> false assumption that if either spf
> or dkim passes, that meant a dmarc pass.
>
> Any ideas on how we can configure so that we get a dmarc=pass?

In addition to asserting that one of DKIM and SPF has to pass, DMARC also
requires that the domains those methods authenticate have to align with
what's in the From: field. In this case your From: domain was
"gmail.com", SPF passed for "google.com", and your DKIM signature was for
"cheatcodes.com", so DMARC wasn't satisfied.

Any change you can make that satisfies the alignment test will make DMARC
happy, so you could get it signed somehow by gmail.com, or make sure the
From: domain is always something_at_cheatcodes.com (maybe a random hash
alias?), etc.

-MSK
Received on Mon Dec 30 2013 - 05:22:54 PST