It appears that messages that Pass DKIM check, and therefore pass DMARC, but fail SPF are not being properly.
I’ve done a number of tests sending emails from the Amazon SES service, that have valid DKIM signatures, and when sent directly to my email address it is properly delivered, however when going through an address that is routed via Cloudflare’s email routing I get nothing.
These messages will always fail SPF as they are sent from Amazon SES, not a private IP.
Messages can pass both DKIM and SPF checks, but without their passing DMARC.
In order for them to also pass the DMARC checks, they must have a proper alignment to the original domain (for DKIM, that would be the domain used in the From: header, also referred to as RFC5322.From).
Mind if I ask, how exactly are you verifying the DKIM pass?
So I can see that DKIM is passing through looking at messages sent to another email address that does NOT go through Cloudflare Email Routing. The messages are sent directly, not via a list server or other relay. See example below: (domains removed to protect identity info)
Authentication-Results: spf=fail (sender IP is 54.240.27.38)
smtp.mailfrom=xx.xx.xx; dkim=pass (signature was verified)
header.d=xx.xx.xx;dmarc=pass action=none
header.from=xx.xx.xx;compauth=pass reason=100
Received-SPF: Fail (protection.outlook.com: domain of xx.xx.xx does
not designate 54.240.27.38 as permitted sender)
receiver=protection.outlook.com; client-ip=54.240.27.38;
helo=a27-38.smtp-out.us-west-2.amazonses.com;
In order for DMARC to pass, the DKIM signature must verify (which it is in this case) but also the email’s From address needs to be in the same domain as the signature (alignment). Your example headers show DKIM signature passing but say nothing about alignment of the From domain.
In that case, Microsoft’s “compauth” thingy passed; that’s a thing Microsoft uses when they don’t have enough information for standard authentication. So it’s possible that Microsoft in particular is using their proprietary algorithm to decide your email is okay even though DMARC alignment isn’t passing.
Basically: is the email’s From address in the same domain as the DKIM signature?
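To make the alignment question concrete, here is an added example (not from any post in this thread, and not Cloudflare or Amazon code) that parses an Authentication-Results header like the one quoted above and evaluates DMARC the way the two replies describe: DKIM must pass and its header.d domain must align with the RFC5322.From domain, or SPF must pass and its smtp.mailfrom domain must align. The sample headers and the domains example.com, bounce.example.com and amazonses.com are constructed for illustration; the organizational-domain helper is a deliberate simplification (last two labels) where a real implementation would use the Public Suffix List.

```python
"""DMARC alignment check over an Authentication-Results header (added example)."""
import re
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.

    Simplification: take the last two labels. A production implementation
    must consult the Public Suffix List (e.g. example.co.uk has three labels).
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match between the authenticated domain and the From domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts and their identifier domains out of an
    Authentication-Results header (folded lines are joined first)."""
    text = " ".join(header.split())
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", text)
        results[mech] = m.group(1).lower() if m else None
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", text)
    # smtp.mailfrom may be a full address or just a domain; keep the domain part
    results["mailfrom_domain"] = m.group(1).split("@")[-1] if m else None
    m = re.search(r"header\.d=([^\s;]+)", text)
    results["dkim_domain"] = m.group(1) if m else None
    m = re.search(r"header\.from=([^\s;]+)", text)
    results["from_domain"] = m.group(1) if m else None
    return results


def dmarc_evaluate(auth_results: str, from_header: str,
                   adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if either authenticated identifier is aligned with the
    RFC5322.From domain. adkim/aspf mirror the policy-record tags."""
    r = parse_auth_results(auth_results)
    from_addr = parseaddr(from_header)[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    dkim_aligned = (r["dkim"] == "pass" and r["dkim_domain"] is not None
                    and aligned(r["dkim_domain"], from_domain, adkim))
    spf_aligned = (r["spf"] == "pass" and r["mailfrom_domain"] is not None
                   and aligned(r["mailfrom_domain"], from_domain, aspf))
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,
    }


# Constructed sample 1: SES sending with a custom DKIM signing domain that
# matches the From domain. SPF fails (SES IP is not in the From domain's SPF
# record) but DKIM is aligned, so DMARC passes on DKIM alone.
AR_ALIGNED = """Authentication-Results: mx.example.net;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com;
 dkim=pass (signature was verified) header.d=example.com;
 dmarc=pass action=none header.from=example.com"""
FROM_ALIGNED = "Alice <alice@example.com>"

# Constructed sample 2: same message but signed with the sending service's own
# domain. DKIM verifies, yet header.d does not align with From, so DMARC fails.
AR_UNALIGNED = """Authentication-Results: mx.example.net;
 spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com;
 dkim=pass (signature was verified) header.d=amazonses.com;
 dmarc=fail action=none header.from=example.com"""

if __name__ == "__main__":
    for label, ar in (("aligned", AR_ALIGNED), ("unaligned", AR_UNALIGNED)):
        print(label, dmarc_evaluate(ar, FROM_ALIGNED))
```

The second sample is the case both replies are probing for: a DKIM pass on its own is not enough, and a receiver that reports dkim=pass can still report dmarc=fail when header.d is a different organizational domain from header.from. Checking the header.d value against the From domain, as the function does, answers the question asked above.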