I have a DMARC policy set for a domain like so, to combat email spoofing:
v=DMARC1;p=quarantine;rua=mailto:me@example.com;pct=100;ruf=mailto:me@example.com;fo=0:d:s;aspf=r;adkim=r;
Today I received a report that an email was rejected with the following message:
This is an email abuse report for an email message received from IP 209.85.128.47 on Wed, 13 May 2020 11:49:50 +0200.
The message below did not meet the sending domain's DMARC policy.
From what I understand, an email should only be rejected if it does not meet both the SPF-policy and the DKIM-policy. In fact, I should only receive failure reports if both policies do not match via fo=0:d:s.
The SPF-policy of this domain is:
v=spf1 a mx include:_spf.google.com include:amazonses.com ip4:12.34.56.78 include:servers.mcsv.net -all
When I look up the SPF-record of _spf.google.com, it shows me:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
When I then look up _netblocks.google.com, it shows me:
v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all
The IP that was rejected was 209.85.128.47, but it seems to be included in 209.85.128.0/17. Do I incorrectly understand DMARC policies, am I overlooking something, or did the receiving host do something odd?
SPF is always evaluated against the From Domain. Header From and From Domain are 2 different things. Header From is the part after @ in the email address. In your case it's example.com. But what happens is that SPF is checked against the From Domain. Let's say in this case it is us-west-2.amazonses.com. DMARC also checks that the mail being sent has the same domain in Header From and From Domain, which is different in this case. That is the main reason it failed. It is known as SPF alignment in DMARC, and the same goes for DKIM as well.
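The alignment rule this answer describes, as an added example (not code from the original post): the IP can match the SPF ranges and DMARC can still fail when the domain SPF authenticated (the answer's "From Domain") is unrelated to the Header From domain. Assumptions: `org_domain` is a simplified stand-in for a Public Suffix List lookup, `us-west-2.amazonses.com` is the answer's hypothetical, and `bounce.example.com` is a constructed value.

```python
import ipaddress

# Records copied from the question above.
DMARC_RECORD = ("v=DMARC1;p=quarantine;rua=mailto:me@example.com;pct=100;"
                "ruf=mailto:me@example.com;fo=0:d:s;aspf=r;adkim=r;")
NETBLOCKS = ("v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 "
             "ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 "
             "ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 "
             "ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all")

def parse_tags(record):
    """Split a DMARC record into a tag -> value dict."""
    pairs = (p.partition("=") for p in record.split(";") if p.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}

def ip_in_spf(ip, spf_record):
    """True if ip matches an ip4: mechanism of this one record (include: is not followed)."""
    addr = ipaddress.ip_address(ip)
    nets = [t[4:] for t in spf_record.split() if t.startswith("ip4:")]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (this is wrong for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """mode 's' needs an exact match, 'r' only the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_pass(header_from, spf, dkim, tags):
    """spf and dkim are (result, authenticated domain) tuples; dkim may be None."""
    spf_ok = spf[0] == "pass" and aligned(header_from, spf[1], tags.get("aspf", "r"))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(header_from, dkim[1], tags.get("adkim", "r")))
    return spf_ok or dkim_ok

if __name__ == "__main__":
    tags = parse_tags(DMARC_RECORD)
    print(ip_in_spf("209.85.128.47", NETBLOCKS))  # the IP is inside the listed ranges
    # SPF passes, but for a domain unrelated to the Header From, and no DKIM signature:
    print(dmarc_pass("example.com", ("pass", "us-west-2.amazonses.com"), None, tags))
    # Constructed case: envelope domain is a subdomain of the Header From domain.
    print(dmarc_pass("example.com", ("pass", "bounce.example.com"), None, tags))
```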