DMARC report: SPF fail and pass for one record

Hi all,
I’m receiving some DMARC reports I can’t understand, for example this record, which displays:

  • SPF from <policy_evaluated> with “fail” value
  • SPF from <auth_results> with “pass” value

<record>
     <row>
       <source_ip>200.12.23.xx</source_ip>
       <count>1</count>
       <policy_evaluated>
         <disposition>none</disposition>
         <dkim>pass</dkim>
         <spf>fail</spf>
       </policy_evaluated>
     </row>
     <identifiers>
       <header_from>mydomain.com</header_from>
     </identifiers>
     <auth_results>
       <dkim>
         <domain>mydomain.com</domain>
         <result>pass</result>
         <selector>selector1</selector>
       </dkim>
       <spf>
         <domain>notmydomain.org</domain>
         <result>pass</result>
       </spf>
     </auth_results>
</record>

If someone can help me understand, that would be great!

Hi kadmarc and welcome to the forums!

There are 2 types of “fail and pass” within a DMARC report. There is the policy evaluation, which is the DMARC verdict for DKIM and SPF, as well as the individual SPF and DKIM check results.

Let’s imagine:

Sending IP: 192.0.2.10
From header domain: example.org
MAIL FROM: example.net

Let’s assume for a moment that example.net has an SPF record configured and authorizes 192.0.2.10. The auth_results section of the XML report is the authentication results of the check based on the domain being evaluated. DMARC alignment is not being considered here. In our example, the result here would be a pass since the domain example.net permits 192.0.2.10 to send on its behalf.

The policy_evaluated section of the report corresponds to the alignment check result (DMARC result) for that specific authentication mechanism. In our example, it would be SPF fail: it is not enough that the SPF check passes, since the domain evaluated does not match the From: header domain.

I hope this helps!

2 Likes

Hello Asher!

Thank you for your answer!
I understand this DMARC report now!

I wish you a good day.
Cheers

Hello Asher,
This raises two questions:

1. Are SPF and DKIM authentication always done on the MAIL FROM (RFC5321.From)?
2. Can the Header From (RFC5322.From) be any domain if DMARC alignment is configured?

Cheers.

DKIM doesn’t care about the RFC5321 sender. It signs based on the RFC5322 sender domain.

DMARC evaluates the RFC5322 sender domain based on the published policy.

Hello LinkP,
Thanks for your answer!

What about SPF authentication: is it based on RFC5321 or RFC5322?

SPF only considers the RFC5321 domain. For SPF to result in valid DMARC, alignment between the RFC5321 and RFC5322 domains is required.

Hi linkP,
Thank you for your answer.

To sum up:
SPF authentication is always on the domain declared in the RFC5321.FROM field.
DKIM authentication is always on the domain declared in the RFC5322.FROM field.
DMARC SPF: needs alignment between RFC5321 and RFC5322 domains.

And what about DMARC DKIM alignment: does it need alignment between RFC5321 and RFC5322 domains?

DKIM validation has no basis on the RFC5321 sender domain. The adkim flag refers to whether an exact FQDN match is required or if an organizational domain match is sufficient. Strict or relaxed alignment refers to the relationship between the signing domain found in the d= field of the DKIM header and the domain of the RFC5322 sender.

RFC7489 3.1.1 has an example.

1 Like

OK, thank you for your answer, LinkP!

Best regards,

If an SPF <auth_results> displays gmail.com, what does it mean?
In my context, gmail.com is not authorized to send email with “from” my domain, so it can’t be a “pass” here:

  <record>
    <row>
      <source_ip>259.12.20.xx</source_ip>
      <count>6</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>exemple.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>exemple.com</domain>
        <result>pass</result>
        <selector>mail</selector>
      </dkim>
      <spf>
        <domain>gmail.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

This would indicate an instance of email forwarded automatically by gmail.com.

Automatic email forwarding refers to the process of automatically redirecting incoming emails from one email address to another. This feature is commonly used when individuals want to consolidate their email accounts or manage multiple email addresses from a single inbox. It is by no means the only scenario however.

When an email is forwarded automatically, it essentially passes through multiple email systems. This can introduce challenges for DMARC authentication because the original SPF and DKIM information might not align with the forwarding server. As a result, the email’s authentication status can be affected, and DMARC alignment checks may fail.

This is most often represented in DMARC data by showing a passing DKIM signature aligned with your domain, but an unrelated RFC5321 domain. That domain is the forwarding domain, and you find it there due to SRS or Sender Rewriting Scheme.

SRS is the process whereby a forwarder rewrites the 5321 Mail From address to their own domain so that SPF may pass. This was helpful when SPF was the only anti-spoofing technology used, less so now with DMARC, as it introduces an alignment failure.

Ultimately, you have no control over this kind of forwarding, but more often than not it is benign. It signifies you have sent a likely legitimate email to gmail.com, and the recipient has an automatic forward in place.

I hope this helps!

1 Like
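
Added example (not code from any poster in this thread): the two answers above, the auth_results versus policy_evaluated distinction and the forwarding pattern, recomputed from one aggregate-report record. The sample record is constructed, the function names are hypothetical, the record is assumed to carry no XML namespace, and org_domain() is a naive stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed record shaped like the second one in the thread; 192.0.2.10 is a documentation IP.
SAMPLE = """<record>
  <row><source_ip>192.0.2.10</source_ip><count>6</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result><selector>mail</selector></dkim>
    <spf><domain>gmail.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Assumption: "last two labels" stands in for a real Public Suffix List lookup.
    return ".".join(name.split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    """Strict = exact FQDN match; relaxed = same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(record_xml, aspf_strict=False, adkim_strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from", "").strip()
    computed, unaligned_pass = {}, {}
    for mech, strict in (("spf", aspf_strict), ("dkim", adkim_strict)):
        computed[mech], unaligned_pass[mech] = "fail", []
        for node in rec.findall(f"auth_results/{mech}"):
            domain = node.findtext("domain", "").strip()
            if node.findtext("result", "").strip() != "pass":
                continue  # raw authentication failed: cannot count toward DMARC
            if aligned(domain, header_from, strict):
                computed[mech] = "pass"  # authenticated AND aligned with header_from
            else:
                unaligned_pass[mech].append(domain)  # authenticated some other domain
    reported = {m: rec.findtext(f"row/policy_evaluated/{m}", "").strip() for m in computed}
    return {
        "header_from": header_from,
        "computed": computed,
        "matches_report": computed == reported,
        "dmarc": "pass" if "pass" in computed.values() else "fail",
        # Pattern described in the thread: aligned DKIM pass plus an SPF pass for an unrelated domain.
        "possible_forwarders": unaligned_pass["spf"] if computed["dkim"] == "pass" else [],
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

A record where matches_report is false means the reporter's policy_evaluated verdict differs from what the listed auth_results imply under the alignment modes passed in.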

Hi Asher,
Thank you for your reply!

Yes, this helps me a lot to understand what’s happening!

You wrote “It is by no means the only scenario however”.
Which other scenario can make this happen?

The reasons one might choose to forward an email address are too numerous to create an exhaustive list and have no relevance to DMARC as they are beyond the control of the sender.

Oh, I mean which other scenario can produce a DMARC report with an “auth_results” SPF with gmail.com (or another domain)?