There are 2 types of “fail and pass” within a DMARC report. There is the policy evaluation, which is the DMARC verdict for DKIM and SPF, as well as the individual SPF and DKIM check results.
Let’s assume for a moment that example.net has an SPF record configured and authorizes 192.0.2.10. The auth_results section of the XML report contains the authentication results of the check based on the domain being evaluated. DMARC alignment is not being considered here. In our example, the result here would be a pass since the domain example.net permits 192.0.2.10 to send on its behalf.
The policy_evaluated section of the report corresponds to the alignment check result (DMARC result) for that specific authentication mechanism. In our example, it would be SPF fail, since it is not enough that the SPF check passes: the domain evaluated does not match the From: header domain.
1. Is SPF and DKIM authentication always done on the MAIL FROM (RFC5321.From)?
2. Can the Header From (RFC5322.From) be any domain if DMARC alignment is configured?
To sum up:
SPF authentication is always on the domain declared in the RFC5321.FROM field
DKIM authentication is always on the domain declared in the RFC5322.FROM field
DMARC SPF: needs alignment between RFC5321 and RFC5322 domains.
And what about DMARC DKIM alignment, does it need alignment between RFC5321 and RFC5322 domains?
DKIM validation has no basis in the RFC5321 sender domain. The adkim flag refers to whether an exact FQDN match is required or if an organizational domain match is sufficient. Strict or relaxed alignment refers to the relationship between the signing domain found in the d= field of the DKIM header and the domain of the RFC5322 sender.
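To make the alignment rules above concrete, here is an added example (not code from the thread or from any DMARC tool) that derives the policy_evaluated verdicts from the raw SPF/DKIM results and the three domains involved. The From: domain example.com, the subdomain bounce.example.com and the function names are assumptions for illustration; the organizational-domain helper is a deliberate simplification (last two labels) where a real validator consults the Public Suffix List.

```python
"""Added example: derive DMARC alignment verdicts from raw SPF/DKIM results.

Assumed inputs: the RFC5321.MailFrom domain, the DKIM d= domain, the
RFC5322.From domain, and the aspf/adkim mode ("r" relaxed, "s" strict).
"""


def organizational_domain(domain: str) -> str:
    # Simplification: organizational domain = last two labels.
    # A real implementation uses the Public Suffix List (example.co.uk
    # would be handled wrongly here).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """'s' = strict: exact FQDN match. 'r' = relaxed: same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return organizational_domain(a) == organizational_domain(h)


def dmarc_verdicts(header_from, mail_from, spf_result, dkim_d, dkim_result,
                   aspf="r", adkim="r"):
    """Return (policy_evaluated spf, policy_evaluated dkim, overall DMARC pass).

    A mechanism only counts for DMARC when its own check passed AND the
    domain it authenticated aligns with the RFC5322.From domain.
    SPF is checked against RFC5321.MailFrom; DKIM against the d= domain.
    """
    spf_ok = (spf_result == "pass" and mail_from is not None
              and aligned(mail_from, header_from, aspf))
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(dkim_d, header_from, adkim))
    return ("pass" if spf_ok else "fail",
            "pass" if dkim_ok else "fail",
            spf_ok or dkim_ok)


if __name__ == "__main__":
    # Thread's example: example.net authorizes the IP (raw SPF pass),
    # but the From: header is example.com (constructed) -> SPF fails alignment.
    print(dmarc_verdicts("example.com", "example.net", "pass", None, "none"))
    # Subdomain bounce address: passes under relaxed aspf, fails under strict.
    print(dmarc_verdicts("example.com", "bounce.example.com", "pass", None, "none", aspf="r"))
    print(dmarc_verdicts("example.com", "bounce.example.com", "pass", None, "none", aspf="s"))
    # Forwarded mail: SPF passes for the forwarder's domain, DKIM d= still aligns.
    print(dmarc_verdicts("example.com", "gmail.com", "pass", "example.com", "pass"))
```

The last call shows why DKIM is what survives forwarding: the signature is tied to d=, not to whichever domain the forwarder put in the MAIL FROM.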
In case an SPF <auth_results> displays gmail.com, what does it mean?
In my context, gmail.com is not authorized to send email “from” my domain, so it can’t be a “pass” here:
This would indicate an instance of email forwarded automatically by gmail.com.
Automatic email forwarding refers to the process of automatically redirecting incoming emails from one email address to another. This feature is commonly used when individuals want to consolidate their email accounts or manage multiple email addresses from a single inbox. It is by no means the only scenario however.
When an email is forwarded automatically, it essentially passes through multiple email systems. This can introduce challenges for DMARC authentication because the original SPF and DKIM information might not align with the forwarding server. As a result, the email’s authentication status can be affected, and DMARC alignment checks may fail.
This is most often represented in DMARC data by showing a passing DKIM signature aligned with your domain, but an unrelated RFC5321 domain. That domain is the forwarding domain, and you find it there due to SRS or Sender Rewriting Scheme.
SRS is the process whereby a forwarder rewrites the 5321 Mail From address to their own domain so that SPF may pass. Helpful when SPF was the only anti-spoofing technology used, less so now with DMARC as it introduces an alignment failure.
Ultimately, you have no control over this kind of forwarding, but more often than not it is benign. It signifies you have sent a likely legitimate email to gmail.com, and the recipient has an automatic forward in place.
The reasons one might choose to forward an email address are too numerous to create an exhaustive list and have no relevance to DMARC as they are beyond the control of the sender.
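The forwarding signature described above (aligned DKIM pass, SPF evaluated against an unrelated forwarder domain) is easy to pick out of an aggregate report once you read auth_results and policy_evaluated separately, as the first post in this thread explains. The following is an added example, not code from the thread or from any DMARC vendor: it parses a constructed aggregate report with two records, the example.net case from the start of the thread and the gmail.com forwarding case, and labels each. The XML, the source IPs (documentation ranges), the From: domain example.com and the category names are all constructed for illustration; the organizational-domain helper is again a last-two-labels simplification.

```python
"""Added example: classify DMARC aggregate report records, flagging the
forwarding pattern (policy_evaluated dkim=pass, spf=fail, raw SPF pass
under a domain unrelated to header_from).
"""
import xml.etree.ElementTree as ET

# Constructed report: two records mirroring the scenarios in the thread.
REPORT_XML = """<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>gmail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def _org(domain: str) -> str:
    # Simplified organizational domain (last two labels); real code uses the PSL.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_record(rec):
    row = rec.find("row")
    pe = row.find("policy_evaluated")
    header_from = rec.findtext("identifiers/header_from", "").lower()
    spf = rec.find("auth_results/spf")
    dkim = rec.find("auth_results/dkim")
    raw_spf_domain = spf.findtext("domain", "").lower() if spf is not None else ""
    raw_spf_result = spf.findtext("result", "none") if spf is not None else "none"
    raw_dkim_domain = dkim.findtext("domain", "").lower() if dkim is not None else ""
    raw_dkim_result = dkim.findtext("result", "none") if dkim is not None else "none"
    pe_spf = pe.findtext("spf", "fail")    # DMARC verdict for SPF (alignment applied)
    pe_dkim = pe.findtext("dkim", "fail")  # DMARC verdict for DKIM (alignment applied)
    dmarc_pass = "pass" in (pe_spf, pe_dkim)

    # Raw SPF passed, but for a domain outside the From: organizational domain.
    spf_unrelated = bool(raw_spf_result == "pass" and raw_spf_domain
                         and _org(raw_spf_domain) != _org(header_from))

    if pe_dkim == "pass" and pe_spf == "fail" and spf_unrelated:
        category = "likely_forwarded"        # SRS-rewritten MAIL FROM, DKIM survived
    elif dmarc_pass:
        category = "dmarc_pass"
    elif spf_unrelated:
        category = "spf_pass_unaligned"      # the example.net case from the thread
    else:
        category = "dmarc_fail"

    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count", "0")),
        "header_from": header_from,
        "raw_spf": (raw_spf_domain, raw_spf_result),
        "raw_dkim": (raw_dkim_domain, raw_dkim_result),
        "policy_evaluated": (pe_spf, pe_dkim),
        "dmarc_pass": dmarc_pass,
        "category": category,
    }


def summarize(xml_text: str):
    root = ET.fromstring(xml_text)
    return [classify_record(r) for r in root.findall("record")]


if __name__ == "__main__":
    for r in summarize(REPORT_XML):
        print(r["source_ip"], r["count"], r["category"], r["raw_spf"], r["raw_dkim"])
```

Running it on a real report works the same way (read the file into summarize); records labelled likely_forwarded are the ones the thread calls benign, whereas spf_pass_unaligned with no DKIM is the case where a sending system is authorized by some other domain's SPF but never signs for yours.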