My DMARC settings seems to not work as expected.
First, a few things to note:
- The domain is
mydomain.com(not the real one obviously) ; - The domain and mail provider is
gandi.net; - I use Amazon SES to send emails from a website using
[email protected]; - I use Gmail to send and receive emails for
[email protected];
The SPF record is set as TXT on mydomain.com:
"v=spf1 include:_mailcust.gandi.net include:amazonses.com include:_spf.google.com ~all"
include:_mailcust.gandi.netallows gandi.net to send emails usingmydomain.com;include:amazonses.comallows amazonses.com to send emails usingmydomain.com;include:google.comallows google.com to send emails usingmydomain.com;~allallows any other servers to send emails usingmydomain.combut will result in an SPF check FAIL (softfail)
The DMARC record is set as TXT on _dmarc.mydomain.com:
"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:[email protected];"
p=quarantinedelivers emails that failed a SPF/DKIM check and mark them as spam ;sp=rejectrejects emails sent using an address with a subdomain like[email protected];pct=5applies the policy (pand notsp?) to 5% of emails ;fo=1sends reports for DKIM failure OR SPF failure ;
Now the weird things, in this DMARC RUA report:
<record>
<row>
<source_ip>40.107.12.85</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>GovSIPF.onmicrosoft.com</domain>
<result>pass</result>
<selector>selector1-GovSIPF-onmicrosoft-com</selector>
</dkim>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>gm1</selector>
</dkim>
<spf>
<domain>administration.gov.pf</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
- The source IP
40.107.12.85is fromoutlook.combut I don't use outlook ; - There is a DKIM block with the domain
GovSIPF.onmicrosoft.com, GovSIPF is one of my customer ; - There is an SPF block with the domain
administration.gov.pfwhich is the domain they use for their email addresses like[email protected];
I don't understand why I see a SPF block with the domain administration.gov.pf, does it mean that they sent an email with an address like [email protected] through outlook.com servers ?
Another DMARC report a little different:
<record>
<row>
<source_ip>202.90.68.50</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>gm1</selector>
</dkim>
<spf>
<domain>mydomain.com</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
- The source IP
202.90.68.50is frommana.pf, a local ISP but we don't use it ;
Best Answer
The
<source_ip>value is the IP where the original email came from.It does not necessarily need to be a server you use.
DKIM check passed. This is a strong indication that the email was sent using Outlook.
Notice that there is a second DKIM pass auth block for mydomain.com too.
SPF checks passed too. This means that the Outlook IP in
<source_ip>is authorized to send emails *@administration.gov.pf.Yes.
And since you don't use Outlook, this most likely was a forwarded email send from one of your servers. DMARC checks pass for the email because the DKIM authentication result for mydomain.com pass (the result is “in alignment”).