
Here are two records from reports, with the actual domain name of my client replaced with "example.com". In the first one, SPF is marked "fail" above under "policy_evaluated" and then "pass" below under auth_results. I find this confusing. This is email sent by a service the client pays for, so we do want these emails delivered if they are indeed legitimately coming from that service. Do I need to do more to have SPF set up for that service?

The second shows all failures (and the IP traces back to China, I believe, where we do not operate) so this should not be delivered. Why does Google mark this as "softfail" and not just "fail"?

  <record>  
    <row>   
      <source_ip>204.28.11.160</source_ip>  
      <count>1</count>  
      <policy_evaluated>    
        <disposition>none</disposition> 
        <dkim>pass</dkim>   
        <spf>fail</spf> 
      </policy_evaluated>   
    </row>  
    <identifiers>   
      <header_from>example.com</header_from>    
    </identifiers>  
    <auth_results>  
      <dkim>    
        <domain>example.com</domain>    
        <selector>sl1</selector>    
        <result>pass</result>   
      </dkim>   
      <spf> 
        <domain>bounces.salsalabs.org</domain>  
        <result>pass</result>   
      </spf>    
    </auth_results> 
  </record> 

  <record>
    <row>
      <source_ip>60.23.112.175</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>example.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
Paul
Devin Ceartas

1 Answer

The policy_evaluated section is referring to the alignment checks against the DMARC record. The results in this section communicate the results of the DMARC SPF and DKIM alignment checks, which are different from the SPF and DKIM checks.

The first record fails this test because the message is out of alignment with the SPF record. This is most commonly caused by not updating the SPF record with the sending server (or service).

If your current SPF record is:

v=spf1 a mx ~all

And you use a separate sending server at IP address 203.0.113.158, a newsletter service that advises to include their SPF record at _spf.example.net, and a separate messaging service that advises to include 192.0.2.0/24, then your SPF record would be:

v=spf1 a mx ip4:203.0.113.158 ip4:192.0.2.0/24 include:_spf.example.net ~all

Note the disposition is none because you have your requested mail receiver policy tag and value set to none (p=none), so your DMARC record will not be enforced by receiving servers. You probably have a policy something like:

v=DMARC1; p=none; rua=mailto:username@example.com

The none policy should be used while evaluating a record or new service. To enforce this policy, the record can be changed to quarantine, which instructs receiving servers to place failed messages in the spam folder, or reject, which instructs receiving servers to discard the message.

v=DMARC1; p=quarantine; rua=mailto:username@example.com

The auth_results section is referring to the SPF check. SPF check failure type is determined by the qualifier published in your SPF record, which based on the report is currently softfail (~).

To switch to fail if currently using the ~ qualifier with something like:

v=spf1 a mx ~all

Switch to the fail qualifier (-) for checks that do not match:

v=spf1 a mx -all
Paul
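
An added example (not part of the original answer, and not code from any mail receiver or DMARC tool): a Python sketch that re-derives the policy_evaluated values from auth_results for the two records in the question, showing that SPF passed for bounces.salsalabs.org while header_from is example.com. The <feedback> wrapper, the function names and the two-label organizational-domain shortcut are assumptions made here; real evaluators use the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two records from the question, compacted and wrapped in one root.
SAMPLE = """<feedback>
<record><row><source_ip>204.28.11.160</source_ip><count>1</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results>
  <dkim><domain>example.com</domain><selector>sl1</selector><result>pass</result></dkim>
  <spf><domain>bounces.salsalabs.org</domain><result>pass</result></spf>
 </auth_results></record>
<record><row><source_ip>60.23.112.175</source_ip><count>1</count><policy_evaluated>
  <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results>
  <spf><domain>example.com</domain><result>softfail</result></spf>
 </auth_results></record>
</feedback>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels (no Public Suffix List lookup).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned_pass(results, header_from):
    """Relaxed alignment: some result is 'pass' for a domain in header_from's organization."""
    return any(
        r.findtext("result") == "pass"
        and org_domain(r.findtext("domain", "")) == org_domain(header_from)
        for r in results
    )

def explain(record):
    """Compare raw auth_results with the aligned (DMARC) outcome for one record."""
    header_from = record.findtext("identifiers/header_from")
    auth = record.find("auth_results")
    out = {"source_ip": record.findtext("row/source_ip")}
    for mech in ("spf", "dkim"):
        results = auth.findall(mech)  # may be empty, e.g. no DKIM signature seen
        out[mech] = {
            "raw": [(r.findtext("domain"), r.findtext("result")) for r in results],
            "dmarc": "pass" if aligned_pass(results, header_from) else "fail",
            "reported": record.findtext(f"row/policy_evaluated/{mech}"),
        }
    # DMARC passes when either mechanism passes with alignment.
    out["dmarc_pass"] = "pass" in (out["spf"]["dmarc"], out["dkim"]["dmarc"])
    return out

def analyze(xml_text):
    return [explain(r) for r in ET.fromstring(xml_text).iter("record")]

if __name__ == "__main__":
    for row in analyze(SAMPLE):
        print(row)
```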