Can someone explain this to me plase?

We recently setup spf, dkim and dmarc. We got this report tonight. can someone explain to me a bit more on what this means and if we should be worried:

<?xml version="1.0"?>
<feedback xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <version>1.0</version>
  <report_metadata>
    <org_name>Outlook.com</org_name>
    <email>dmarcreport@microsoft.com</email>
    <report_id>fe794262683c4ddebcf57f8871c17c71</report_id>
    <date_range>
      <begin>1708041600</begin>
      <end>1708128000</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>test.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
    <fo>0</fo>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.160.174</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <envelope_to>hotmail.com</envelope_to>
      <envelope_from>test.com</envelope_from>
      <header_from>test.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>test-com.20230601.gappssmtp.com</domain>
        <selector>20230601</selector>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>test.com</domain>
        <scope>mfrom</scope>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

How is it that it failed dkim but pass spf?

The message did not contain a valid DKIM signature for the RFC 5322 From domain and selector combination. You can see from the XML data that the signing key was from the domain test-com.20230601.gappssmtp.com which does not match your alleged RFC 5322 From domain of test.com.

You can see that the RFC 5321 envelope from domain matched the RFC 5322 From domain. As long as 209.85.160.174 is in that domain’s SPF record it will pass. The domain you are asking has no published SPF record. This indicates that you have falsified the data that you asked us to evaluate, so it is impossible to provide you with a real answer. You will have to look up the SPF record and compare it yourself.

It is a lot easier to review DMARC report data in the dashboard of a sevice like dmarcian than it is to attempt to read XML files. You really ought to consider adopting such a practice.

Does that answer your question?

1 Like