
Jesper Dahlstrøm

Subdomain in DMARC report

Hi all,

Our DMARC reports sometimes show our subdomain, and this leads to failed DKIM and SPF.

We do not want to send out mails from name@sub.domain.dk.

NOTE: the subdomain applied is actually our Exchange 2016 FQDN.

Example:

  <record>
    <row>
      <source_ip>Our PUBLIC IP</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>domain.dk</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>subdomain.domain.dk</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>

But when it works, it shows:

  <record>
    <row>
      <source_ip> Our PUBLIC IP </source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from> domain.dk </header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain> domain.dk </domain>
        <result>pass</result>
        <selector>DOMAINKEY</selector>
      </dkim>
      <spf>
        <domain>domain.dk</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

Any clue how I can troubleshoot this?

asked 05/18/2020 07:08
Mariette Knap

Why would it show the subdomain? Do you mean that the actual sender address is user@sub.domain.com? If that is the case you need to remove that from within Exchange Server.

Jesper Dahlstrøm

Hi Mariette,

Thanks a lot for your quick response.

That's what I don't know :D

I have absolutely no idea where that part is coming from.

I found an XML-to-human DMARC converter.

http://prntscr.com/sit6qc (I guess there is no valid reason to hide our IP or FQDN in this forum)

I don't understand why it shows the FQDN/subdomain.

I can't find any sent mails in our logs that show name@mail.eu-beds.dk

replied 05/18/2020 07:47
Mariette Knap

Does this look familiar to you?

Connecting to 217.63.110.25

220 mail.eu-beds.dk [672 ms]
EHLO keeper-us-east-1b.mxtoolbox.com
250-mail.eu-beds.dk Hello [52.55.244.91]
250-SIZE 37748736
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH NTLM
250-8BITMIME
250-BINARYMIME
250 CHUNKING [703 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.1.0 Sender OK [719 ms]
RCPT TO:<test@mxtoolboxsmtpdiag.com>
550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain [5734 ms]

LookupServer 11347ms

replied 05/18/2020 09:02
Mariette Knap

Is that ehob.dk a smarthost?


replied 05/18/2020 09:08
Jesper Dahlstrøm

No, just a simple Receive connector.


replied 05/18/2020 09:15
Jesper Dahlstrøm

And the telnet connection does look familiar,

Mail.eu-beds.dk is our FQDN, 
217.63.110.25 is our IP

550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain [5734 ms] 

is simply because we don't allow that IP :)

It works if you send from the inside or from a few validated public IPs.

Thanks

replied 05/18/2020 09:16
Last Activity 05/18/2020 09:16
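
Added example, not part of the thread or any poster's code: a Python triage of the two record shapes quoted in the question, reporting for each record which domain SPF was evaluated against and whether any DKIM result was reported at all. `SAMPLE` compacts the question's records under a constructed `<feedback>` root, and the alignment helper is a labelled simplification.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records from the question, compacted, inside a <feedback> root.
SAMPLE = """<feedback>
<record><row><source_ip>Our PUBLIC IP</source_ip><count>2</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>domain.dk</header_from></identifiers>
  <auth_results><spf><domain>subdomain.domain.dk</domain><result>none</result></spf></auth_results></record>
<record><row><source_ip> Our PUBLIC IP </source_ip><count>1</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from> domain.dk </header_from></identifiers>
  <auth_results><dkim><domain> domain.dk </domain><result>pass</result><selector>DOMAINKEY</selector></dkim>
    <spf><domain>domain.dk</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def _txt(node, path):
    found = node.find(path)
    return (found.text or "").strip().lower() if found is not None else ""

def _aligned(auth_domain, header_from):
    # Simplified relaxed alignment (assumption): equal, or auth_domain is a subdomain of
    # header_from. Real DMARC compares organizational domains via the Public Suffix List.
    return auth_domain == header_from or auth_domain.endswith("." + header_from)

def triage(report_xml):
    """Return one dict per record explaining why SPF/DKIM did or did not satisfy DMARC."""
    # Reports arrive from outside parties; refuse DTD/entity tricks before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD/entity declarations are not expected in a DMARC report")
    out = []
    for rec in ET.fromstring(report_xml).iter("record"):
        hfrom, reasons, ok = _txt(rec, "identifiers/header_from"), [], {}
        for mech in ("spf", "dkim"):
            checks = [(_txt(a, "domain"), _txt(a, "result"))
                      for a in rec.findall(f"auth_results/{mech}")]
            ok[mech] = any(r == "pass" and _aligned(d, hfrom) for d, r in checks)
            if not checks:
                reasons.append(f"{mech}: no result reported")
            for d, r in checks:
                if r != "pass":
                    reasons.append(f"{mech}: {d} evaluated as '{r}'")
                elif not _aligned(d, hfrom):
                    reasons.append(f"{mech}: {d} passed but is not aligned with {hfrom}")
        out.append({"header_from": hfrom, "count": int(_txt(rec, "row/count") or 0),
                    "spf_domain": _txt(rec, "auth_results/spf/domain"),
                    "dmarc_pass": ok["spf"] or ok["dkim"], "reasons": reasons})
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

For the first record this reports that SPF was evaluated against subdomain.domain.dk with result `none` and that the report carries no DKIM result for those messages.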
