DeutschEnglish

Submenu

 - - - By CrazyStat - - -

14. December 2016

Microsoft and AOL sending DMARC aggregate reports (RUA) without DKIM signature

Filed under: Server Administration — Tags: , , , , , , , — Christopher Kramer @ 19:18

Just noticed that Microsoft and AOL are sending their DMARC aggregate reports without a DKIM signature. This alone is not uncommon, lots of small mail providers don’t use DKIM for their DMARC aggregate report mails. But the domains that Microsoft and AOL use as sender of their aggregate report mails have DMARC policies themselves. AOL even sets p=reject in their policy, which means that a mail server checking DMARC policies would reject aggregate reports sent by AOL if SPF fails, e.g. because the mail was relayed in between.

This is their DMARC policies:

_dmarc.aol.com.         2083    IN      TXT     
     "v=DMARC1\; p=reject\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\;"

_dmarc.microsoft.com.   391     IN      TXT     
     "v=DMARC1\; p=quarantine\; pct=100\; rua=mailto:d@rua.agari.com\; ruf=mailto:d@ruf.agari.com\; fo=1"

And this are the SPF records:

aol.com.                3190    IN      TXT     
     "v=spf1 ptr:mx.aol.com include:spf.constantcontact.com include:aspmx.sailthru.com include:mail.zendesk.com ~all"

abuse.aol.com.          227     IN      TXT     
     "v=spf1 ip4:204.29.186.192/26 ip4:204.29.187.0/27 -all"

microsoft.com.          1683    IN      TXT     
 "v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com ip4:147.243.128.24 ip4:147.243.128.26 ip4:147.243.1.153 ip4:147.243.1.47 ip4:147.243.1.48 -all"

AOL is sending its aggregate reports from abuse_dmarc@abuse.aol.com, and the SPF records of this subdomain has a strict “-all” (which aol.com doesn’t). Microsoft sends the reports from dmarcrep@microsoft.com, and microsoft.com also uses “-all”.

Google for example sends its aggregate reports with DKIM signature, so DMARC evaluation runs smooth. SPF is relaxed “~all” at google.com, but DMARC nowadays is “p=reject”, which I was a little surprised to see.

So in conclusion, if you really want to get your DMARC aggregate reports, you should not strictly follow the DMARC policies of the others, otherwise you might miss some reports…

And if you set up a mail server yourself that sends DMARC reports, don’t forget to sign those mails with DKIM as well.

Recommendation

Try my Open Source PHP visitor analytics script CrazyStat.