DMARC Enforcing rejecting valid messages

It appears that messages that pass the DKIM check, and therefore pass DMARC, but fail SPF are not being properly delivered.

I’ve done a number of tests sending emails from the Amazon SES service, that have valid DKIM signatures, and when sent directly to my email address it is properly delivered, however when going through an address that is routed via Cloudflare’s email routing I get nothing.

These messages will always fail SPF as they are sent from Amazon SES, not a private IP.

Messages can pass both DKIM and SPF checks, but without passing DMARC.

In order for them to also pass the DMARC checks, they must have a proper alignment to the original domain (for DKIM, that would be the domain used in the From: header, also referred to as RFC5322.From).

Mind if I ask, how exactly are you verifying the DKIM pass?

3 Likes

So I can see that DKIM is passing through looking at messages sent to another email address that does NOT go through Cloudflare Email Routing. The messages are sent directly, not via a list server or other relay. See example below: (domains removed to protect identity info)

Authentication-Results: spf=fail (sender IP is 54.240.27.38)
 smtp.mailfrom=xx.xx.xx; dkim=pass (signature was verified)
 header.d=xx.xx.xx;dmarc=pass action=none
 header.from=xx.xx.xx;compauth=pass reason=100
Received-SPF: Fail (protection.outlook.com: domain of xx.xx.xx does
 not designate 54.240.27.38 as permitted sender)
 receiver=protection.outlook.com; client-ip=54.240.27.38;
 helo=a27-38.smtp-out.us-west-2.amazonses.com;

In order for DMARC to pass, the DKIM signature must verify (which it is in this case) but also the email’s From address needs to be in the same domain as the signature (alignment). Your example headers show DKIM signature passing but say nothing about alignment of the From domain.

In that case, Microsoft’s “compauth” thingy passed–that’s a thing Microsoft uses when they don’t have enough information for standard authentication. So it’s possible that Microsoft in particular is using their proprietary algorithm to decide your email is okay even though DMARC alignment isn’t passing.

Basically: is the email’s From address in the same domain as the DKIM signature?

1 Like

Yes, it does match (not hiding the domain below)

Authentication-Results: spf=fail (sender IP is 54.240.27.38)
 smtp.mailfrom=idmail.jpl.nasa.gov; dkim=pass (signature was verified)
 header.d=jpl.nasa.gov;dmarc=pass action=none
 header.from=jpl.nasa.gov;compauth=pass reason=100
Received-SPF: Fail (protection.outlook.com: domain of idmail.jpl.nasa.gov does
 not designate 54.240.27.38 as permitted sender)
 receiver=protection.outlook.com; client-ip=54.240.27.38;
 helo=a27-38.smtp-out.us-west-2.amazonses.com;
Received: from a27-38.smtp-out.us-west-2.amazonses.com (54.240.27.38) by
 VI1EUR04FT005.mail.protection.outlook.com (10.152.28.65) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6863.28 via Frontend Transport; Thu, 5 Oct 2023 19:13:30 +0000
X-IncomingTopHeaderMarker:
 OriginalChecksum:71B6A211E39906E48EF6E85FD67C38918C7E5BEE648090DCA8034124EA1B229D;UpperCasedChecksum:E59AD22EAD710E50E0D726FFFA02542D1ADCEEAE591E695C5D7FEB52BEA8E41E;SizeAsReceived:1610;Count:12
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=s1jplid;
	d=jpl.nasa.gov; t=1696533209;
	h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
	bh=yiO5lLOEA7SacnUrrPvJYmZGLDdI3rjSx9/t+BT/EL8=;
	b=RrJI4cWGAYYa1Yw1KYxUbI5UQU1JLki3ro6cLwNOHG75JkzH5xtyQY5rwyg79Cg0
	YWNAYxtpLBeIvmCcZmbwG8e/ZtPn8j2ztQjyXq0am8TWzFJs5ML6pn255Wh+zcxUqzT
	bIu7KySSPimYgZDnSyybOROXpDnpqW3iYR6v9j5jjhku/Yd0qAxJinwCiBpgaVBsLxf
	AMj2nqbgX8tMn13sfTR0hrz9yeA77Cp43IvfibwcfshP5EymJeHRGU6U4OnVySmucIO
	l8QKvfjnlYRiO5bdXJkzBVt8rCbMgB2OF61yxAjOTOeGvdZ2OHykP3YqacVRe396mn5
	5OUuD6mtnw==
From: [email protected]

So you can see:

dkim=pass (signature was verified)
header.d=jpl.nasa.gov
and
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=s1jplid;
d=jpl.nasa.gov
and
From: [email protected]

Yeah, that looks okay to me, in terms of DMARC. Maybe Cloudflare is rejecting solely on SPF? That’s not ideal.
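The alignment rule the replies above describe, worked through in code. This is an added example, not code from the thread or from Cloudflare or Microsoft. It reads the Authentication-Results, DKIM-Signature and From headers (constructed here from the headers quoted in the thread; the redacted From local part is replaced by the placeholder "user" and the b= value is truncated, since the example only reads the receiver's recorded verdicts and never verifies the signature itself) and applies the DMARC rule: pass requires at least one authenticated identifier, the SPF MAIL FROM domain or the DKIM d= domain, that aligns with the RFC5322.From domain. The org_domain helper is an assumption of the example: it takes the last two labels instead of consulting the Public Suffix List, which is what real verifiers do.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the thread above, reduced to the
# three that matter for DMARC. The From local part was redacted on the page,
# so "user" is a placeholder, and the b= signature value is truncated because
# this example never verifies the signature; it only reads recorded verdicts.
RAW = """Authentication-Results: spf=fail (sender IP is 54.240.27.38)
 smtp.mailfrom=idmail.jpl.nasa.gov; dkim=pass (signature was verified)
 header.d=jpl.nasa.gov;dmarc=pass action=none
 header.from=jpl.nasa.gov;compauth=pass reason=100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=s1jplid;
 d=jpl.nasa.gov; t=1696533209;
 h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date;
 bh=yiO5lLOEA7SacnUrrPvJYmZGLDdI3rjSx9/t+BT/EL8=;
 b=RrJI4cWGAYYa1Yw1KYxUbI5UQU1JLki3ro6cLwNOHG75JkzH5xtyQY5rwyg79Cg0
From: user@jpl.nasa.gov
Subject: DMARC alignment test

(body)
"""


def org_domain(domain):
    """Organizational domain. Simplified assumption: the last two labels.
    Real verifiers use the Public Suffix List (example.co.uk would break here)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' exact match, 'r' same organizational domain."""
    a, f = auth_domain.lower().strip("."), from_domain.lower().strip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_auth_results(value):
    """Authentication-Results -> {method: (result, {property: value})}.
    Comments in parentheses are dropped; a leading authserv-id stanza
    (absent in the Microsoft header above) is skipped if present."""
    value = re.sub(r"\([^)]*\)", "", re.sub(r"\s+", " ", value))
    results = {}
    for stanza in value.split(";"):
        tokens = stanza.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def parse_dkim_tags(value):
    """DKIM-Signature tag=value list -> dict (folding whitespace is insignificant)."""
    value = re.sub(r"\s+", "", value)
    return dict(t.split("=", 1) for t in value.split(";") if "=" in t)


def dmarc_evaluate(raw_message, adkim="r", aspf="r"):
    """Apply the DMARC rule to recorded SPF/DKIM verdicts:
    pass iff some *passing* identifier aligns with the RFC5322.From domain."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    ar = parse_auth_results(msg["Authentication-Results"])
    spf_res, spf_props = ar.get("spf", ("none", {}))
    dkim_res, dkim_props = ar.get("dkim", ("none", {}))
    spf_dom = spf_props.get("smtp.mailfrom", "")
    dkim_dom = dkim_props.get("header.d", "")
    # cross-check the verdict's header.d against the d= tag actually present
    sig_dom = parse_dkim_tags(msg.get("DKIM-Signature", "")).get("d", "")
    spf_aligned = bool(spf_dom) and aligned(spf_dom, from_dom, aspf)
    dkim_aligned = bool(dkim_dom) and aligned(dkim_dom, from_dom, adkim)
    spf_ok = spf_res == "pass" and spf_aligned
    dkim_ok = dkim_res == "pass" and dkim_aligned
    return {
        "from_domain": from_dom,
        "spf": (spf_res, spf_dom, spf_aligned),
        "dkim": (dkim_res, dkim_dom, dkim_aligned, sig_dom == dkim_dom),
        "dmarc_pass": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for aspf in ("r", "s"):
        print("aspf=" + aspf, dmarc_evaluate(RAW, aspf=aspf))
    # Same message with From in another domain: DKIM still verifies, DMARC fails.
    print(dmarc_evaluate(RAW.replace("user@jpl.nasa.gov", "user@example.com")))
```

Run against the thread's headers, the SPF path can never contribute: smtp.mailfrom=idmail.jpl.nasa.gov would align with jpl.nasa.gov under relaxed alignment (same organizational domain) but not under strict, and in either mode the SPF verdict is fail. DMARC passes entirely on the DKIM path, because d=jpl.nasa.gov is an exact match for the From domain. Swapping the From domain for example.com shows the case the second reply was asking about: dkim=pass with no alignment, which is a DMARC fail regardless of the signature.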