6

I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant).

Recently I decided to enable DMARC reporting and noticed something very peculiar about the results. Some messages pass DKIM and are DKIM aligned (and thus pass DMARC), but come from an IP address I was not expecting (and are failing SPF). As I understand it, emails from my server should only come from my static IP (which I have an SPF record for).

If they were attempted spammers trying to use my domain then they should not pass the DKIM. After a bit of research I decided to try rotating my DKIM key but it is still happening.

How could this be happening and should I be concerned about it?

Fr33dan

2 Answers

7

I work on the Postmark team and this is a question we get often. When DKIM passes and SPF fails like this, it's usually because of message forwarding.

For example, say someone from your domain sends to someone outside your domain, who then forwards their message to their Gmail account automatically. That message should pass DKIM, but not align with SPF because it originates from a source not in your policy.

Nothing out of the ordinary or to be too concerned about. More info here if you're interested.

shanerice
  • Thank you! It is something I was trying to understand for a long time. One question: this means DMARC usually has to be set to move to spam only if BOTH SPF and DKIM fail, doesn't it? – Gianpiero Aug 28 '19 at 11:04
1

This typically occurs when your email message has been forwarded.

As mentioned above, anytime someone forwards an email it may break SPF authentication or alignment.

We just finished creating The Ultimate Guide to DMARC Reporting in 2022.

We have a few DMARC examples that show you the difference between aggregate reports and failure (forensic) reports in case you wanted to learn more about DMARC.
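
An added example (not part of either answer, and not code from any product mentioned on this page): it sorts the rows of a DMARC aggregate report by the DKIM-pass / SPF-fail pattern that the answers attribute to forwarding, so the rows that pass neither check stand out. The report XML is constructed, the element names follow the RFC 7489 aggregate format without an XML namespace, and `classify` and `summarize` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout. The domain and the
# documentation-range IPs are placeholders, not values from the question.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>42</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>5</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def classify(dkim: str, spf: str) -> str:
    """Label a row from its DMARC-aligned DKIM and SPF results."""
    if dkim == "pass" and spf == "pass":
        return "direct"            # sent from a host listed in SPF, signature intact
    if dkim == "pass":
        return "likely-forwarded"  # signature survived relay through an unlisted host
    if spf == "pass":
        return "dkim-broken"       # listed host, but signature missing or modified
    return "unauthenticated"       # neither check passed: review this source


def summarize(report_xml: str) -> list[dict]:
    """Return one dict per <row>: source IP, message count, label, DMARC result."""
    rows = []
    for row in ET.fromstring(report_xml).iter("row"):
        dkim = row.findtext("policy_evaluated/dkim", default="fail")
        spf = row.findtext("policy_evaluated/spf", default="fail")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", default="0")),
            "label": classify(dkim, spf),
            # DMARC passes when either aligned mechanism passes.
            "dmarc_pass": "pass" in (dkim, spf),
        })
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_REPORT):
        print(f'{r["source_ip"]:<15} x{r["count"]:<4} {r["label"]:<17} '
              f'dmarc_pass={r["dmarc_pass"]}')
```

Aggregate reports usually arrive as gzip or zip attachments from outside parties, so decompress them with a size limit before handing the XML to a parser.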