Is GMAIL incorrectly failing SPF


O365 mail users are encouraged to use include:spf.protection.outlook.com -all in their SPF record.

I have followed this guidance. My company's SPF record says:

    v=spf1 include:spf.protection.outlook.com -all

The spf.protection.outlook.com record ends with include:spfa.protection.outlook.com -all, which ends with include:spfb.protection.outlook.com

Each of those includes has a set of CIDRs for IPs used by outlook.com when sending email.

However, I am getting DMARC reports from google.com indicating an SPF FAIL for an IP that is actually covered by one of the includes in the SPF record. I think this is incorrect, yet is happening frequently.

Here is an example:

    <source_ip>104.47.117.233</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>

The rejected IP is part of ip4:104.47.0.0/17, which is part of the spfb.protection.outlook record:

    spfb.protection.outlook.com. 394 IN TXT "v=spf1 ip6:2a01:111:f400::/48 ip4:23.103.128.0/19 ip4:23.103.198.0/23 ip4:65.55.88.0/24 ip4:104.47.0.0/17 ip4:23.103.200.0/21 ip4:23.103.208.0/21 ip4:23.103.191.0/24 ip4:216.32.180.0/23 ip4:94.245.120.64/26 -all"

So, why is Google's email server treating this as an SPF fail?

This is not an isolated example – I receive frequent SPF fail notifications with respect to IPs included in the SPF record.

Best Answer

I have figured it out. Not surprisingly, it was me misinterpreting the report, not Google getting their DMARC implementation wrong :)

The SPF result in the policy evaluated section that I was being confused by (copy posted in OP) is the DMARC evaluated SPF result after considering alignment.

This quote here explains the issue:

Please note that the SPF and DKIM results in the auth_results are raw results, regardless of Identifier Alignment; the results of the DMARC evaluation with Identifier Alignment are in the policy_evaluated section.

I checked the rest of the record and found that the raw results for the same record were, correctly, SPF pass.

So, what the DMARC report was telling me was that, while the SPF result was indeed from outlook.com (and hence was a raw 'pass'), the return path header did not match my sending domain, which produces a DMARC evaluation SPF fail. Another reference here.

Basically, do not attempt to read the XML reports directly - they are hard for humans! I found this DMARC XML parser which does a fabulous job of allowing you to clearly see what the DMARC report is trying to tell you.
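
The distinction the answer describes, as an added example that is not part of the original post: this script puts the raw `auth_results` SPF result next to the aligned `policy_evaluated` result for each record of an aggregate report. The sample record and its domains are constructed placeholders, and relaxed alignment is approximated by comparing the last two labels of each domain instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed record in the aggregate-report layout; the domains are placeholders.
SAMPLE = """<feedback><record>
  <row>
    <source_ip>104.47.117.233</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>tenant.example.net</domain><result>pass</result></spf>
  </auth_results>
</record></feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(name.strip().lower().rstrip(".").split(".")[-2:])

def explain_spf(xml_text):
    """Return one dict per raw SPF result, next to the DMARC-evaluated result."""
    out = []
    # Reports come from third parties: use a hardened parser (e.g. defusedxml) in production.
    for rec in ET.fromstring(xml_text).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        for spf in rec.findall("auth_results/spf"):
            domain, raw = spf.findtext("domain", ""), spf.findtext("result", "")
            aligned = org_domain(domain) == org_domain(header_from)
            out.append({
                "source_ip": rec.findtext("row/source_ip", ""),
                "header_from": header_from,
                "spf_domain": domain,
                "raw_spf": raw,                       # auth_results: before alignment
                "aligned": aligned,                   # relaxed alignment (approximated)
                "evaluated_spf": rec.findtext("row/policy_evaluated/spf", ""),
                "unaligned_pass": raw == "pass" and not aligned,
            })
    return out

if __name__ == "__main__":
    for row in explain_spf(SAMPLE):
        print(row)
```

A row with `unaligned_pass` set is the case from the question: the sending IP is authorized by the MAIL FROM domain's SPF record, but that domain is not the one in the From header.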
