Forwarded fedex emails sent to spam. spf and dkim passed, dmarc failed

recently i had some legit fedex emails sent to my custom email and forwarded by Cloudflare email routing to my gmail. all ended in the spam folder with various red or orange warnings about spam or phishing.

on closer inspection (show original), all these emails had passed spf and dkim but not dmarc.

spf was Cloudflare’s ip which is expected.

dkim was Cloudflare’s domain email.cloudflare.net.

hard to believe that fedex messages wouldn’t have dkim headers to begin with, but does Cloudflare add its own dkim, if dkim is missing from the message headers? if so, should it?

and still wonder how both spf and dkim had passed, but dmarc had failed, possibly causing the messages to be labeled as spam.

DMARC evaluates SPF and DKIM in relation to the domain in the RFC 5322 from field, aka the message body from. It is possible to pass raw SPF and raw DKIM and fail DMARC.

What domain is present in From address displayed in your Gmail?

in case anyone interested, here’s the full header. some pid masked with *:

> Delivered-To: r********[email protected]
> Received: by 2002:a05:7011:383:b0:2d6:c215:650d with SMTP id hm3csp1750120mdb;
>         Tue, 7 Jun 2022 11:28:54 -0700 (PDT)
> X-Google-Smtp-Source: ABdhPJwRS5kotgDDOSciHZaN1WFpBSw4uDLSfa7rjAnz/iPh6s5lMewxsEIiAzr7VitRoAp0Z43X
> X-Received: by 2002:a37:9a06:0:b0:6a6:839f:c34d with SMTP id c6-20020a379a06000000b006a6839fc34dmr18594923qke.154.1654626534606;
>         Tue, 07 Jun 2022 11:28:54 -0700 (PDT)
> ARC-Seal: i=1; a=rsa-sha256; t=1654626534; cv=none;
>         d=google.com; s=arc-20160816;
>         b=pPB1kwOiz+wnJ1uBPPI3HE6yiC+IaAxXGrsqlrK2+192fbrYDsmymhqgyvbYzs+3Fe
>          yoivzKjWIBNKstcl4rL2rQjWadCYpkRLxMnDTpZgHgReL/RJqVPtMXLBpBXxHy5Pa9ws
>          noxyEbOtOWvlO74AfMCRjYUWmHmT0eQKQq9N942LjPAH7bdEy2jFM8uZYEPwWKIwHTng
>          EeCUMYMCKajZwHr4DJEfvPuNlSBhSutZ1XTXrt0otN8PA68H1p6fezHR6gfSHf/4NbtD
>          mTd6D3NioDcrvR8vx9SvaK+7lA3nWBhcmVJpdDXCgBZ50flYaw2hd5LsAPhcOx0RRlOW
>          nBdg==
> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
>         h=mime-version:subject:message-id:to:reply-to:from:date
>          :dkim-signature:dkim-signature;
>         bh=qzS6zufXLn08toNFAubIj/eOlogEr77RiyDQesgzsc4=;
>         b=BD/EkEBXmDyOcsyeFbu9By6+2Il4EpgwDQx8sDdsh4izreKUELryVWJf5hY0P3PQrj
>          gCt3knvAqZH7OlNSws9jx4/dMjz8FJnMU+h2I5qY0uI6+UahiZmaHxTbcjmimbpuAoVg
>          4Z39I4aoGqAy1kpdi5P8RdJyf01XYgDIRKf0b/7tt7hbW9mZMNdetKKjVtEovX/t38TL
>          IngDRJjIU3Ryluq82u8uxIG1GCg8ZOsyoKaVqPIIGqjtfVbBNar+lxJXjuVrrGqo/hB2
>          uBwDg/rs/Cq8SpOaLvHQjgwq9XFx2+r+V3KaCSRxPigiE2Y0TFI4pwUrYdqJJvaY+P1I
>          zSog==
> ARC-Authentication-Results: i=1; mx.google.com;
>        dkim=pass [email protected] header.s=2022 header.b=d8qr2DPj;
>        dkim=neutral (body hash did not verify) [email protected] header.s=smtp-out header.b=XIPbPjiw;
>        spf=pass (google.com: domain of [email protected]********n.com designates 104.30.4.4 as permitted sender) [email protected]********n.com;
>        dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=fedex.com
> Return-Path: <[email protected]********n.com>
> Received: from e-e.email.cloudflare.net (e-e.email.cloudflare.net. [104.30.4.4])
>         by mx.google.com with ESMTPS id i21-20020a05620a249500b006a66f3d3dd7si10118335qkn.432.2022.06.07.11.28.54
>         for <r********[email protected]>
>         (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
>         Tue, 07 Jun 2022 11:28:54 -0700 (PDT)
> Received-SPF: pass (google.com: domain of [email protected]********n.com designates 104.30.4.4 as permitted sender) client-ip=104.30.4.4;
> Authentication-Results: mx.google.com;
>        dkim=pass [email protected] header.s=2022 header.b=d8qr2DPj;
>        dkim=neutral (body hash did not verify) [email protected] header.s=smtp-out header.b=XIPbPjiw;
>        spf=pass (google.com: domain of [email protected]********n.com designates 104.30.4.4 as permitted sender) [email protected]********n.com;
>        dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=fedex.com
> Received: from mta.message.fedex.com (136.147.178.149)
>         by email.cloudflare.net (unknown) id 2WoSYJ7ujkqk
>         for <r*****@********n.com>; Tue, 07 Jun 2022 18:28:53 +0000
> Received-SPF: pass (mx.cloudflare.net: domain of [email protected]dex.com designates 136.147.178.149 as permitted sender)
>    helo="mta.message.fedex.com"; envelope-from="[email protected]dex.com";
> Authentication-Results: mx.cloudflare.net; spf=pass; dkim=fail (body hash did not verify); dmarc=pass;
> DKIM-Signature: v=1; a=rsa-sha256; d=email.cloudflare.net; s=2022; c=relaxed/relaxed; bh=qzS6zufXLn08toNFAubIj/eOlogEr77RiyDQesgzsc4=; h=from:reply-to:subject:date:to; t=1654626534; b=d8qr2DPjePyttbGK/drNXiOjkExsOvseNyTIcJbH43KSxkdcsk6U5MTimHOI0dBhu4Ne00kPEPJH8sHu0b5MIBkqLbzRno9+WOZNBhfKBIsn63+T7z+cZ6h0eZQsdPtl+2yVpSbq1Zzxle3hpOfwDadA4Qjx+mLEVxvHIp9/Dj+L9CPl/OFBGpZ4nAx8PyjvDS7GGeKfPS/+R+m5Nb6HwlYFOb+qnsAk32Nz+Hjqu6VFnV+C5qkABJxnYfGwNxZQltDSAstEtBoU3UagBxrWeAcMSeuQlC5dN1/o/E6SkIG1RMAMHXlp9uVO5Vias8GPtTAknlphtKxv6YuHGMWoqg==;
> Received: by mta.message.fedex.com id hjucec2fmd40 for <r*****@********n.com>; Tue, 7 Jun 2022 18:28:53 +0000 (envelope-from <[email protected]dex.com>)
> X-Virus-Scanned: amavisd-new at orionsmtp-136.s7.exacttarget.com
> Authentication-Results: orionsmtp-136.s7.exacttarget.com (amavisd-new); dkim=pass (2048-bit key) header.d=fedex.com
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fedex.com; h=date : from : reply-to : to : message-id : subject : mime-version : content-type; s=smtp-out; bh=MNoc47QenLmNElyj9obd0XE3Je0Kw2o4zEJkU9/UX9Y=; b=XIPbPjiwLfyCoWd7Dl0vvw+IdJOZMJvM45lK+Mjz4cH256F4BOIg4BZtsIuLW/xnOVuV TvlijnxOfcpNQ/MD6mMMc7i/6kkCVdd9m5y8LYJ0gjo5PwwAcADNaYBsr45Rcxt4lbwd mzjVQoKtaPpc6f6XQO18LxFule2ub3ziH5N4lLClYUzDrtQUTBSuONTb+BGrtpqdwz/Z kKp9KY5H1/hB27h33KyrQLT21v8ZY5zw4MAgo0+dYfXRg4I0Foc6SODzcGtxeySz8jrc ce1CwPPOFWhf1Dyv7d7G6vFXnwu3kB5lbT9u4G2EBQO38CwlRapPq3yOyLrX1jGc2qxE lQ==
> Date: Tue, 07 Jun 2022 12:28:53 -0600
> From: FedEx Delivery Manager <[email protected]>
> Reply-To: [email protected]
> To: r*****@********n.com
> Message-ID: <[email protected]>
> Subject: FedEx Shipment 9116********: Your package has been delivered
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary="----=_Part_32898_2092533202.1654626493582"
> X-FX-NDS-2-SF: erFoc+0hC64=
> X-FX-NDS-ID: Bg5Ll9VUztpOoSmFoLGwbN088cgAvBOhxjGXuEYUJMjQemQ1QcXj4A==
> X-FX-NDS-MSG-POS: t3PMvj8ykslkGim8WXulpOv5sWAYVehoKxhq//IGqrsGSAcf/tayIaZtRJKBSaaQ0HpkNUHF4+A=
> X-FX-NDS-MSG-ID: Krkw9BA3OjLzNQsx+2t7jMMsYRxyEQu3/9TrGnlgu4eAv3mkRFWJsQ==
> X-FX-NDS-ORIGIN: XWeebQJlH3Q=
> X-FX-NDS-ORIGIN-GENESIS: +h325+JKbu0=
> X-FX-NDS-RG-LG-ENV: UzL99LvXCAM=
> X-FX-NDS-LEVEL-ENV: R+mLbZi/7ko=
> X-FX-NDS-CLIENT-ID-ENCRYPT: +d3No9Nw3JsKam1V0IPRcqiiJe1ysMOjg+1QmraIN5iLUegk5hRjtNIeZvqnOQKCo5JstleNjry/CRLF_NEWLINEufHDhKa5YaMXk617TYRD+B9uk2VwXDmsqzEIe/DkjC+TWLs9OATSX9CRqs6tO+Y0ebVyHxeb3KiFCRLF_NEWLINER2r66RZyJc055b5Zv9tUd/kr50yq46OnMe7Wx9mRQTUueSNPSxAhJ9Cepj/BtlQVAy7GtN1auYLBCRLF_NEWLINEU3gUw26Hv6oGqBvK3UnJKta1yv0PzfoNJl+d1/r7INucB1gYupSP9KczHD8nH4BFncQNfWCD7VCaCRLF_NEWLINEtog3mItR6CTmFGO00h5m+qc5AoL6HCxL7cDsrdBeJSOHttypHsbrxjdQYv7P068fPKF6I/oJ/7ptCRLF_NEWLINE6pdOBZgFNeg3cWDWudA6xfq8HbSNLLvutVtP6+mYrULp2aSArwimIC+XJme0KlaQFKOvBzpaT7rKCRLF_NEWLINEoOICGILGv8fW+Uu4sGSIMFBVckBiS+Jx0BGZ7mYARc1mirgv7VWeTekZ5aaq85VHZnhn8UcVRRqHCRLF_NEWLINEwoG95YFItBJkBqGF8bqfzFoxh3iLmQqadiRx687RgYg4Nr+HE01Vkj0Oa9BkCM7B/np8BNexr4XUCRLF_NEWLINEoVPTImzBSSD4Wzp9gDKuVFq2FLCV61qAi01xs59bq2y+e8h0ygp5MO7rW2H4Mt3qNzvlNPx/HijtCRLF_NEWLINEjvVvAYAJ4W1hfOEukoFX/3JF1gOlogm+LnSiCuIMsZHCCqK8OhwT1HOIR/QVam6uJu9ZBS2okg==
> X-Proofpoint-GUID: 9A1hGUb2ho6L2nTEe2ln7UtKEAjuQl5s
> X-Proofpoint-ORIG-GUID: 9A1hGUb2ho6L2nTEe2ln7UtKEAjuQl5s
> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517,18.0.874 definitions=2022-06-07_08:2022-06-07,2022-06-07 signatures=0
> X-Proofpoint-Spam-Reason: safe
> x-job: 7234667_4033

Your headers confirm what I already suggested. The RFC 5322 from domain is fedex.com which cannot be validated by SPF when using a forwarding service, and the DKIM signature for the FedEx key matching the selector named ‘smtp-out’ does not pass.

Authentication-Results: mx.cloudflare.net; spf=pass; dkim=fail (body hash did not verify); dmarc=pass;

Above are the authentication results as recorded by Cloudflare upon receipt of the message. You can see that the DKIM fails due to the body has not validating. This means that any downstream DMARC checks will fail.

Since you are using the free consumer Gmail service to provide the destination mailbox, it is likely that there isn’t anything that you can do to fix this, as you can’t configure how Gmail handles DMARC on their platform.

It is most plausible that FedEx is DKIM signing on their MTA and the message body is then altered by an outbound filter running on Proofpoint which breaks the hash. You could attempt to let them know about this possibility, but I would set realistically low expectations.

thanks mate, thought as you did, so i looked up this email item in the activity log section of Cloudflare’s email routing page.

both spf and dkim status showed ‘pass’, which leads me to believe that when the email arrived at Cloudflare everything was honky dory.

then somewhere between Cloudflare and gmail something got altered causing the dkim failure.

it’s not beyond impossible that the error is with fedex or their providers, but with a company of that size and resources and email being so critical to their operation it seems a bit implausible.