My DMARC settings seems to not work as expected.
First, a few things to note:
- The domain is
mydomain.com
(not the real one obviously) ; - The domain and mail provider is
gandi.net
; - I use Amazon SES to send emails from a website using
[email protected]
; - I use Gmail to send and receive emails for
[email protected]
;
The SPF record is set as TXT
on mydomain.com
:
"v=spf1 include:_mailcust.gandi.net include:amazonses.com include:_spf.google.com ~all"
include:_mailcust.gandi.net
allows gandi.net to send emails usingmydomain.com
;include:amazonses.com
allows amazonses.com to send emails usingmydomain.com
;include:google.com
allows google.com to send emails usingmydomain.com
;~all
allows any other servers to send emails usingmydomain.com
but will result in an SPF check FAIL (softfail)
The DMARC record is set as TXT
on _dmarc.mydomain.com
:
"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:[email protected];"
p=quarantine
delivers emails that failed a SPF/DKIM check and mark them as spam ;sp=reject
rejects emails sent using an address with a subdomain like[email protected]
;pct=5
applies the policy (p
and notsp
?) to 5% of emails ;fo=1
sends reports for DKIM failure OR SPF failure ;
Now the weird things, in this DMARC RUA report:
<record>
<row>
<source_ip>40.107.12.85</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>GovSIPF.onmicrosoft.com</domain>
<result>pass</result>
<selector>selector1-GovSIPF-onmicrosoft-com</selector>
</dkim>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>gm1</selector>
</dkim>
<spf>
<domain>administration.gov.pf</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
- The source IP
40.107.12.85
is fromoutlook.com
but I don't use outlook ; - There is a DKIM block with the domain
GovSIPF.onmicrosoft.com
, GovSIPF is one of my customer ; - There is an SPF block with the domain
administration.gov.pf
which is the domain they use for their email addresses like[email protected]
;
I don't understand why I see a SPF block with the domain administration.gov.pf
, does it mean that they sent an email with an address like [email protected]
through outlook.com servers ?
Another DMARC report a little different:
<record>
<row>
<source_ip>202.90.68.50</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>gm1</selector>
</dkim>
<spf>
<domain>mydomain.com</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
- The source IP
202.90.68.50
is frommana.pf
, a local ISP but we don't use it ;