This is complicated, so here is a shot at an explanation.
For DMARC to pass, the domain that SPF or DKIM authenticated has to align with the domain in the message's From header. There are three domains that matter here:
- The From header address (RFC5322.From): quickpatents.com
- The DKIM signing domain (the d= tag in the DKIM-Signature header): email-od.com
- The envelope sender / MAIL FROM address (RFC5321.MailFrom, what you see as Return-Path): emailcenterpro.com
how many from addresses are there?
There are two: the From header inside the message itself, and the MAIL FROM address your SMTP server gives in the envelope when it talks to the receiving server. DMARC reports call the first one header_from and the second one envelope_from.
how they all work
You set your "from address" in the message itself (the From header). In this case it's email@example.com.
Right before your SMTP server hands the message to the remote SMTP server, it signs the message with DKIM and tells the receiving server where to find the public key to verify the signature: the d= (domain) and s= (selector) tags of the DKIM-Signature header, which the receiver looks up as the TXT record at s._domainkey.d.
Then your email service sets the envelope MAIL FROM address during the SMTP conversation between your server and the recipient's server (there is a whole handshake there that you don't need to worry about). SPF is checked against that MAIL FROM domain and the IP address of the connecting server, which is what the spf= and server IP in the Authentication-Results header refer to.
It's remarkable that you can legitimately send email with a made-up From header, any MAIL FROM domain whose SPF record lists your server, and a DKIM signature from any domain you control. Without alignment between them, SPF and DKIM on their own say very little about who the mail is really from. Receivers use a lot of machine learning to decide which SMTP servers and which DKIM signing domains to trust; DMARC is the mechanism that ties the two back to the From header your users actually see.
looking at the dmarc
jon$ dig _dmarc.quickpatents.com txt +short
An empty answer means quickpatents.com publishes no DMARC record at all, so there is no policy for receivers to apply (and no aggregate reports for you to read). Have a look here:
looking at the dkim
The receiver takes the d= and s= values from the signature, looks up the public key in DNS at selector._domainkey.domain, and verifies the signature against it:
jon$ dig dkim._domainkey.email-od.com txt +short
That key belongs to email-od.com, so the signature verifies but the d= domain does not align with quickpatents.com. You need to publish DKIM records under your own domain, quickpatents.com, and have AWS sign with d=quickpatents.com (SES Easy DKIM gives you CNAME records to add to your DNS): https://docs.aws.amazon.com/ses/latest/DeveloperGuide/easy-dkim.html
looking at the spf, these are the records looked up:
jon$ dig emailcenterpro.com txt +short
"v=spf1 include:email-od.com ~all"
jon$ dig email-od.com txt +short
"v=spf1 ip4:126.96.36.199/20 ip4:188.8.131.52/28 ip4:184.108.40.206/29 ip4:220.127.116.11/29 ip4:18.104.22.168/29 ip4:22.214.171.124/27 ip4:126.96.36.199/28 ip4:188.8.131.52/28 ip4:184.108.40.206/25 ~all"
One of the ip4 ranges in email-od.com's record (reached through the include: in emailcenterpro.com's record) covers the sending SMTP server's IP address of 220.127.116.11, which is why SPF passed. But it passed for emailcenterpro.com, not quickpatents.com, so it does nothing for DMARC alignment.
You also need to configure AWS SES with a custom MAIL FROM domain under your sending domain, for example mail.quickpatents.com, so the envelope sender aligns with the From header. The doc walks through the MX and SPF TXT records you add for that subdomain: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html
Once the From header, the DKIM d= domain and the MAIL FROM domain share the same organizational domain (under DMARC's default relaxed alignment a subdomain like mail.quickpatents.com counts), DMARC will pass. Strictly speaking only one of SPF or DKIM needs to align, but fix both: forwarding breaks SPF because the forwarder's IP is not in your record, while an aligned DKIM signature survives it.
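To make the alignment rules above concrete, here is an added example (not part of the original post, and not AWS or any real verifier's code) that walks the SPF records from the dig output above and then applies DMARC alignment to the three domains in this message. The DNS answers are a constructed table copied from the page's dig output; the mail.quickpatents.com SPF record is assumed, standing in for the record the AWS MAIL FROM doc has you create. The organizational-domain logic is a two-label approximation rather than a Public Suffix List lookup.

```python
import ipaddress

# Constructed DNS TXT table standing in for the live "dig ... txt" lookups on
# the page. The two SPF records are copied from the page's dig output (the IP
# ranges are whatever the page shows, not verified live addresses). The
# mail.quickpatents.com entry is an assumed record for the "fixed" scenario.
DNS_TXT = {
    "emailcenterpro.com": "v=spf1 include:email-od.com ~all",
    "email-od.com": (
        "v=spf1 ip4:126.96.36.199/20 ip4:188.8.131.52/28 ip4:184.108.40.206/29 "
        "ip4:220.127.116.11/29 ip4:18.104.22.168/29 ip4:22.214.171.124/27 "
        "ip4:126.96.36.199/28 ip4:188.8.131.52/28 ip4:184.108.40.206/25 ~all"
    ),
    "mail.quickpatents.com": "v=spf1 include:email-od.com ~all",  # assumed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=DNS_TXT, depth=0):
    """Minimal SPF evaluator for the mechanisms the page's records use
    (ip4, ip6, include, all). Returns an RFC 7208 style result string."""
    if depth > 10:          # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain.lower().rstrip("."))
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"       # no SPF record for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # strict=False lets entries with host bits set (x.x.x.199/20) parse
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced domain's record gives "pass"
            matched = spf_check(arg, client_ip, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue        # a, mx, exists, redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # nothing matched and no "all" term present


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. A real
    verifier consults the Public Suffix List so that example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC identifier alignment: strict ("s") needs an exact match, relaxed
    ("r", the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mail_from_domain, client_ip,
                   dkim_domain=None, dkim_valid=False,
                   aspf="r", adkim="r", dns=DNS_TXT):
    """Combine SPF and DKIM results with alignment the way a DMARC verifier
    does: DMARC passes if at least one *aligned* identifier authenticated.
    dkim_valid stands in for the cryptographic check, which is not done here."""
    spf_result = spf_check(mail_from_domain, client_ip, dns)
    spf_aligned = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_aligned = bool(dkim_valid and dkim_domain
                        and aligned(dkim_domain, from_domain, adkim))
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # The message from the page: SPF and DKIM both pass, but for the wrong domains.
    print(dmarc_evaluate("quickpatents.com", "emailcenterpro.com", "220.127.116.11",
                         dkim_domain="email-od.com", dkim_valid=True))
    # After signing with d=quickpatents.com and setting a MAIL FROM subdomain.
    print(dmarc_evaluate("quickpatents.com", "mail.quickpatents.com", "220.127.116.11",
                         dkim_domain="quickpatents.com", dkim_valid=True))
```

The first call reproduces the situation in the post: SPF is "pass" for emailcenterpro.com and the email-od.com signature is valid, yet neither identifier aligns with quickpatents.com, so the DMARC result is "fail". The second call shows that once DKIM signs with d=quickpatents.com, or MAIL FROM is a subdomain of quickpatents.com, the same message passes; switching aspf to "s" shows why strict alignment would reject the mail.quickpatents.com subdomain.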