[opendmarc-users] DMARC fail and reject for one sender
David Jones
djones at ena.com
Thu May 18 06:38:28 PDT 2017
My mail filters are running opendmarc 1.3.2 and I started rejecting failed DMARC checks a couple of months ago for domains with "p=reject" (honoring their own policy). I have one particular sender that is using dmarcian.com services that is failing. Sender agents.icims.com is being rejected so I had to add it to the opendmarc.conf IgnoreMailFrom.
When I contacted the sender, they say they have had DMARC in place for many years and have not made any changes lately so it's a problem on my end, of course.
DMARC record:
# dig _dmarc.agents.icims.com txt +short
"v=DMARC1\; p=reject\; rua=mailto:dmarc_agg at vali.email,mailto:nfivm2st at ag.dmarcian.com\; ruf=mailto:dmarc_d2a54d9a_afrf at vali.email,mailto:nfivm2st at fr.dmarcian.com"
SPF record:
# dig agents.icims.com txt +short
"v=spf1 include:agents.icims.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
I had never seen an SPF record like this before so that must be something fancy that dmarcian.com set up. It appears to dynamically substitute values to provide specific SPF results per IP, HELO, and domain. My mail filters are saying that the SPF checks are passing which is confirmed by this DNS query:
# dig 162.247.160.153._ip.icims-talentplatform-160153.email.icims.tools._ehlo.agents.icims.com._spf.vali.email txt +short
"v=spf1 ip4:162.247.160.0/21 -all"
The SPF check above should be passing based on the headers below.
Received: from (icims-talentplatform-160153.email.icims.tools [162.247.160.153])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    (No client certificate requested)
    by smtp4n.ena.net (Postfix) with ESMTPS id 42DA31495A15
    for <redacted at example.com>; Thu, 18 May 2017 08:04:07 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
    d=agents.icims.com; i=@agents.icims.com; q=dns/txt;
    s=platform; t=1495112647; x=1526648647;
    h=date:from:reply-to:to:message-id:subject:mime-version:
    list-unsubscribe;
    bh=mK9tYZSXgYsfaJFFq6+J8sLbSg0NLnZmqZD2WIfhNJ8=;
    b=dhNLMSvRj3sRN5EfgJFkOoO8XslY3FtEIWdBG+bg1Cz6eGPbT/SgCMyW
    UTBZceunCXpgpr1B3NmMxUrfRlYOGNQ6h/YfiSjWLUAy9JkoEw82/iEmi
    EyzgJlfXQYcnzsx2153GhW6h35HJPsapuycDDRQgHc3U70nqkP3M85Rad
    7UR8kw9qk8fssJxuRakLfkp50SILM5f1OZ08Eq72lHJMQ0VoOlijzSXTT
    +2xbcbhj7aTobqgjiQ3c1xntdAz51QKsXUWyxodWhns+k7an6cu7UP3JC
    +TuDM7We8+fV3S7+L8ysI6FUriJfTHN5bN6pI5EnQaBd4BazRxpKqGksv
    g==;
X-IronPort-AV: E=Sophos;i="5.38,359,1491278400";
    d="scan'208";a="124188043"
Received: from unknown (HELO ip-10-47-5-152.ec2.internal) ([10.30.10.250])
    by icims-talentplatform-160160.email.icims.tools with ESMTP; 18 May 2017 09:04:06 -0400
Date: Thu, 18 May 2017 09:04:06 -0400 (EDT)
From: "Redacted @ icims" <redacted+autoreply at agents.icims.com>
Reply-To: <redacted+autoreply at agents.icims.com>
To: redacted at example.com
Message-ID: <1231579031.27096.1495112646680 at ip-10-47-5-152.ec2.internal>
Subject: Application Status from Redacted
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_Part_27094_1697637749.1495112646679"
List-Unsubscribe: <mailto:redacted+autoreply+3FF632589 at agents.icims.com?subject=unsubscribe&contactId=129434>, <https://redacted.icims.com/icims2/?r=3FF632589&contactId=129434&pid=108&process=1>
X-iRecruiter-Type: TX
X-iCIMS-Type: TX
X-iCIMS-Priority: Auto
X-iRecruiter-Source: redacted
Here's what my Postfix logs show when I don't have agents.icims.com in the opendmarc.conf IgnoreMailFrom:
May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: SPF(mailfrom): redacted+bounce+1lri-ec0a7e8591 at agents.icims.com fail
May 15 12:25:41 server1 opendmarc[11384]: 848BB14806A9: agents.icims.com fail
May 15 12:25:41 server1 postfix/cleanup[20227]: 848BB14806A9: milter-reject: END-OF-MESSAGE from icims-talentplatform-160152.email.icims.tools[162.247.160.152]: 5.7.1 rejected by DMARC policy for agents.icims.com; from=<redacted+bounce+1lri-ec0a7e8591 at agents.icims.com> to=<redacted at example.com> proto=ESMTP helo=<icims-talentplatform-160152.email.icims.tools>
Any help or direction is much appreciated.
Dave
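
Added example, not part of the original post and not opendmarc code: the per-IP/HELO/domain substitution described above is SPF macro expansion (RFC 7208 section 7), and this expands the include: targets of the quoted record into the DNS names a verifier has to look up. The function names and the envelope sender's local part are assumptions; the p macro and the exp-only letters c, r, t are not handled.

```python
import ipaddress
import re
from urllib.parse import quote

# RFC 7208 section 7.1: %{<letter><digits><r><delimiters>} or %%, %_, %-
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))")
_LITERALS = {"%": "%", "_": " ", "-": "%20"}

def expand_spf_macros(spec, ip, helo, mail_from, domain):
    """Expand the SPF macros in one domain-spec for a single SMTP session."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = mail_from.rpartition("@")
    values = {
        "s": mail_from, "l": local or "postmaster", "o": sender_domain,
        "d": domain, "h": helo,
        # IPv4 stays dotted-quad; IPv6 becomes dot-separated hex nibbles
        "i": str(addr) if addr.version == 4
             else ".".join(addr.exploded.replace(":", "")),
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def substitute(match):
        letter, digits, reverse, delims, literal = match.groups()
        if literal:
            return _LITERALS[literal]
        if letter.lower() not in values:
            raise ValueError(f"unsupported macro letter {letter!r}")
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]  # keep the right-most N labels
        text = ".".join(parts)
        return quote(text, safe="") if letter.isupper() else text

    return _MACRO.sub(substitute, spec)

def include_targets(record, **session):
    """Return the expanded DNS name of every include: mechanism in record."""
    return [expand_spf_macros(term.split(":", 1)[1], **session)
            for term in record.split() if term.lstrip("+-~?").startswith("include:")]

# Values quoted in the post; the envelope sender's local part is constructed.
RECORD = ("v=spf1 include:agents.icims.com._nspf.vali.email "
          "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all")
SESSION = dict(ip="162.247.160.153", mail_from="bounce@agents.icims.com",
               helo="icims-talentplatform-160153.email.icims.tools",
               domain="agents.icims.com")
```

Calling include_targets(RECORD, **SESSION) yields the same name as the dig query in the post; comparing that name with the TXT lookups a filter actually sends shows whether its SPF evaluator expands macros.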