Hi! I’m new here and I’m VERY happy to have found this forum! Every now and then, I have questions about the DMARC reports I receive and hopefully, this is the right place to ask them.
With that being stated, I received a truly bizarre SPF failure in a DMARC report. Here is a “sanitized” snippet of the DMARC report, which contains the SPF failure:
<record>
  <row>
    <source_ip>aaa.bbb.ccc.ddd</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>someotherdomain.com</domain>
      <result>neutral</result>
    </spf>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
    </dkim>
  </auth_results>
</record>
IP address ‘aaa.bbb.ccc.ddd’ above is NOT associated with my domain at all, which is why I’m perplexed. I interpret the above failure to mean “A mail server at IP address aaa.bbb.ccc.ddd tried to send email from ‘mydomain.com’, which it isn’t permitted to do because the SPF record doesn’t allow IP address ‘aaa.bbb.ccc.ddd’ to send email on behalf of ‘mydomain.com’.”
Is that a correct interpretation?
Thanks in advance for your assistance!
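Added example, not part of the original post: a small Python sketch that re-derives the `policy_evaluated` values of the record above from its `auth_results`, showing which domain each check authenticated and whether that domain aligns with `header_from`. The function names are hypothetical, relaxed alignment is assumed, and the organizational domain is approximated as the last two labels (real evaluators use the Public Suffix List).

```python
import xml.etree.ElementTree as ET

# The record from the post, placeholder values kept exactly as posted.
RECORD = """<record>
  <row><source_ip>aaa.bbb.ccc.ddd</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <spf><domain>someotherdomain.com</domain><result>neutral</result></spf>
    <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
  </auth_results>
</record>"""

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if strict else org_domain(a) == org_domain(h)

def explain(record_xml, strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    out = {"source_ip": rec.findtext("row/source_ip"), "header_from": header_from}
    for mech in ("spf", "dkim"):
        checks = [
            {"domain": n.findtext("domain"),
             "result": n.findtext("result"),
             "aligned": aligned(n.findtext("domain"), header_from, strict)}
            for n in rec.findall(f"auth_results/{mech}")
        ]
        # DMARC counts a mechanism only if it passed AND its domain aligns.
        ok = any(c["result"] == "pass" and c["aligned"] for c in checks)
        out[mech] = "pass" if ok else "fail"
        out[mech + "_checks"] = checks
        out[mech + "_reported"] = rec.findtext(f"row/policy_evaluated/{mech}")
    # One aligned pass from either mechanism is enough for DMARC to pass.
    out["dmarc"] = "pass" if "pass" in (out["spf"], out["dkim"]) else "fail"
    return out

if __name__ == "__main__":
    for key, value in explain(RECORD).items():
        print(f"{key}: {value}")
```

On this record the SPF check was made against `someotherdomain.com` and returned `neutral`, so it neither passes nor aligns with `mydomain.com`, while the aligned DKIM pass is sufficient for the message to pass DMARC.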