Reputation: 63
My daily DMARC contains the following record. Can somebody explain the SPF failure?
All looks set up correctly on my domain, and the SPF validation further in the record also passes. I'm a bit puzzled.
<record>
  <row>
    <source_ip>AN-IP-ADDRESS</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf> WHY?????? WHAT CAUSES THIS TO FAIL HERE?
    </policy_evaluated>
  </row>
  <identifiers>
    <envelope_to>A-DOMAIN</envelope_to>
    <envelope_from>A-DOMAIN_ALLOWED-TO-SEND-MAILS</envelope_from>
    <header_from>MY-DOMAIN</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>MY-DOMAIN</domain>
      <selector>smtpapi</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>A-DOMAIN_ALLOWED-TO-SEND-MAILS</domain>
      <scope>mfrom</scope>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
The policy records in the report are as follows:
<policy_published>
  <domain>MY-DOMAIN</domain>
  <adkim>r</adkim>
  <aspf>r</aspf>
  <p>quarantine</p>
  <sp>none</sp>
  <pct>100</pct>
  <fo>1:d:s</fo>
</policy_published>
Upvotes: 3
Views: 1409
Reputation: 3518
This looks like an alignment failure. The purpose of DMARC is to authenticate the header-from address:
A message is considered to be authentic if the domain of the From address [<header_from>] matches the SPF-authenticated domain of the MAIL FROM address [<envelope_from>] or the domain of a valid DKIM signature.
In other words, SPF succeeds for A-DOMAIN_ALLOWED-TO-SEND-MAILS, but since A-DOMAIN_ALLOWED-TO-SEND-MAILS and MY-DOMAIN don't have the same organizational domain, the relaxed DMARC alignment fails. See here for another example of that. If the email was sent from an email service provider (ESP), your configuration is probably fine. The ESP uses their domain in the <envelope_from> address so that they can handle bounce messages for you. If, on the other hand, the email was sent from your mailbox provider, the mailbox provider should use MY-DOMAIN in the <envelope_from> address.
Upvotes: 5
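The alignment check described in the answer above, as an added example that is not part of the original posts: it recomputes the `<policy_evaluated>` SPF and DKIM verdicts from `<auth_results>`, `<header_from>` and the published `aspf`/`adkim` modes. Assumptions: `example.com` and `bounce.esp-mail.example.net` are constructed stand-ins for MY-DOMAIN and A-DOMAIN_ALLOWED-TO-SEND-MAILS, and `org_domain` is a hypothetical helper that approximates the organizational domain as the last two labels, where a real receiver consults the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample report: the question's placeholders replaced by example domains.
SAMPLE = """<feedback>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp-mail.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":                       # strict: exact domain match
        return a == h
    return org_domain(a) == org_domain(h)  # relaxed: same organizational domain

def evaluate(xml_text):
    """Return one verdict dict per <record>: a raw 'pass' only counts if aligned."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    modes = {"spf": pol.findtext("aspf", "r"), "dkim": pol.findtext("adkim", "r")}
    verdicts = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        v = {"header_from": hf}
        for mech in ("spf", "dkim"):
            ok = any(
                r.findtext("result") == "pass"
                and aligned(r.findtext("domain"), hf, modes[mech])
                for r in rec.findall(f"auth_results/{mech}")
            )
            v[mech] = "pass" if ok else "fail"
        # DMARC passes when either mechanism passes *and* aligns.
        v["dmarc"] = "pass" if "pass" in (v["spf"], v["dkim"]) else "fail"
        verdicts.append(v)
    return verdicts

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Run against a real aggregate report, any record where this yields `spf: fail` while `<auth_results>` shows an SPF `pass` is an alignment miss rather than a broken SPF record.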