Receiving DMARC reports for emails I do not send

dkim dmarc email email-server

I am hosting the email for my domain (let's call it example.com) on Google Apps (free legacy edition). I recently enabled the DMARC reports so I now get a daily report for the emails sent from my domain.

My problem is that sometimes I get reports from google.com for emails sent from my domain having spf and dkim with a value of pass. This means the emails were actually sent and signed from my Google Apps account and are not from someone pretending to be my account. However, I cannot find these sent emails in any of the sent items folders of any of my accounts.

Checking IP logs from the Google security pages does not indicate any suspicious IP activity.

Is there any way the google.com mailservers may be sending me DMARC reports for an email I did not send? Or do I have a virus that may somehow be sending information from the session on my browser and then deleting it from the sent items folder?

I should also mention that since I am not sending much email from this account, these reports do not come every day, and that when they do I can usually match the emails sent with the report. Today, though, I could not, as I did not send any emails from Gmail.

Today's DMARC report follows with my domain changed to example.com. The report file name was google.com!example.com!1452384000!1452470399.xml. You will notice one record specifying email sent from amazonses.com. That email was legit and was actually sent by me. But the other record with source_ip of 2607:f8b0:4003:c06::248 was not sent by me.

Can anyone explain what I am seeing?

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>9818071788624937284</report_id>
    <date_range>
      <begin>1452384000</begin>
      <end>1452470399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>54.240.6.222</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>eu-west-1.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2607:f8b0:4003:c06::248</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

The SPF record is "v=spf1 include:_spf.google.com include:amazonses.com ~all" since I also send mail through amazonses.

The DMARC record is "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:postmaster@example.com;"

Best Answer

I have finally figured out why I was seeing these DMARC reports about properly signed email sent from my domain.

As I mentioned in the question, my DMARC record was "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:postmaster@example.com;"

By default, Google Apps will not deliver emails sent to postmaster@example.com to any of your mailboxes. In order for me to receive these emails I had to create a group with the same name and add myself as a member of this group. This setup step is explained in this Google Apps Help Page.

It turns out, however, that the email forwarded by the group to my mailbox was counted as an email sent from my domain, which meant that I also received a DMARC report for it. This created a feedback loop, so I received a DMARC report every day because a DMARC report was forwarded the previous day.

Once I created a new account called dmarc@example.com to accept the DMARC emails and changed my DNS records to "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:dmarc@example.com;" the problem went away.
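
As an added example (not part of the original answer and not Google's own tooling), the Python below reads the two records from the report in the question and checks, per source, whether the passing DKIM and SPF results are aligned with header_from under the relaxed mode (adkim=r, aspf=r) that the report publishes. The function names and the two-label `org_domain` shortcut are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records from the report in the question, trimmed.
SAMPLE = """<feedback>
  <record>
    <row><source_ip>54.240.6.222</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
      <spf><domain>eu-west-1.amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2607:f8b0:4003:c06::248</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned_pass(record, mech, header_from):
    # Relaxed alignment: a passing result counts only if its domain shares
    # the organizational domain of the From: header.
    return any(
        r.findtext("result") == "pass"
        and org_domain(r.findtext("domain", "")) == org_domain(header_from)
        for r in record.findall(f"auth_results/{mech}")
    )

def summarize(xml_text):
    # One row per <record>; own_infrastructure means both mechanisms aligned.
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        hf = rec.findtext("identifiers/header_from")
        dkim = aligned_pass(rec, "dkim", hf)
        spf = aligned_pass(rec, "spf", hf)
        rows.append({"source_ip": rec.findtext("row/source_ip"), "dkim_aligned": dkim,
                     "spf_aligned": spf, "own_infrastructure": dkim and spf})
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

The amazonses.com record passes SPF only for eu-west-1.amazonses.com, which is why the report's policy_evaluated shows spf as fail for it, while the record from 2607:f8b0:4003:c06::248 is aligned on both mechanisms, meaning it left through infrastructure the domain itself authorizes.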