[opendmarc-users] SPF record macro expansion

Steve Siirila sfs at umn.edu
Tue Sep 6 13:57:35 PDT 2022


Has anyone experienced issues with DMARC validation of email coming from
sites which should pass SPF and therefore pass DMARC but don't?

In our real-life example, we are receiving email from Service Now IP
addresses with a sender (envelope FROM) domain of USER at purestorage.com and
a header FROM domain of USER at purestorage.com.  Because purestorage.com has
a DMARC reject policy, either SPF or DKIM must pass before we will accept
the email.  There is no DKIM record, and the SPF record is rather complex:

purestorage.com. 300 IN TXT "v=spf1
include:purestorage.com._nspf.vali.email
include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

After substituting IP address, helo name, and domain name in the above, the
returned SPF record resolves to this value:

"v=spf1 include:service-now.com -all"

As such, DMARC should pass, but does not.  Is opendmarc known to have
issues with SPF record macro expansion?  Has anyone had any experience with
this sort of setup?
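The substitution step described in the message above, as an added example that is not part of the original post and not opendmarc's code: a small expander for the macros in the quoted `include:` term, following the macro rules of RFC 7208 section 7. The function name `expand_spf_macros` is hypothetical, and the IP address, HELO name and sender are constructed sample values.

```python
import ipaddress
import re
from urllib.parse import quote

# RFC 7208 section 7: %{letter digits r delimiters}, or the literals %% %_ %-
_MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([-.+,/_=]*)\}|([%_-]))|(%)")

def expand_spf_macros(spec, ip, helo, sender, domain=None):
    """Expand SPF macros in a domain-spec (hypothetical helper, not opendmarc code)."""
    local, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    # %{i}: dotted quad for IPv4, dot-separated nibbles for IPv6
    i_val = str(addr) if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {
        "s": sender, "l": local or "postmaster", "o": sender_domain,
        "d": domain or sender_domain,  # domain currently being evaluated
        "i": i_val, "h": helo,
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def repl(m):
        if m.group(6):
            raise ValueError("stray '%' in domain-spec (permerror)")
        if m.group(5):
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, rev, delims = m.group(1, 2, 3, 4)
        if letter.lower() not in values:
            raise ValueError(f"macro %{{{letter}}} is not handled by this example")
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("zero is not a valid digit transformer")
            parts = parts[-int(digits):]  # keep the right-hand labels
        out = ".".join(parts)
        # uppercase macro letters request URL-escaping of the result
        return quote(out, safe="-._~") if letter.isupper() else out

    return _MACRO.sub(repl, spec)

if __name__ == "__main__":
    # Constructed sample values (documentation ranges), not taken from the post
    spec = "%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email"
    print(expand_spf_macros(spec, "192.0.2.10", "mail.example.net", "user@example.com"))
```

Feeding it the client IP, HELO name and envelope sender recorded for a rejected message gives the exact name the `include:` term has to resolve, which can then be queried by hand and compared with what the verifier reports.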