Unknown Source SPF Outlook Pass. Why?

Hello,

I have been monitoring my domain for the past week, and saw in the Threat/Unknown tab an email from a weird server in Iran.
At first I thought that it was someone trying to usurp my domain name, but when I inspected it, I saw that the SPF test passed.

It does mean that this server is in the IP range of authorized IPs in my SPF record, but as I use Outlook servers for my domain, my SPF record only has 3 of my mail servers' IPs, spf.protection.outlook.com and spf.sendinblue.com.

However, I cannot find the IP of the server in my SPF list, so how did it pass the test?

Thank you for your help

Raphael

SPF evaluates the domain in the RFC 5321 mail-from, also known as the return-path. You can see in the image you shared that the mail-from domain is yp1.aznavrchol.cz. That means the SPF record for yp1.aznavrchol.cz is what will be evaluated, not your domain.

Looking up the TXT RR for yp1.aznavrchol.cz shows us that it is a CNAME for aznavrchol.cz, which in turn has an SPF record of "v=spf1 +all", meaning it will pass SPF for any IP.

Since the RFC 5321 mail-from domain did not match the RFC 5322 Header From domain, SPF cannot be used to pass DMARC. This is because alignment is required to pass DMARC using SPF. With strict alignment, an exact match is required. With relaxed alignment, a subdomain is also considered a match.

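To make the two steps in that answer concrete, here is a small added example (my own illustration, not code from this thread or from any DMARC product) that evaluates SPF against the RFC 5321 mail-from domain and then applies DMARC identifier alignment. It reads from a constructed in-memory DNS table instead of doing real lookups: the yp1.aznavrchol.cz CNAME and the "v=spf1 +all" record mirror what the answer reports, while example.com and _spf.example.net, their addresses, and the 198.51.100.77 sender address are placeholders standing in for the monitored domain and the unknown server.

```python
import ipaddress

# Constructed DNS table (assumption: stands in for real resolver lookups).
# The aznavrchol.cz entries follow the answer above; example.com and
# _spf.example.net are placeholder names with made-up addresses.
DNS = {
    "yp1.aznavrchol.cz": {"CNAME": "aznavrchol.cz"},
    "aznavrchol.cz": {"TXT": ["v=spf1 +all"]},
    "example.com": {"TXT": ["v=spf1 ip4:203.0.113.10 ip4:203.0.113.11 "
                            "include:_spf.example.net -all"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
}

# SPF qualifier prefixes and the result each one yields when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, hops=0):
    """Return the SPF TXT record for domain, following CNAMEs as a resolver would."""
    entry = DNS.get(domain.lower().rstrip("."), {})
    if "CNAME" in entry and hops < 10:
        return spf_record(entry["CNAME"], hops + 1)
    for txt in entry.get("TXT", []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, depth=0):
    """Evaluate SPF for the RFC 5321 mail-from domain.

    Only the ip4, include and all mechanisms are implemented; anything else
    is reported as permerror so the simplification is visible.
    """
    if depth > 10:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified term means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


def spf_aligned(mail_from_domain, header_from_domain, mode="relaxed"):
    """DMARC identifier alignment between RFC 5321 mail-from and RFC 5322 From.

    Simplification: relaxed mode accepts a parent/subdomain relationship
    instead of comparing Public Suffix List organizational domains as a real
    DMARC verifier does.
    """
    a = mail_from_domain.lower().rstrip(".")
    b = header_from_domain.lower().rstrip(".")
    if a == b:
        return True
    if mode == "strict":
        return False
    return a.endswith("." + b) or b.endswith("." + a)


def dmarc_spf_pass(ip, mail_from_domain, header_from_domain, mode="relaxed"):
    """SPF can satisfy DMARC only if it passes AND the identifiers align."""
    return (check_spf(ip, mail_from_domain) == "pass"
            and spf_aligned(mail_from_domain, header_from_domain, mode))


if __name__ == "__main__":
    # The case from the thread: an unrelated sender address, mail-from under
    # aznavrchol.cz, Header From under the monitored (placeholder) domain.
    ip, mail_from, header_from = "198.51.100.77", "yp1.aznavrchol.cz", "example.com"
    print("SPF result for mail-from domain:", check_spf(ip, mail_from))
    print("DMARC-aligned SPF pass:", dmarc_spf_pass(ip, mail_from, header_from))
```

Running it shows the two halves of the answer separately: check_spf reports "pass" for any address against yp1.aznavrchol.cz because the +all term matches everything, and dmarc_spf_pass reports False because the mail-from domain does not align with the Header From domain in either mode. A monitoring dashboard that only shows the raw SPF result, as in the screenshot, will therefore display "pass" for a message that still fails DMARC.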

Oh, ok, now I do understand.

Thank you for the explanation