Why does spf fail in DMARC report from Google?

I recently received a DMARC report from Google alerting me of a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our domain with example.com.):

  <record>
    <row>
      <source_ip>54.240.27.187</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>mail.example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

Is SPF failing because the header_from value is example.com while the SPF domain value is mail.example.com?

We use Amazon WorkMail and Amazon SES to send both manual and automated email. The From address is usually [email protected], and we have set our MAIL FROM domain to mail.example.com. Therefore I am a little puzzled as to why Google would report the header_from domain as example.com rather than mail.example.com. We have set an appropriate SPF record for both example.com and mail.example.com.

Also, I tried sending test emails to a Gmail address using both Amazon WorkMail and Amazon SES. In both cases, SPF passed, as did DKIM and DMARC.


DMARC compares the RFC5322.From domain with the SPF-authenticated domain. In your report, we can see that the RFC5322.From domain is example.com and the SPF-authenticated domain is mail.example.com.

The aspf tag is used to indicate whether the DMARC SPF alignment test should be strict (s) or relaxed (r), with relaxed being the default.

A DMARC record set with aspf=r value or no aspf tag will verify the RFC5322.From organizational domain matches the SPF-authenticated organizational domain. Your record would pass with this alignment because the organizational domains example.com for both.

A DMARC record with aspf=s value will verify an exact DNS domain match for the RFC5322.From domain and the SPF-authenticated domain.

The DMARC test has failed because aspf=s is configured in your DMARC record and the RFC5322.From domain of example.com and the SPF-authenticated domain of mail.example.com are not the same.