I recently received a DMARC report from Google alerting me of a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our domain with example.com.):
<record>
<row>
<source_ip>54.240.27.187</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>example.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>example.com</domain>
<result>pass</result>
</dkim>
<dkim>
<domain>amazonses.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>mail.example.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
Is SPF failing because the header_from
value is example.com
while the SPF domain
value is mail.example.com
?
We use Amazon WorkMail and Amazon SES to send both manual and automated email. The From address
is usually webmaster@example.com
, and we have set our MAIL FROM
domain to mail.example.com
. Therefore I am a little puzzled as to why Google would report the header_from
domain as example.com
rather than mail.example.com
. We have set an appropriate SPF record for both example.com
and mail.example.com
.
Also, I tried sending test emails to a Gmail address using both Amazon WorkMail and Amazon SES. In both cases, SPF passed, as did DKIM and DMARC.