DMARC failed, but SPF pass
Solution 1
The reason for the DMARC fail on SPF policy (<policy_evaluated><spf>fail) despite the SPF check passing (<auth_results><spf><result>pass) is that your SMTP "mailFrom" (envelope MAIL From or RFC 5321.MailFrom) & your header "From" fields are out of alignment. I can't be sure from the extract you posted, but it's the likely answer.
e.g. if your mail system sets the envelope MAIL From to <[email protected]>, but your header From says the reply address is <[email protected]>, the domains are out of alignment & the DMARC evaluation of SPF will fail, even though you have included mail.provider.tld in your SPF record.
These articles may help:
- https://stackoverflow.com/questions/33288490/dmarc-spf-dkim-not-authenticating-with-third-party-mail
- https://blogs.msdn.microsoft.com/tzink/2013/04/27/how-to-setup-dmarc-records-if-you-are-outsourcing-some-or-all-of-your-email-part-1 & https://blogs.msdn.microsoft.com/tzink/2013/04/27/how-to-setup-your-dmarc-records-if-you-are-outsourcing-some-or-all-of-your-email-part-2
As Henry said, you only require one of the two tests (SPF or DKIM) to be in alignment for DMARC to pass.
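The alignment check described in this answer, as an added example that is not part of the original answer: it re-evaluates one aggregate-report record under relaxed or strict mode (aspf/adkim). The record is constructed, and `org_domain` is a simplifying assumption (last two labels) standing in for the Public Suffix List lookup a real evaluator performs.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report record (not from the page): SPF passes for the
# provider's envelope domain, while the header From uses a different domain.
SAMPLE_RECORD = """
<record>
  <row>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <spf><domain>mail.provider.tld</domain><result>pass</result></spf>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
  </auth_results>
</record>
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # consult the Public Suffix List (needed for names like example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    # mode "s" = strict (exact FQDN match), "r" = relaxed (same org domain)
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if not a or not b:
        return False  # a missing identifier never aligns
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def evaluate_record(xml_text, aspf="r", adkim="r"):
    rec = ET.fromstring(xml_text.strip())
    header_from = rec.findtext("identifiers/header_from", "")
    verdict = {}
    for mech, mode in (("spf", aspf), ("dkim", adkim)):
        # A mechanism counts for DMARC only if it passed AND its domain aligns.
        ok = any(
            r.findtext("result") == "pass"
            and aligned(header_from, r.findtext("domain", ""), mode)
            for r in rec.findall(f"auth_results/{mech}")
        )
        verdict[mech] = "pass" if ok else "fail"
    # DMARC passes when at least one aligned mechanism passes.
    verdict["dmarc"] = "pass" if "pass" in (verdict["spf"], verdict["dkim"]) else "fail"
    reported = {m: rec.findtext(f"row/policy_evaluated/{m}") for m in ("spf", "dkim")}
    verdict["matches_report"] = all(verdict[m] == reported[m] for m in reported)
    return verdict

if __name__ == "__main__":
    print(evaluate_record(SAMPLE_RECORD))
```
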
Solution 2
I don't know much about that testing location; I use [email protected] as my main go-to email tester. That aside, DMARC can fail if your SPF is not aligned; this is called the ASPF test. DMARC requires SPF, DKIM or both. Since you have SPF working, the only thing that comes to mind is that possibly your ASPF test is failing, or the tester has a possible bug. I did test my email with that test and it did indicate that I passed DMARC.
Comments
-
griotteau almost 2 years
If I send a mail from my website (on a private server) to [email protected], I have this report:
    <record>
      <row>
        <source_ip>x.x.x.x</source_ip>
        <count>1</count>
        <policy_evaluated>
          <disposition>none</disposition>
          <dkim>pass</dkim>
          <spf>fail</spf>
        </policy_evaluated>
      </row>
      <identifiers>
        <header_from>mydomain.com</header_from>
      </identifiers>
      <auth_results>
        <spf>
          <domain>mydomain.com</domain>
          <result>pass</result>
        </spf>
        <dkim>
          <domain>mydomain.com</domain>
          <result>pass</result>
        </dkim>
      </auth_results>
    </record>
The identifiers/header_from and auth_results/spf/domain are both mydomain.com; my sender (and return path) is [email protected]
The SPF test alone is OK, but the DMARC (policy_evaluated/spf) fails; I don't understand why ...
My DNS records (SPF/DMARC):
    "v=spf1 a mx include:mx.ovh.com -all"
    "v=DMARC1\; p=reject\; sp=none\; rua=mailto:[email protected]\; rf=afrf\; pct=100\; ri=86400"
-
comfreak about 7 years
Does the alignment test also fail, if the domain is the same but the local-part is different?
-
Henry about 7 years
This article explains what you are looking for: unlocktheinbox.com/emailidentifieralignments
-
Dean Ransevycz about 7 years
The link provided by @henry is a good explanation of identifier alignment. In summary: your DMARC policies adkim (DKIM alignment) & aspf (SPF alignment) dictate whether these should be FQDN matches (strict mode), or just domain matches (relaxed mode). Relaxed mode is the default for both. (e.g. a sending host of mailer.domain.tld with a DKIM or SPF domain of domain.tld would pass relaxed alignment, but fail strict alignment.)
-
comfreak about 7 years
I checked the link and it seems like the local-part is not relevant but I still get DMARC failure reports despite having relaxed mode published and a strict mode setup. So it should work perfectly. The only thing that is not matching is the envelope-from and the from header in some emails. That's why I asked, if that might be the reason for the failure reports.
-
Dean Ransevycz about 7 years
I'd need to see your published records & the examples from your reports to comment further.