Forum Discussion
Hi all, thanks for raising for this.
Yahoo and Google made some security updates earlier this year which means we have to update our email configuration but we were already in the process of changing our configuration for another of our domains which may have a knock on impact so we're just trying to bundle all the changes in together so it may take a little bit longer than you'd expect.
Thanks,
Kei_M The issue is not with your domain itself, it's to do with the configuration of the outbound settings on the Khouros mail system.
Currently it's sending the mail with the following From: address.
From: Virgin Media Community Support
<VirginMediaCommunitySupport@virginmedia.co.uk>
This is what I'd expect.
DMARC will use this domain when validating SPF and DKIM checks.
The Authentication results from Microsofts server shows what's happening.
Authentication-Results: spf=pass (sender IP is 149.72.175.76)
smtp.mailfrom=em7732.eu.khoros-mail.com; dkim=pass (signature was verified)
header.d=eu.khoros-mail.com;dmarc=fail action=quarantine
header.from=virginmedia.co.uk;compauth=fail reason=000
The SPF and DKIM checks pass but these are evaluated against the eu.khoros-mail.com domain.
Because the From: address is in the virginmedia.co.uk domain DMARC fails because SPF and DKIM are not evaluated against this domain.
How to fix this.
Ask Khoros if it's possible to amend the DKIM settings on the outbound messaging so it signs it with a virginmedia.co.uk DKIM signature instead of a khoros one.
AND/OR
Ask khoros if it's possible to modify the mail from: address of the outbound mails so it falls in the virginmedia.co.uk domain (mail from: is the envelope sender, which can differ from the From: address)
For DMARC to pass only one verification method needs to succeed either DKIM or SPF - but the domains of the checks MUST be aligned.
This should be a quick fix and if you use DKIM - all you have to do is add a single TXT DNS entry to the virginmedia.co.uk domain with the public DKIM key used to validate the signature.
Tim
- ravenstar686 months agoVery Insightful Person
To add to the above - there's nothing wrong with your SPF record either.
As a test I popped the khoros server IP into Kitterman's SPF checker and instead of using khoros' mail from: identity I used the address in your From: header
Here's the results
Mail sent from this IP address: 149.72.175.76 Mail from (Sender): VirginMediaCommunitySupport@virginmedia.co.uk Results - PASS sender SPF authorized
In short - you don't need to be modifying your domains, you just need to talk to Khoros. As they send on behalf of multiple domains - they should have a mechanism for dealing with this issue.
Tim
Related Content
- 6 months ago
- 2 months ago