DMARC Enforcing rejecting valid messages

It appears that messages that Pass DKIM check, and therefore pass DMARC, but fail SPF are not being properly.

I’ve done a number of tests sending emails from the Amazon SES service, that have valid DKIM signatures, and when sent directly to my email address it is properly delivered, however when going through an address that is routed via Cloudflare’s email routing I get nothing.

These messages will always fail SPF as they are sent from Amazon SES, not a private IP.

Messages can pass both DKIM and SPF checks, but without they’re passing DMARC.

In order for them to also pass the DMARC checks, they must have a proper alignment to the original domain (for DKIM, that would be the domain used in the From: header, also referred to as RFC5322.From).

Mind of I ask, - how exactly are you verifying the DKIM pass?


So I can see that DKIM is passing through looking at messages sent to another email address that does NOT go through Cloudflare Email Routing. The messages are sent directly, not via a list server or other relay. See example below: (domains removed to protect identity info)

Authentication-Results: spf=fail (sender IP is
 smtp.mailfrom=xx.xx.xx; dkim=pass (signature was verified)
 header.d=xx.xx.xx;dmarc=pass action=none
 header.from=xx.xx.xx;compauth=pass reason=100
Received-SPF: Fail ( domain of xx.xx.xx does
 not designate as permitted sender); client-ip=;;

In order for DMARC to pass, the DKIM signature must verify (which it is in this case) but also the email’s From address needs to be in the same domain as the signature (alignment). Your example headers show DKIM signature passing but say nothing about alignment of the From domain.

In that case, Microsoft’s “compauth” thingy passed–that’s a thing Microsoft uses when they don’t have enough information for standard authentication. So it’s possible that Microsoft in particular is using their proprietary algorithm to decide your email is okay even though DMARC alignment isn’t passing.

Basically: is the email’s From address in the same domain as the DKIM signature?

1 Like

Yes, it does match (not hiding the domain below)

Authentication-Results: spf=fail (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;compauth=pass reason=100
Received-SPF: Fail ( domain of does
 not designate as permitted sender); client-ip=;;
Received: from ( by ( with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.6863.28 via Frontend Transport; Thu, 5 Oct 2023 19:13:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=s1jplid;; t=1696533209;
From: [email protected]

So you can see:

dkim=pass (signature was verified)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=s1jplid;
From: [email protected]

Yeah, that looks okay to me, in terms of DMARC. Maybe Cloudflare is rejecting solely on SPF? That’s not ideal.