Understand SPF as it relates to DMARC Reports #4228

Closed
1 task
nickumia-reisys opened this issue Mar 7, 2023 · 2 comments
Labels
component/ssb Explore O&M Operations and maintenance tasks for the Data.gov platform

Comments

nickumia-reisys commented Mar 7, 2023

Purpose

We want to know we are setting up DMARC (DKIM+SPF) properly for our SES instances, but we're not sure how to interpret the DMARC reports from Google.

Given the above question, conducting research/investigation is needed to provide factual knowledge on future steps.

1d of effort has been allocated and once complete, findings will be demonstrated and specific future actions will be decided.

Acceptance Criteria

  • GIVEN [a contextual precondition]
    [AND optionally another precondition]
    WHEN [time box] expires
    THEN [findings demonstrated]
    AND [future action is decided]
    AND [stories covering future action are created if needed]

Background

DMARC Reports from Google.

<record>
  <row>
    <source_ip>x.x.x.x</source_ip>
    <count>49</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>ses-513xxx.ssb.data.gov</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>ses-513xxx.ssb.data.gov</domain>
      <result>pass</result>
      <selector>xxx</selector>
    </dkim>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
      <selector>xxx</selector>
    </dkim>
    <spf>
      <domain>us-west-2.amazonses.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

Sketch

List of references to start with:

@nickumia-reisys

SPF is a feature of DMARC that prevents unauthorized servers from sending emails from a domain. There are two modes for SPF: (1) relaxed and (2) strict. Strict SPF requires that all servers must be from the exact domain to which the email is configured. Relaxed SPF allows servers to be configured with either the exact domain or any one-level subdomains.

If a domain customdata.org is used as the email domain,

  • Strict SPF requires that all email servers be routed from only customdata.org
  • Relaxed SPF allows the email servers to reside at any *.customdata.org domain.

For our use case, we have DMARC set up for all of our email domains (i.e. ses-xxx.ssb.data.gov). However, the emails are "mailed by" or "mailed from" us-west-2.amazonses.com. Since us-west-2.amazonses.com != ses-xxx.ssb.data.gov, SPF fails both strict and relaxed SPF.

According to AWS Support,

To resolve this, you must set up a custom MAIL FROM domain so that the Mail From value is a subdomain of your verified domain. For example, if your verified domain (the From domain) is example.com, then you can set up the custom Mail From domain to be mail.example.com.

Ironically enough, we got a friendly contribution from a sibling team in TTS that allows us to configure MAIL FROM,

From this investigation, it would seem that setting the MAIL FROM domain would solve the SPF failure. I will test and try to figure out if it is safe to upgrade our ssb-smtp with the new feature.

@nickumia-reisys

Successfully modified the MAIL FROM domain on a test instance. And since mail.ses76xxx.ssb.data.gov is a subdomain of ses76xxx.ssb.data.gov, it will pass the relaxed SPF checks from Google.

Implementing this work will be taken care of in
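
Added example (not part of the original thread or the project's code): a small Python check that recomputes the DMARC-level SPF and DKIM verdicts for the record in the issue, showing why `auth_results` reports SPF `pass` while `policy_evaluated` reports SPF `fail`, and how a custom MAIL FROM changes the result. Relaxed alignment is implemented as an organizational-domain match per RFC 7489. Assumptions: `PUBLIC_SUFFIXES` is a tiny stand-in for the Public Suffix List, the `mail.` subdomain is hypothetical, and SPF is assumed to still pass for the custom MAIL FROM domain.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the record from the issue, placeholder values kept as-is.
RECORD = """<record>
  <row><source_ip>x.x.x.x</source_ip><count>49</count></row>
  <identifiers><header_from>ses-513xxx.ssb.data.gov</header_from></identifiers>
  <auth_results>
    <dkim><domain>ses-513xxx.ssb.data.gov</domain><result>pass</result></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
    <spf><domain>us-west-2.amazonses.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

# Assumption: minimal stand-in for the Public Suffix List, enough for these domains.
PUBLIC_SUFFIXES = {"com", "gov", "org"}

def org_domain(domain):
    """Organizational domain: the public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, header_from, mode):
    """mode 's' (strict): exact match; 'r' (relaxed): same organizational domain."""
    a, f = auth_domain.lower(), header_from.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record_xml, mode="r", mail_from=None):
    """Return DMARC-level (spf, dkim) verdicts for one aggregate-report record.

    mail_from replaces the reported SPF domain to model a custom MAIL FROM
    (hypothetical; assumes SPF itself still passes for that domain).
    """
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")

    def verdict(kind):
        for node in rec.findall(f"auth_results/{kind}"):
            domain = node.findtext("domain", "")
            if kind == "spf" and mail_from:
                domain = mail_from
            # DMARC needs both: the mechanism passed AND its domain aligns with From.
            if node.findtext("result") == "pass" and aligned(domain, header_from, mode):
                return "pass"
        return "fail"

    return verdict("spf"), verdict("dkim")
```

For the record as reported, `evaluate(RECORD)` gives the same `spf` fail and `dkim` pass shown in `policy_evaluated`; with a custom MAIL FROM under the From domain, SPF aligns in relaxed mode only.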
