I'm trying to properly set up DKIM, SPF, and DMARC so emails sent from my server are less likely to be seen as spam. I got my first DMARC report and I'm a little confused by this part:

  <record>
    <row>
      <source_ip>2a00:1450:400c:c05::236</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>gmail.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>gmail.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

For the moment, please ignore the DKIM part... I'm working on that. The confusing part is the SPF part. I set that to v=spf1 include:_spf.google.com a ~all on my domain. Using dig I can see that ip6:2a00:1450:4000::/36 should be included as an allowed sender on _netblocks2.google.com which is included by _spf.google.com.

In the rest of the report it seems that the IPv4 addresses are all passing the SPF test, but all of the IPv6 addresses are failing. Am I doing anything wrong or is this a bug on Google's side?

Tim Tisdall

1 Answer

I think you're running into a problem with domain alignment. Your header-from is example.com. However, the envelope-from is gmail.com. And it's the envelope that gets evaluated for SPF domain alignment, and since it doesn't match your domain, it fails for DMARC.

The fix is one of two options:

  1. Have the envelope-from be your domain. Probably not terribly possible if you're outsourcing your mail handling to Google.

  2. Get DKIM working. That way, DKIM records should align and pass, and DMARC on the whole will be considered a pass.

See Also: DMARC.org's FAQ.

Christopher Karel
  • okay, I think this seems to be the case... I'm sending emails in gmail with my domain name as the "from". The email is sent through gmail servers and it adds a "Sender:" with my gmail address on it. Am I understanding that correctly? – Tim Tisdall Aug 07 '14 at 20:59
  • Yeah, that's a decent way of seeing it. More accurately, there are two types of "From" in every E-Mail. Gmail changes one to be your domain, but keeps the other as themselves. Since those two don't match, DMARC considers SPF a failure. – Christopher Karel Aug 08 '14 at 20:15
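
The alignment check described in the answer, as an added example that is not part of the original thread: it re-derives the DMARC verdict for each record from `auth_results` and `header_from`, showing why a raw SPF/DKIM `pass` for gmail.com is still reported as `fail`. The function names are hypothetical, the second record is constructed, and the organizational domain is approximated by the last two labels (an assumption; real evaluators use the Public Suffix List and honor strict alignment).

```python
import xml.etree.ElementTree as ET

# First record is the one from the question. The second is constructed to show
# the outcome once DKIM signs with the header-from domain (answer's option 2).
REPORT = """<feedback>
  <record>
    <row><source_ip>2a00:1450:400c:c05::236</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>gmail.com</domain><result>pass</result></dkim>
      <spf><domain>gmail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>2001:db8::25</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>gmail.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels stand in for the organizational domain.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned_pass(record, mech, header_from):
    # A mechanism counts for DMARC only if it passed AND its domain shares
    # the organizational domain of the header From (relaxed alignment).
    return any(
        n.findtext("result") == "pass"
        and org_domain(n.findtext("domain", "")) == org_domain(header_from)
        for n in record.findall(f"auth_results/{mech}"))

def evaluate(xml_text):
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        hf = rec.findtext("identifiers/header_from", "")
        spf, dkim = aligned_pass(rec, "spf", hf), aligned_pass(rec, "dkim", hf)
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "spf_aligned": spf, "dkim_aligned": dkim,
                     "dmarc": "pass" if (spf or dkim) else "fail"})
    return rows

if __name__ == "__main__":
    for row in evaluate(REPORT):
        print(row)
```

Aggregate reports arrive from third parties, so real ones should be read with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.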