I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant).
Recently I decided to enabled DMARC reporting and noticed something very peculiar about the results. Some messages pass DKIM and are DKIM aligned (and thus pass DMARC), but come from an IP address I was not expecting (and are failing SPF). As I understand it emails from my server should only come from my static IP (which i have a SPF record for).
If they were attempted spammers trying to use my domain then they should not pass the DKIM. After a bit of researched I decided to try rotating my DKIM key but it is still happening.
How could this be happening and should I be concerned about it?
Best Answer
I work on the Postmark team and this is a question we get often. When DKIM passes and SPF fails like this it's usually because of message forwarding.
For example. Say someone from your domain sends to someone outside your domain, who then forwards their message to their Gmail account automatically. That message should pass DKIM, but not align with SPF because it originates from a source not in your policy.
Nothing out of the ordinary or to be too concerned about. More info here if you're interested.