google-workspace spf dmarc

Why does my dmarc report show <spf>fail</spf> even though the spf entry says <result>pass</result>?


I use Google Workspace with my domain and have set up dmarc, dkim and spf.

Regularly I get dmarc reports like the following, which is from Google:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>6415865656503842843</report_id>
    <date_range>
      <begin>1682985600</begin>
      <end>1683071999</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>test.de</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>test.de</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>test.de</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>test.de</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf> <!-- highlighted by the poster -->
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>test.de</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>test.de</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf> <!-- highlighted by the poster -->
        <domain>gmail.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

The IP 209.85.220.41 resolves to Google (mail-sor-f41.google.com.), which should be correct imho. Why does it say fail when the actual SPF entry says pass?

Is there anything wrong with this result? I have had trouble with my emails getting rejected.

Thank you!

I checked the domain with mxtoolbox and got (as expected)

Status Ok | DMARC Record Published | DMARC Record found
Status Ok | DMARC Policy Not Enabled | DMARC Quarantine/Reject policy enabled
Status Ok | DNS Record Published | DNS Record found

and

v=spf1 include:_spf.google.com ~all

Status Ok | SPF Record Published | SPF Record found
Status Ok | SPF Record Deprecated | No deprecated records found
Status Ok | SPF Multiple Records | Less than two records found
Status Ok | SPF Contains characters after ALL | No items after 'ALL'.
Status Ok | SPF Syntax Check | The record is valid
Status Ok | SPF Included Lookups | Number of included lookups is OK
Status Ok | SPF Type PTR Check | No type PTR found
Status Ok | SPF Void Lookups | Number of void lookups is OK
Status Ok | SPF MX Resource Records | Number of MX Resource Records is OK
Status Ok | SPF Record Null Value | No Null DNS Lookups found

So I would expect all "pass" in the email reports.


Solution

  • It's an alignment failure. SPF passes for gmail.com, but this doesn't match the (organizational) domain that you used in the From address. See this similar answer.
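
The alignment check described in the answer, as an added example (not code from the original post or from any report generator): it recomputes the aligned SPF/DKIM verdicts from `auth_results` and `header_from`. The sample report is constructed from the question's values, and `org_domain` is a hypothetical, simplified stand-in for a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET  # for untrusted real reports, prefer defusedxml

def _record(spf_domain):  # constructed sample record, shaped like the question's
    return f"""<record>
  <row><source_ip>209.85.220.41</source_ip><count>2</count></row>
  <identifiers><header_from>test.de</header_from></identifiers>
  <auth_results>
    <dkim><domain>test.de</domain><result>pass</result></dkim>
    <spf><domain>{spf_domain}</domain><result>pass</result></spf>
  </auth_results>
</record>"""

SAMPLE = ("<feedback><policy_published><domain>test.de</domain>"
          "<adkim>r</adkim><aspf>r</aspf></policy_published>"
          + _record("test.de") + _record("gmail.com") + "</feedback>")

def org_domain(name):
    # Assumption: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List (needed for names like example.co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def evaluate(report_xml):
    """Recompute the DMARC (aligned) SPF/DKIM verdict for every record."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {m: pol.findtext("a" + m) or "r" for m in ("spf", "dkim")}
    out = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        v = {"header_from": hf}
        for mech in ("spf", "dkim"):
            # A raw "pass" only counts for DMARC if its domain aligns with From.
            ok = any(r.findtext("result") == "pass"
                     and aligned(r.findtext("domain"), hf, modes[mech])
                     for r in rec.findall(f"auth_results/{mech}"))
            v[mech] = "pass" if ok else "fail"
        v["spf_domains"] = [r.findtext("domain") for r in rec.findall("auth_results/spf")]
        v["dmarc"] = "pass" if "pass" in (v["spf"], v["dkim"]) else "fail"
        out.append(v)
    return out

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE):
        print(verdict)
```

The second record comes out as `spf: fail` with `dmarc: pass`, matching the report: SPF authenticated gmail.com rather than test.de, while the aligned DKIM signature still satisfied DMARC.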