Question about SPF failure in DMARC report

Hi! I’m new here and I’m VERY happy to have found this forum! Every now and then, I have questions about the DMARC reports I receive and hopefully, this is the right place to ask them. :slight_smile:

With that being stated, I received a truly bizarre SPF failure in a DMARC report. Here is a “sanitized” snippet of the DMARC report, which contains the SPF failure:

  <record>
    <row>
      <source_ip>aaa.bbb.ccc.ddd</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>someotherdomain.com</domain>
        <result>neutral</result>
      </spf>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </dkim>
    </auth_results>
  </record>

IP address ‘aaa.bbb.ccc.ddd’ above is NOT associated with my domain at all, which is why I’m perplexed. I interpret the above failure to mean “A mail server at IP address aaa.bbb.ccc.ddd tried to send email from ‘mydomain.com’, which it isn’t permitted to do because the SPF record doesn’t allow IP address ‘aaa.bbb.ccc.ddd’ to send email on behalf of ‘mydomain.com’.”

Is that a correct interpretation?

Thanks in advance for your assistance!

Hi Tomdkat,

welcome to the forums!

Your interpretation is correct. The email was sent by a server where the From header was your domain, but the RFC 5321 Mail From (most commonly known as the return-path) was a different domain. This kind of report is typical of forwarded mail, especially if DKIM passed and was your domain.

Forwarding in this case would be automated forwarding, like with a mailbox rule or a whole-mailbox forward. In those instances, headers are maintained (such as the From and DKIM headers) but the return-path will typically be rewritten through a process called Sender Rewriting Scheme. This is just an example, however, and may not apply here, but since this IP is not recognized, the fact that DKIM passes means it had to have been sent from an authorized source originally.

I hope this helps!
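The alignment logic behind the reply above, as an added example that is not part of the original thread: DMARC passes a message when either SPF or DKIM produces a pass whose domain aligns with the RFC 5322 From domain, so a forwarded message whose return-path was rewritten still passes on the surviving DKIM signature while its SPF line shows an unaligned domain. The script parses a constructed aggregate report (three records: the forwarded case from the post, a normal authorized send, and an unsigned message from an unknown IP) and labels each record. The organizational-domain helper is an assumption that uses the last two labels instead of the Public Suffix List, which real receivers consult.

```python
"""Classify DMARC aggregate-report records by SPF/DKIM alignment.

Added example (not from the forum thread). The report below is constructed.
Rules follow RFC 7489: only an SPF or DKIM *pass* counts, and it must align
with the header From domain (strict "s" = exact match, relaxed "r" =
same organizational domain).
"""
import xml.etree.ElementTree as ET

# Constructed sample report with three records (IPs are documentation ranges).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published>
    <domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>someotherdomain.com</domain><result>neutral</result></spf>
      <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mydomain.com</domain><result>pass</result></spf>
      <dkim><domain>mail.mydomain.com</domain><result>pass</result></dkim>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption: a real receiver uses the Public Suffix List, so a domain
    like example.co.uk is mishandled by this simplification.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ("s") or relaxed ("r")."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def classify_record(record: ET.Element, adkim: str = "r", aspf: str = "r") -> dict:
    header_from = record.findtext("identifiers/header_from", "")
    spf_domain = record.findtext("auth_results/spf/domain", "")
    spf_result = record.findtext("auth_results/spf/result", "none")
    # neutral, softfail, fail and none all count as "no SPF pass" for DMARC.
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, aspf)

    dkim_ok = False  # a message may carry several signatures; one aligned pass suffices
    for dk in record.findall("auth_results/dkim"):
        if dk.findtext("result") == "pass" and aligned(dk.findtext("domain", ""), header_from, adkim):
            dkim_ok = True

    if dkim_ok and not spf_ok and spf_domain and not aligned(spf_domain, header_from, aspf):
        # Signature survived but the envelope sender belongs to someone else:
        # the SRS / mailbox-forward pattern described in the thread.
        verdict = "likely_forwarded"
    elif spf_ok or dkim_ok:
        verdict = "pass"
    else:
        verdict = "unauthenticated"  # spoof, or a legitimate sender never listed or signed

    return {
        "source_ip": record.findtext("row/source_ip", ""),
        "count": int(record.findtext("row/count", "0")),
        "header_from": header_from,
        "spf_domain": spf_domain,
        "spf_aligned_pass": spf_ok,
        "dkim_aligned_pass": dkim_ok,
        "verdict": verdict,
    }


def parse_report(xml_text: str) -> list:
    """Return one classification dict per <record>, honouring adkim/aspf."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim", "r")
    aspf = root.findtext("policy_published/aspf", "r")
    return [classify_record(r, adkim, aspf) for r in root.findall("record")]


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r['source_ip']:<14} count={r['count']:<3} spf={r['spf_domain']:<22} "
              f"spf_ok={r['spf_aligned_pass']!s:<5} dkim_ok={r['dkim_aligned_pass']!s:<5} {r['verdict']}")
```

The "likely_forwarded" label is a heuristic for triage, not proof: a forwarder that breaks the DKIM signature (for example by adding a footer) will land in "unauthenticated" alongside real spoofing, which is the main reason to review the source IPs in that bucket before moving the policy from p=none to quarantine or reject.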

Great! Thanks for the reply and for the explanation! I believe you’re right about messages being forwarded. I think that’s what’s going on even though that had not occurred to me before.

Thanks again!
