DMARC Abuse Report received even though it passes DMARC

Updated 6 days ago by admin

This article explains why you may receive a DMARC abuse report even though the message passes DMARC.

You receive the follow message to the email address configured for failure reporting:

This is an email abuse report for an email message received from IP <IP address> on <Date><Time>. For more information about this format please see

https://help.clouduss.com/ems-knowledge-base/dmarc-failure-reporting

Below is some details information about this message:
   1. SPF-authenticated Identifiers: pass
   2. DKIM-authenticated Identifiers: pass
   3. DMARC Mechanism check Result: pass
You can view the ATT00001.dat attachment for further information as to the actions taken on the email.

Understanding the Report

The following line confirms that the message was delivered to the recipient:

Delivery-Result: delivered

The following lines confirm that Authentication has failed:

Feedback-Type: auth-failure

Identity-Alignment: dkim

This means that DKIM authentication method failed checks as per RFC7489 (external link).

The reason the Email Security service sends the message is because the DMARC record in your domain has the fo=1 option set. 

fo Dictates what type of authentication and/or alignment vulnerabilities are reported back to the Domain Owner.

There are four values for the fo option however the following are relevant to this scenario:

0: Generate a DMARC failure report if all underlying authentication mechanisms fail to produce an aligned “pass” result. (Default)

1: Generate a DMARC failure report if any underlying authentication mechanism produced something other than an aligned “pass” result.

For more information on this option see RFC7489 (external link) section 6.3 General Record Format

Resolution

To prevent these kinds of messages you should update your DMARC record to use fo=0 or simply remove the option from the record entry.


How did we do?