We send email (AR Statements) to customers through our CDK Global dealer management software. Recently, about half of the emails are failing, while the other half are delivered/received successfully. According to the email header SPF passes but DMARC fails. This contradicts dmarcian’s domain checkers which indicate that DMARC is valid but that we don’t have an SPF record… this is confusing to me because we do have an SPF record and as such I am having difficulty determining where the problem is. Any suggestions would be most welcome. Thank you.
Subject: Delivery Status Notification (Failure)
SPF: PASS with IP 207.186.148.25 Learn more
DMARC: ‘FAIL’ Learn more
ARC-Authentication-Results: i=1; mx.google.cxm;
spf=pass (google.com: best guess record for domain of
postmaster@laspsmtp.cdk.cxm designates 207.186.148.25 as permitted
sender) smtp.helo=laspsmtp.cdk.cxm;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=cdk.cxm
(domains edited by me so they aren’t links…)
DMARC
Your domain has a valid DMARC record and your DMARC policy will prevent abuse of your domain by phishers and spammers.
To add to @beekeeper 's comment, based on the headers Google did a “best guess” check. They do that when the domain as per RFC it is meant to check has no SPF record. While the header from is mentioned to be cdk.cxm, SPF checks are not done against the domain of that email address, also known as the RFC5322 From Header. An SPF check is done by the receiver by looking up an SPF record in the domain extracted from the return-path address, also known as the RFC5321 Mail From (https://tools.ietf.org/html/rfc7208#section-1.1.3).
Either the return-path here used is postmaster@laspsmtp.cdk.cxm, or it was null and laspsmtp.cdk.cxm was given as the EHLO identity. Either way, a subdomain does not inherit the SPF record from its parent. This means laspsmtp.cdk.cxm will need its own SPF record if the current way of sending these emails will be maintained.
