My DMARC settings seem not to work as expected.

First, a few things to note:

  • The domain is mydomain.com (not the real one, obviously);
  • The domain and mail provider is gandi.net;
  • I use Amazon SES to send emails from a website using [email protected];
  • I use Gmail to send and receive emails for [email protected];

The SPF record is set as TXT on mydomain.com:

"v=spf1 include:_mailcust.gandi.net include:amazonses.com include:_spf.google.com ~all"
  • include:_mailcust.gandi.net allows gandi.net to send emails using mydomain.com;
  • include:amazonses.com allows amazonses.com to send emails using mydomain.com;
  • include:google.com allows google.com to send emails using mydomain.com;
  • ~all allows any other servers to send emails using mydomain.com but will result in an SPF check FAIL (softfail).

The DMARC record is set as TXT on _dmarc.mydomain.com:

"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:[email protected];"
  • p=quarantine delivers emails that failed an SPF/DKIM check and marks them as spam;
  • sp=reject rejects emails sent using an address with a subdomain like [email protected];
  • pct=5 applies the policy (p and not sp?) to 5% of emails;
  • fo=1 sends reports for DKIM failure OR SPF failure.

Now the weird things, in this DMARC RUA report:

  <record>
    <row>
      <source_ip>40.107.12.85</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>GovSIPF.onmicrosoft.com</domain>
        <result>pass</result>
        <selector>selector1-GovSIPF-onmicrosoft-com</selector>
      </dkim>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>administration.gov.pf</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  • The source IP 40.107.12.85 is from outlook.com, but I don't use Outlook;
  • There is a DKIM block with the domain GovSIPF.onmicrosoft.com; GovSIPF is one of my customers;
  • There is an SPF block with the domain administration.gov.pf, which is the domain they use for their email addresses like [email protected].

I don't understand why I see an SPF block with the domain administration.gov.pf. Does it mean that they sent an email with an address like [email protected] through outlook.com servers?


Another DMARC report a little different:

  <record>
    <row>
      <source_ip>202.90.68.50</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  • The source IP 202.90.68.50 is from mana.pf, a local ISP, but we don't use it.

    Consider having your DMARC reports processed by a dedicated software or service provider that will automatically issue notifications. Otherwise cost/benefit of reading them quickly becomes excessive. (Thanks for a well-formatted question with all relevant details quoted!)
    – anx
    Commented Oct 26, 2022 at 21:14

2 Answers

2

The source IP 40.107.12.85 is from outlook.com but I don't use outlook ;

The <source_ip> value is the IP where the original email came from.

It does not necessarily need to be a server you use.

There is a DKIM block with the domain GovSIPF.onmicrosoft.com, GovSIPF is one of my customer ;

DKIM check passed. This is a strong indication that the email was sent using Outlook.

Notice that there is a second DKIM pass auth block for mydomain.com too.

There is an SPF block with the domain administration.gov.pf(...)

SPF checks passed too. This means that the Outlook IP in <source_ip> is authorized to send emails *@administration.gov.pf.

(...)does it mean that they sent an email with an address like [email protected] through outlook.com servers ?

Yes.

And since you don't use Outlook, this most likely was a forwarded email sent from one of your servers. DMARC checks pass for the email because the DKIM authentication result for mydomain.com passes (the result is "in alignment").

1

You get the report when someone uses your From: and the recipient is respecting your request to have this reported. The report does not necessarily indicate which of those messages were newly originating from machines under your control, and which records pertain to your messages that have been forwarded. You have to process that report yourself with your local knowledge, ideally in some automated fashion. Note that you cannot with certainty tell which message it was, there might have been a significant delay between their receipt and forwarding - only limited by how long you have been using this DKIM key.

If they left your signature intact (DKIM for your domain is still passing), and your signature is signing a reasonable selection of headers, this does not indicate abuse. As long as your messages were not for legal reasons restricted in where they should be forwarded, there is nothing to do here.

does it mean that they sent an email with an address like [email protected] through outlook.com servers

Certainly looks like it, since your first example even has their signature added, and if you look up the SPF & MX records of that domain, you can tell they indeed usually use Outlook for both incoming and outgoing mail. Note that this does not have to have been a manual action; a mailbox in that domain might be set up to simply forward everything.
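Both answers rest on the same reasoning: DMARC passes when either DKIM or SPF passes with a domain aligned to the header From, and a record with an aligned DKIM pass but a failing SPF from an IP you never use is the signature of forwarding, not spoofing. The script below, an added example that is not part of either answer, applies that triage to the two records quoted in the question (embedded here as a constructed sample); it assumes relaxed alignment and approximates the organizational domain by the last two labels rather than a public-suffix list.

```python
"""Triage DMARC aggregate (RUA) <record> entries: compute RFC 7489 relaxed
alignment and flag records that look like forwarding rather than spoofing."""
import xml.etree.ElementTree as ET

# Constructed sample assembled from the two <record> blocks quoted in the question.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>40.107.12.85</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results>
<dkim><domain>GovSIPF.onmicrosoft.com</domain><result>pass</result><selector>selector1-GovSIPF-onmicrosoft-com</selector></dkim>
<dkim><domain>mydomain.com</domain><result>pass</result><selector>gm1</selector></dkim>
<spf><domain>administration.gov.pf</domain><result>pass</result></spf>
</auth_results></record>
<record><row><source_ip>202.90.68.50</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results>
<dkim><domain>mydomain.com</domain><result>pass</result><selector>gm1</selector></dkim>
<spf><domain>mydomain.com</domain><result>softfail</result></spf>
</auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels (no public-suffix list).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from):
    # Relaxed alignment: the organizational domains must match.
    return org_domain(auth_domain) == org_domain(header_from)

def triage_record(rec):
    header_from = rec.findtext("identifiers/header_from")
    # A DKIM or SPF result only counts for DMARC if it passed AND its domain aligns.
    dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), header_from)
                  for d in rec.findall("auth_results/dkim"))
    spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), header_from)
                 for s in rec.findall("auth_results/spf"))
    dmarc_pass = dkim_ok or spf_ok
    if dmarc_pass and not spf_ok:
        verdict = "likely forwarded: our DKIM signature survived, envelope sender is not ours"
    elif dmarc_pass:
        verdict = "authorized direct send"
    else:
        verdict = "unauthenticated: spoofing, or a legitimate sender missing from SPF/DKIM"
    return {"source_ip": rec.findtext("row/source_ip"), "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok, "dmarc_pass": dmarc_pass, "verdict": verdict}

def triage_report(xml_text):
    return [triage_record(r) for r in ET.fromstring(xml_text).iter("record")]
```

Feeding a real report's XML to triage_report gives one dict per record; the records in question both come out as DMARC pass via aligned DKIM with SPF unaligned, i.e. the forwarding case the answers describe.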
