DMARC Abuse Report received even though it passes DMARC
This article explains why you may receive a DMARC abuse report even though the message passes DMARC.
You receive the follow message to the email address configured for failure reporting:
This is an email abuse report for an email message received from IP <IP address> on <Date><Time>. For more information about this format please see
Below is some details information about this message:
1. SPF-authenticated Identifiers: pass
2. DKIM-authenticated Identifiers: pass
3. DMARC Mechanism check Result: pass
Understanding the Report
The following line confirms that the message was delivered to the recipient:
The following lines confirm that Authentication has failed:
This means that DKIM authentication method failed checks as per RFC7489 (external link).
The reason the Email Security service sends the message is because the DMARC record in your domain has the
fo=1 option set.
fo Dictates what type of authentication and/or alignment vulnerabilities are reported back to the Domain Owner.
There are four values for the
fo option however the following are relevant to this scenario:
0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned “pass” result. (Default)
1: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned “pass” result.
To prevent these kinds of messages you should update your DMARC record to use
fo=0 or simply remove the option from the record entry.