Google DMARC Support, DKIM and SPF fail

This morning I received my second email from noreply-dmarc-support and I really don’t understand why. I have tried looking it up and I have seen through forums here that it has to do with emails, but I haven’t sent anything. Would this mean someone tried filling out my form on my website and it didn’t go through? I am new to all of this and don’t know coding so when I was sent the code it meant a whole lot of nothing to me. It said

<dkim>fail</dkim>
<spf>fail</spf>

which I’m assuming is bad because it says fail. Can anyone tell me why I’m receiving this and how to fix this if it’s a problem please? This is the full email it sent:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>9553516014094530914</report_id>
    <date_range>
      <begin>1603756800</begin>
      <end>1603843199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>celestelili.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>72.167.234.241</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>celestelili.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>p3nlwpweb453.prod.phx3.secureserver.net</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Yes, this is a problem. It shows that some of your legitimate email is being rejected as spam.

Let us take a quick look at how your domain's mail is configured in the DNS.

$ host celestelili.com
celestelili.com has address 72.167.241.46
celestelili.com mail is handled by 0 celestelili-com.mail.protection.outlook.com.

We see here that you have a server (presumably a web server) at 72.167.241.46, and that your domain's mail is handled by Office 365.

But now let us look at your SPF record.

$ host -t txt celestelili.com
celestelili.com descriptive text "v=spf1 include:spf.protection.outlook.com -all"
# (other TXT records omitted)

Your SPF record says that the only legitimate mail from your domain will be sent by Office 365.

Now let's look at the DMARC report you got. The interesting bit is the single record:

  <record>
    <row>
      <source_ip>72.167.234.241</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>celestelili.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>p3nlwpweb453.prod.phx3.secureserver.net</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>

This record shows that Google received some email that was from GoDaddy's SMTP servers, presumably sent from your web site, but it was sent directly from GoDaddy's server, not from Office 365.

As you recall, the SPF record says that only Office 365 can send mail for your domain. Not your web server or any other server. This is why it gets marked as spam, and why you received this DMARC report.


Presumably your own web site should be allowed to send email for your domain. So you can fix the problem by adding GoDaddy's SPF record include to your SPF record.

So, your old SPF record is:

v=spf1 include:spf.protection.outlook.com -all

And it should change to:

v=spf1 include:secureserver.net include:spf.protection.outlook.com -all
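The reading of the report above can be automated. The following is an added example, not part of the original answer: a small Python parser that lists each record in a DMARC aggregate report where neither DKIM nor SPF passed, with the reason per mechanism. The names `aligned` and `failing_sources` are hypothetical, the sample is the question's report trimmed to the fields used, and relaxed alignment is approximated by a parent/subdomain match.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the report from the question, trimmed to the fields used here.
SAMPLE = (
    "<feedback><policy_published><domain>celestelili.com</domain>"
    "<adkim>r</adkim><aspf>r</aspf><p>quarantine</p></policy_published>"
    "<record><row><source_ip>72.167.234.241</source_ip><count>1</count>"
    "<policy_evaluated><disposition>quarantine</disposition>"
    "<dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>"
    "<identifiers><header_from>celestelili.com</header_from></identifiers>"
    "<auth_results><spf><domain>p3nlwpweb453.prod.phx3.secureserver.net</domain>"
    "<result>none</result></spf></auth_results></record></feedback>"
)

def aligned(auth_domain, header_from, mode):
    """Relaxed ('r') mode approximated as a parent/subdomain match (no Public Suffix List)."""
    a, h = auth_domain.lower(), header_from.lower()
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h) or h.endswith("." + a)

def failing_sources(report_xml):
    """List records where neither DKIM nor SPF gave an aligned pass."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    modes = {"spf": pol.findtext("aspf", "r"), "dkim": pol.findtext("adkim", "r")}
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # DMARC passes when either mechanism passes
        hfrom = rec.findtext("identifiers/header_from")
        reasons = []
        for mech in ("spf", "dkim"):
            nodes = rec.findall(f"auth_results/{mech}")
            if not nodes:
                reasons.append(f"{mech}: no result reported")
            for n in nodes:
                dom, res = n.findtext("domain"), n.findtext("result")
                if res != "pass":
                    reasons.append(f"{mech}: {res} for {dom}")
                elif not aligned(dom, hfrom, modes[mech]):
                    reasons.append(f"{mech}: pass for {dom}, not aligned with {hfrom}")
        findings.append({"source_ip": rec.findtext("row/source_ip"), "header_from": hfrom,
                         "count": int(rec.findtext("row/count")), "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(failing_sources(SAMPLE))
```

Aggregate reports arrive by email from third parties, so when parsing real ones, use a hardened XML parser such as `defusedxml` instead of the standard-library parser.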

DMARC is a mechanism to provide some assurances about email from addresses in your domain; see Wikipedia's explanation. In particular, for your domain you have a DMARC policy for remote systems to send you feedback reports. Note your email address specified in the DMARC policy record:

$ dig txt _dmarc.celestelili.com +short
"v=DMARC1; p=quarantine; rua=mailto:[email protected]"

As I'm writing, I see that Michael Hampton has explained what the report means, so continue by reading his answer.

If you're not the right person to be receiving these reports for your domain you should adjust the DMARC policy record above by modifying the _dmarc entry for the domain in your DNS.