A DKIM, SPF, and DMARC brain teaser with a meatworld prize!

Last night, a faithful reader and Marketo champ sent me a DKIM-related question that had a couple of interesting twists and turns. While I figured it out quickly (being steeped in this sort of stuff) it struck me as a perfect “How well do you understand anti-spam/anti-forgery technologies?” puzzle for my li'l martech community.

To make it less boring more awesome, there's a prize for the first reader who answers correctly by this Sunday (12/4). In homage to my utter reliance on coffee, and trying to avoid the obvious gift card, the winner gets a JavaPresse hand grinder. A $60 value in theory, and suitable for regifting if you're a freak who doesn't make her/his own coffee (or who doesn't drink caffeine, more seriously). No affiliate hijinks involved, btw — that link is plain-vanilla.

Adapting the question to not give too much away, here's what he wrote:

Gmail is saying this Marketo email is failing DMARC validation, affecting deliverability, but I don't understand why. I think DKIM and SPF are both in place for the domain, and I thought that would be enough to prevent outright failure.

He attached the headers of the message as received at Gmail (to preserve anonymity, the real domain has been changed to brainteaser.com wherever it appeared):

ss

Anything cut off in the image isn't important to the solution.

Since I protected the reader's domain, you can't do real DNS lookups on it yourself. (No other domains were changed.) But post in the comments and I'll reply back with results for any queries you need to help you out. I'll kick you off with a few (maybe...) pertinent results:

; <<>> DiG 9.10.1-P1 <<>> @4.2.2.1 _dmarc.brainteaser.com txt
;; opcode: QUERY, status: NOERROR, id: 20225
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

_dmarc.brainteaser.com. 300     IN      TXT     "v=DMARC1; p=none; fo=1; pct=100; 
 rf=afrf; rua=mailto:brainteaser@rua.agari.com,mailto:abuse@brainteaser.com; 
 ruf=mailto:brainteaser@ruf.agari.com"


; <<>> DiG 9.10.1-P1 <<>> @4.2.2.1 _dmarc.reply.brainteaser.com txt
;; opcode: QUERY, status: NXDOMAIN, id: 37553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

brainteaser.com.        39      IN      SOA     PDNS1.ULTRADNS.NET. 
 hostmaster.brainteaser.com. 2016091627 10800 3600 604800 300


; <<>> DiG 9.10.1-P1 <<>> @4.2.2.1 brainteaser.com txt
;; opcode: QUERY, status: NOERROR, id: 46039
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

brainteaser.com.        57      IN      TXT     "v=spf1 include:mktomail.com 
 include:spf.protection.outlook.com include:emailsrvr.com 
 include:spf.messagelabs.com -all"


; <<>> DiG 9.10.1-P1 <<>> @4.2.2.1 reply.brainteaser.com txt
;; opcode: QUERY, status: NOERROR, id: 27568
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

brainteaser.com.        39      IN      SOA     PDNS1.ULTRADNS.NET. 
 hostmaster.brainteaser.com. 2016091627 10800 3600 604800 300

For the prize: what are the two reasons this email fails DMARC?

Good luck!