AWS SES - SPF Raw Pass but DMARC Fail-unaligned

Hello All-

I’m a new user and I’m having a hard time understanding why email that has been sent from an authorized source (AWS SES) is showing SPF DMARC as “fail-unaligned”. This is happening despite the IP address shown in the “IP” column being directly included in my SPF record (It’s a dedicated IP from AWS).

The funny thing is that the SPF “Raw” column shows as “pass”. So if that passes, why is the DMARC SPF listed as “fail-unaligned”?

As a note, the DKIM DMARC does show as aligned so this is a pass, but it should be a pass on SPF as well.

See image below for reference.

Thank You!

Unaligned DMARC on SPF means that the RFC 5321 & RFC 5322 address domains don’t match.

The RFC 5321 address is the email address used in the SMTP transaction. You will sometimes see it referred to as the return-path. In your example it is amazones.com.

The RFC 5322 address is the From address that is included in the email itself. In your sample image, this is the blurred domain in the first column. Since these domains do not match you cannot pass DMARC with your SPF, even though the raw SPF passes.

I can’t really comment on your DKIM alignment in any detail since most of the relevant columns are truncated in your image.


LinkP,
Thanks very much for the clear explanation, appreciate it.

Cheers!

Hello,

Are there recommendations on how to fix it? How do I prevent this from happening again?

Thanks!

It’s unclear what you want to fix and prevent from happening. This thread is five months old and seems to have run to completion. You might want to start a new thread explaining your issue.

I too am faced with the issue that SPF is Raw Pass because the sending server’s IP is in my SPF record but the DMARC check on the SPF is “fail-unaligned” due to the fact that the FROM in the email is <my_domain>.com whereas the PTR/Server is <aws_server_number>.smtp-out.amazonses.com. The email does pass DMARC due to DKIM passing.
The question is: is there any way to ensure that these emails will pass DMARC’s SPF check? After all, we do not want our emails to have a FROM that reads <aws_server_number>.smtp-out.amazonses.com. We want the FROM to read <my_domain>.com.
Is there any way to avoid this misalignment while still having the FROM read <my_domain>.com? Or do we just need to rely on our DKIM to pass DMARC?

Your concerns are for naught. What you describe is a perfectly normal and extremely common DMARC scenario. If your DKIM verifies, then your DMARC will, too. I wouldn’t spend another moment worrying about something that is functioning as intended.
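
The alignment logic described in the replies above (raw SPF pass but unaligned, DMARC still passing on aligned DKIM), as an added example that is not part of the original thread. The function names and sample addresses are constructed, and the organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List).

```python
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: the last two labels form the organizational domain.
    # Real receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_eval(header_from, mail_from, spf_raw, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs: list of (d= domain, verification result) pairs."""
    from_domain = parseaddr(header_from)[1].rpartition("@")[2]   # RFC 5322 From
    mail_from_domain = mail_from.rpartition("@")[2]              # RFC 5321 MAIL FROM
    if spf_raw != "pass":
        spf = "fail"
    elif aligned(mail_from_domain, from_domain, aspf):
        spf = "pass"
    else:
        spf = "fail-unaligned"   # raw SPF passed, but for a different domain
    dkim = "fail"
    for d, result in dkim_sigs:
        if result == "pass":
            dkim = "pass" if aligned(d, from_domain, adkim) else "fail-unaligned"
            if dkim == "pass":
                break
    # DMARC passes when either mechanism passes and is aligned
    return {"spf": spf, "dkim": dkim, "dmarc": "pass" if "pass" in (spf, dkim) else "fail"}

# Constructed sample messages (example.com stands in for the sender's domain)
SES_DEFAULT = dict(header_from="News <news@example.com>",
                   mail_from="0100abc@eu-west-1.amazonses.com",
                   spf_raw="pass", dkim_sigs=[("example.com", "pass")])
SUBDOMAIN_MAIL_FROM = dict(SES_DEFAULT, mail_from="0100abc@bounce.example.com")

if __name__ == "__main__":
    print(dmarc_eval(**SES_DEFAULT))                   # the situation in this thread
    print(dmarc_eval(**SUBDOMAIN_MAIL_FROM))           # relaxed SPF alignment
    print(dmarc_eval(**SUBDOMAIN_MAIL_FROM, aspf="s")) # strict SPF alignment
```

The last constructed case shows that a MAIL FROM on a subdomain of the From domain aligns only under relaxed SPF alignment.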

Excellent, that is what I had hoped.
Thanks!

  • Yisrael

In an effort to promote users to post their own topics without reviving old ones, this thread is now closed.
