google-workspace spf dmarc

Why does my DMARC report show <spf>fail</spf> even though the SPF entry says <result>pass</result>?


I use Google Workspace with my domain and have set up DMARC, DKIM and SPF.

Regularly I get DMARC reports like the following, which is from Google:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>6415865656503842843</report_id>
    <date_range>
      <begin>1682985600</begin>
      <end>1683071999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>test.de</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>test.de</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>test.de</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>test.de</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>test.de</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>test.de</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>gmail.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

The IP 209.85.220.41 resolves to Google (mail-sor-f41.google.com.), which should be correct imho. Why does it say <spf>fail</spf> when the actual SPF entry says <result>pass</result>?

Is there anything wrong with this result? I have had trouble with my emails getting rejected.

Thank you!

I checked the domain with mxtoolbox and got (as expected)

Status Ok   DMARC Record Published  DMARC Record found
Status Ok   DMARC Policy Not Enabled    DMARC Quarantine/Reject policy enabled
Status Ok   DNS Record Published    DNS Record found

and

v=spf1 include:_spf.google.com ~all
Status Ok   SPF Record Published    SPF Record found
Status Ok   SPF Record Deprecated   No deprecated records found
Status Ok   SPF Multiple Records    Less than two records found
Status Ok   SPF Contains characters after ALL   No items after 'ALL'.
Status Ok   SPF Syntax Check    The record is valid
Status Ok   SPF Included Lookups    Number of included lookups is OK
Status Ok   SPF Type PTR Check  No type PTR found
Status Ok   SPF Void Lookups    Number of void lookups is OK
Status Ok   SPF MX Resource Records Number of MX Resource Records is OK
Status Ok   SPF Record Null Value   No Null DNS Lookups found

So I would expect all "pass" in the email reports.


Solution

  • It's an alignment failure. SPF passes for gmail.com, but this doesn't match the (organizational) domain that you used in the From address. See this similar answer.
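
The alignment check the answer describes can be reproduced offline. The following is an added example, not part of the original post or of any reporting tool: it recomputes the `policy_evaluated` values from `auth_results` and `header_from`. The sample XML is constructed from the second record in the question, the function names are hypothetical, and `org_domain` is a simplification that stands in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed to the fields alignment depends on, modelled on
# the second <record> of the report in the question.
SAMPLE = """<feedback>
  <policy_published>
    <domain>test.de</domain><adkim>r</adkim><aspf>r</aspf>
  </policy_published>
  <record>
    <row><policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>test.de</header_from></identifiers>
    <auth_results>
      <dkim><domain>test.de</domain><result>pass</result></dkim>
      <spf><domain>gmail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Simplification (assumption): last two labels. A real evaluator uses the
    # Public Suffix List, which matters for suffixes such as co.uk.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    modes = {m: (root.findtext(f"policy_published/a{m}") or "r") for m in ("dkim", "spf")}
    out = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from") or ""
        verdict = {"header_from": header_from}
        for mech in ("dkim", "spf"):
            # DMARC counts a mechanism only if it authenticated AND is aligned.
            ok = any(
                a.findtext("result") == "pass"
                and aligned(a.findtext("domain") or "", header_from, modes[mech])
                for a in rec.findall(f"auth_results/{mech}")
            )
            verdict[mech] = "pass" if ok else "fail"
            verdict[f"reported_{mech}"] = rec.findtext(f"row/policy_evaluated/{mech}")
        verdict["dmarc"] = "pass" if "pass" in (verdict["dkim"], verdict["spf"]) else "fail"
        out.append(verdict)
    return out
```

For the constructed record, SPF evaluates to fail because gmail.com is not aligned with test.de, while the aligned DKIM pass still yields an overall DMARC pass, consistent with the reported disposition of none.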