DMARC Report confusing - how can SPF and DKIM be aligned, but still fail DMARC?


Subject says most of it.
I have a domain configured with a DMARC record with p=none (reporting-only), for now.
The reports for a particular IP address coming in to Cloudflare are showing a “Pass” under both the “SPF aligned” and “DKIM aligned” column, but there are still a small percentage of DMARC Failures (maybe 10% of the messages received from the listed IP - the DMARC Pass column says 1.02k, and DMARC Fail is 105 messages). The envelope domain matches the from domain.

How is it possible for an IP address to Pass both SPF and DKIM, but still fail DMARC?

I’m not sure about the specifics of the Cloudflare DMARC Management dashboard, but generally speaking, an SPF Alignment PASS is not the same as an SPF PASS.

For DMARC to PASS, you need both an SPF PASS and SPF Alignment (or the same with DKIM).

In your case, if the message passed the alignment, it might be that it did not pass SPF itself.

I generally recommend testing the setup with https://www.mail-tester.com for any obvious problems.


Can you share a screenshot of any of this, to give more clarity to the situation at hand?

Messages that have valid DKIM or SPF, but with the authentication on different domain names, won’t pass in the DMARC world.

An example, specific to DKIM, was made over here:

The same goes for SPF and its alignment, between the domain in the From: header and the domain of the email address used in the SMTP MAIL FROM (also commonly referred to as RFC5321.MailFrom / Envelope From / Return-Path).

Without seeing the actual DMARC reports, I will say it sounds like the alignment somehow isn’t (perfectly) fine, if it fails DMARC.

I’m wondering, … are you only steering your DMARC reports towards Cloudflare?

Or are you also saving them yourself, by steering them towards a mailbox of your own, too?


FWIW, I’m generally familiar with how SPF and DKIM are supposed to work.

Can you share a screenshot of any of this, to give more clarity to the situation at hand?

Everything blocked by a red rectangle is [mydomain].org, just for privacy.


This is one of the rows in our reporting table from Cloudflare, and the only one that stood out as having a “DMARC Fail” count while also showing green on both alignment columns.

I tried to add a second image but my account is apparently too “new” on Discourse so I was denied… Going to reply with that in another message.

The mail is being hosted by Google (Workspace) here, and that is one of their IPs, AFAIK.
I have the appropriate include: for their SPF record, within our own. We have a DKIM selector defined and it matches what is set in GWorkspace. I’m confused by why the screenshot is showing that SPF and DKIM are both aligned, but 105 messages are flagging “DMARC Fail.”

I’m wondering, … are you only steering your DMARC reports towards Cloudflare?
Or are you also saving them yourself, by steering them towards a mailbox of your own, too?

The “rua” is going to both cloudflare and a mailbox on our own Workspace instance. The “ruf” is going only to a mailbox on our Workspace instance (AFAIK Cloudflare doesn’t want the detailed failure reports sent to them, as the service only puts a cloudflare address in the “rua” value?) I actually don’t have access to that mailbox (long story), but could potentially add another mailto on the “rua” entry…

A larger view of the same table (newer screenshot), showing the same top row plus a bunch more. I don’t know what the deal is with all of the “calendar-server.bounces.google.com” envelope messages, but at least I can understand why those are failing SPF.

mail-tester dot com gave me a 10/10 score. I’m not seeing any obvious deliverability problems… I’m just scratching my head about the top row in the table in my other screenshot(s) (see other replies in this thread).

Might be the same issue as here:
https://www.reddit.com/r/DMARC/comments/1cpe5dy/strange_dmarc_report_from_google_claiming_sends/

In that thread, the problem was that


Seeing your screenshot, the way I’m interpreting it is like this:

One single IP address (e.g. 209.85.220.69) will only show up once, even if there are multiple distinct results from that specific IP address.

So, instead of seeing what some people may be questioning as potential duplicates, e.g. like this:

Source IP      DMARC Pass  DMARC Fail  SPF Aligned  DKIM Aligned
209.85.220.69        1020           0  Pass         Pass
209.85.220.69           0         105  Fail         Fail

Then you will, as indicated in your screenshot, only see 209.85.220.69 once, e.g.:

Source IP      DMARC Pass  DMARC Fail  SPF Aligned  DKIM Aligned
209.85.220.69        1020         105  Pass         Pass

I’m wondering if the precedence of the alignment statuses would be based on the higher result (e.g. the 1020’ish passing would win over the 105 that are failing), or if it simply takes precedence with the Pass over Fail, regardless of count.

In other words, if the numbers were the reverse, I wonder if the Fail would have taken precedence, e.g. like this:

Source IP      DMARC Pass  DMARC Fail  SPF Aligned  DKIM Aligned
209.85.220.69         105        1020  Fail         Fail

I do however see your confusion, as it doesn’t seem to give much clarity on the 105 messages that appear to have failed DMARC from that specific IP address.

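The two points made above, that DMARC only passes when SPF or DKIM both passes and aligns, and that a per-IP dashboard row collapses distinct per-record results into one line, can be reproduced from an aggregate (rua) report. The following is an added example, not code from the thread or from Cloudflare; the report XML is constructed, the IP 203.0.113.10 and domain example.org are placeholders, and relaxed alignment is simplified to a subdomain check against the header From domain rather than a public-suffix lookup.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed sample rua report (not a real one): one source IP, two records. The second is
# the "aligned but still failing" case: SPF aligned but did not pass, DKIM passed but unaligned.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.org</domain><adkim>r</adkim><aspf>r</aspf></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>1020</count></row>
  <identifiers><header_from>example.org</header_from></identifiers><auth_results>
  <dkim><domain>example.org</domain><result>pass</result></dkim>
  <spf><domain>example.org</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.10</source_ip><count>105</count></row>
  <identifiers><header_from>example.org</header_from></identifiers><auth_results>
  <dkim><domain>google.com</domain><result>pass</result></dkim>
  <spf><domain>example.org</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def aligned(auth_domain, header_from, mode):
    # RFC 7489 section 3.1: strict ("s") needs an exact match, relaxed ("r") also accepts
    # a subdomain. Simplification: header_from is taken to be the organizational domain.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h or (mode == "r" and a.endswith("." + h))

def check(rec, tag, header_from, mode):
    # For every <spf> or <dkim> result in a record: (any aligned, any aligned AND "pass").
    al = ok = False
    for r in rec.iterfind("auth_results/" + tag):
        a = aligned(r.findtext("domain"), header_from, mode)
        al, ok = al or a, ok or (a and r.findtext("result") == "pass")
    return al, ok

def evaluate(xml_text):
    # One tuple per <record>: (source_ip, count, spf_aligned, dkim_aligned, dmarc_pass).
    # DMARC passes only if SPF passed AND aligned, or DKIM passed AND aligned.
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    aspf, adkim = pol.findtext("aspf", "r"), pol.findtext("adkim", "r")
    out = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        spf_al, spf_ok = check(rec, "spf", hf, aspf)
        dkim_al, dkim_ok = check(rec, "dkim", hf, adkim)
        out.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")),
                    spf_al, dkim_al, spf_ok or dkim_ok))
    return out

def per_ip_summary(records):
    # Roll up to one row per IP, as a dashboard does: counts survive, the per-record reason does not.
    s = defaultdict(lambda: {"dmarc_pass": 0, "dmarc_fail": 0, "spf_aligned": False, "dkim_aligned": False})
    for ip, count, spf_al, dkim_al, ok in records:
        s[ip]["dmarc_pass" if ok else "dmarc_fail"] += count
        s[ip]["spf_aligned"] |= spf_al
        s[ip]["dkim_aligned"] |= dkim_al
    return dict(s)
```

Running `per_ip_summary(evaluate(SAMPLE_RUA))` yields a single row for 203.0.113.10 with 1020 passes, 105 failures and both alignment flags true, which is exactly the shape of the confusing row in the screenshot; only `evaluate()` still shows that the 105 failed because SPF did not pass and DKIM was not aligned.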

I’m personally using a regular email address, with a Google account tied to it, for my Google Calendar, and I suppose that some of these things may be because Google Workspace is doing certain things slightly differently when it has (full) access to the domain of Google Calendar invites and notifications.

But most messages that I find easily, with an envelope address on the mentioned host name “calendar-server.bounces.google.com”, all seem to originate from:

From: Google Calendar <[email protected]>

or

From: "John Doe (Google Calendar)" <[email protected]>

Meaning that @google.com should be the recipient of the DMARC reports.

However, when dealing with free Gmail addresses (@gmail.com), what I see is a matching header From: and SMTP MAIL FROM, like this:

Return-Path: <[email protected]>
Sender: Google Kalender <[email protected]>
From: John Doe <[email protected]>

For my regular email address, with a Google account tied to it, I can add that I once received a DMARC report, and was having the kind of moment like “who on earth is impersonating me now, ... I didn't send anything”.

The time frame for the DMARC report was consistent with a Google Calendar invite that I sent.

And it also turned out that it was a Google mail server, but that one did in fact “spoof” both my header From: (so I received the DMARC report) and also the SMTP MAIL FROM.

The DMARC report was from Microsoft Outlook.

So although I would say Google Calendar is related, when seeing that exact SMTP MAIL FROM, … it still doesn’t seem like we can count on (much) consistency from Google here.

It looks like depending on the situation at hand, such as e.g. Google Workspace, free Gmail, regular email account w/Google Account, … and so on, that things may change (slightly).