We have set up DMARC and have been getting reports (policy is still set as "none"). I loaded them up in the DMARC XML-to-Human Converter (dmarcian.com) and most look great and 100% compliance. But we have gotten some from Google that showed up as Forwarder and some of those did not have DMARC compliance. I want to figure out if some of those are legit and things we need to work on, or they are correctly identified as non-compliant and would be rejected if we set policy to "reject".
I see dmarcian.com shows them as Gmail / Apps Forwarding.
In the XML, I see policy_evaluated shows a pass/fail for DKIM And SPF. Also auth_results shows a result for both as well. What are each of these? Why are they different sometimes? Is there no overall DMARC compliance tag? Which ones indicate DMARC compliance... the policy_evaluated?
In the 3 examples below, the source_ip is not our mail server's IP like for the rest of them. I've found it's actually Google's IP on these, except Example 4..
Example 1 Here is one example that looks bad, right? fail, fail in policy_evaluated. I don't recognize the other domain at all, except gappssmtp.com must be Google Apps I'm guessing.
<record>
<row>
<source_ip>209.85.220.69</source_ip>
<count>24</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>local_policy</type>
<comment>arc=pass</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<header_from>ourdomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>someotherdomain-com.notourselector.gappssmtp.com</domain>
<result>pass</result>
<selector>notourselector</selector>
</dkim>
<spf>
<domain>someotherdomain.com</domain>
<result>none</result>
</spf>
</auth_results>
</record>
Example 2 How about this? The otherdomain I actually recognize is the same domain as someone that we email with currently. Does this mean that they are trying to send as our domain or what? Or they forwarded an email they originally received from us (explaining why DKIM passed). But why does it show up here? I saw another one like this with a different domain matching that of someone we email with as well.
<record>
<row>
<source_ip>209.85.220.41</source_ip>
<count>7</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>ourdomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>ourdomain.com</domain>
<result>pass</result>
<selector>ourselector</selector>
</dkim>
<spf>
<domain>someotherdomain.com</domain>
<result>none</result>
</spf>
</auth_results>
</record>
Example 3
<record>
<row>
<source_ip>209.85.220.41</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>local_policy</type>
<comment>arc=pass</comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<header_from>ourdomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>ourdomain.com</domain>
<result>fail</result>
<selector>ourselector</selector>
</dkim>
<spf>
<domain>gmail.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
Example 4 I found this source_ip is associated with the domain that appears in the email address of someone we email with.
<record>
<row>
<source_ip>64.239.243.200</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>ourdomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>ourdomain.com</domain>
<result>pass</result>
<selector>ourselector</selector>
</dkim>
<spf>
<domain>ourdomain.com</domain>
<result>neutral</result>
</spf>
</auth_results>
</record>
Any help digesting these is greatly appreciated!