I have both SPF and DKIM enabled on my domain. This domain is for a small company and we only have the one server (hMailServer if anyone thinks it's relevant).
Recently I decided to enabled DMARC reporting and noticed something very peculiar about the results. Some messages pass DKIM and are DKIM aligned (and thus pass DMARC), but come from an IP address I was not expecting (and are failing SPF). As I understand it emails from my server should only come from my static IP (which i have a SPF record for).
If they were attempted spammers trying to use my domain then they should not pass the DKIM. After a bit of researched I decided to try rotating my DKIM key but it is still happening.
How could this be happening and should I be concerned about it?