spfdmarc

Email did not match DMARC policy, while SPF seems to match


I have a DMARC policy set for a domain like so, to combat email spoofing:

v=DMARC1;p=quarantine;rua=mailto:me@example.com;pct=100;ruf=mailto:me@example.com;fo=0:d:s;aspf=r;adkim=r;

Today I received a report that an email was rejected with the following message:

This is an email abuse report for an email message received from IP 209.85.128.47 on Wed, 13 May 2020 11:49:50 +0200.
The message below did not meet the sending domain's DMARC policy.

From what I understand, an email should only be rejected if it does not meet both the SPF-policy and the DKIM-policy. In fact, I should only receive failure reports if both policies do not match via fo=0:d:s. The SPF-policy of this domain is:

v=spf1 a mx include:_spf.google.com include:amazonses.com ip4:12.34.56.78 include:servers.mcsv.net -all

When I look up the SPF-record of _spf.google.com, it shows me:

v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all

When I then look up _netblocks.google.com, it shows me:

v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all

The IP that was rejected was 209.85.128.47, but it seems to be included in 209.85.128.0/17. Do I incorrectly understand DMARC policies, am I overlooking something, or did the receiving host do something odd?


Solution

  • SPF is always checked against the From Domain. Header From and From Domain are two different things. Header From is the part after the @ in the email address; in your case it's example.com. But SPF is checked against the From Domain; let's say in this case it is us-west-2.amazonses.com. DMARC also checks that the mail being sent has the same domain in Header From and From Domain, which is different in this case. That is the main reason it failed. This is known as SPF alignment in DMARC, and the same goes for DKIM as well.
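The alignment check described in the answer, as an added Python example that is not part of the original question or answer. It uses the ip4 ranges quoted in the question; the `org_domain` helper is a simplification (real receivers use the Public Suffix List), and the function names are hypothetical.

```python
import ipaddress

# ip4 mechanisms copied from the _netblocks.google.com record quoted in the question
NETBLOCKS = ["35.190.247.0/24", "64.233.160.0/19", "66.102.0.0/20", "66.249.80.0/20",
             "72.14.192.0/18", "74.125.0.0/16", "108.177.8.0/21", "173.194.0.0/16",
             "209.85.128.0/17", "216.58.192.0/19", "216.239.32.0/19"]

def ip_in_spf_networks(ip, networks=NETBLOCKS):
    """True if the connecting IP falls inside any ip4 mechanism."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption: real receivers consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from_domain, authenticated_domain, mode="r"):
    """DMARC identifier alignment: 'r' (relaxed) compares organizational
    domains, 's' (strict) requires an exact match."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(header_from, spf_result, mail_from_domain, dkim_result, dkim_d,
               aspf="r", adkim="r"):
    """DMARC passes if SPF or DKIM passes AND that identifier is aligned
    with the header From domain."""
    spf_ok = spf_result == "pass" and aligned(header_from, mail_from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_d, adkim)
    return spf_ok or dkim_ok

if __name__ == "__main__":
    # The reported IP is inside 209.85.128.0/17, so an SPF lookup can pass...
    print("IP in quoted ranges:", ip_in_spf_networks("209.85.128.47"))
    # ...but SPF is evaluated for the envelope (MAIL FROM) domain. If that is
    # us-west-2.amazonses.com (the answer's illustration) and there is no
    # aligned DKIM signature, DMARC for example.com still fails.
    print("DMARC pass:", dmarc_pass("example.com", "pass",
                                    "us-west-2.amazonses.com", "none", None))
    # Constructed case: envelope domain is a subdomain of example.com.
    print("relaxed:", dmarc_pass("example.com", "pass", "mail.example.com", "none", None))
    print("strict: ", dmarc_pass("example.com", "pass", "mail.example.com", "none", None,
                                 aspf="s"))
```
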