DMARC reports both success and failure for selector1

James Slora 21 Reputation points
2022-07-01T15:11:10.43+00:00

We have DKIM configured correctly, I think, but are getting unexpected mixed results from DMARC aggregate reports. I'm using contoso as a placeholder for the real domain prefix. My records do not literally say "contoso".

CNAME selector2._domainkey.contoso.com 7200 selector2-contoso-com._domainkey.contoso.onmicrosoft.com.
CNAME selector1._domainkey.contoso.com 7200 selector1-contoso-com._domainkey.contoso.onmicrosoft.com.

The DMARC aggregate report from Google shows both success and failure for selector1. What does this mean? Clearly the mail would be rejected if our DMARC was not currently p=none, so it's important to figure it out.

<record>
<row>
<source_ip>40.107.220.97</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>contoso.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>contoso.com</domain>
<result>pass</result>
<selector>selector1</selector>
</dkim>
<dkim>
<domain>contoso.com</domain>
<result>fail</result>
<selector>selector1</selector>
</dkim>
<spf>
<domain>contoso.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,228 questions
0 comments No comments
{count} votes

Accepted answer
  1. Michel de Rooij 1,531 Reputation points MVP
    2022-07-02T00:21:51.777+00:00

    Based on the extract you posted, for DKIM authentication, in the stream of messages there were fail and pass reports for the domain contoso.com using selector1. There was one sending IP used in this process, 40.107.220.97. Messages can contain multiple DKIM signatures, for example due to forwarding. Consequently, you may find multiple DKIM entries in an DMARC aggregate report.
    In principle, messages pass DMARC if any DKIM signature is verified and aligned (domain d= of signature aligns with domain found in from).

    0 comments No comments

0 additional answers

Sort by: Most helpful