Why does spf fail in DMARC report from Google?
I recently received a DMARC report from Google alerting me of a few SPF failures with mail originating from IP addresses belonging to Amazon SES. A sample record is as follows (I have replaced our domain with example.com.):
<record>
  <row>
    <source_ip>54.240.27.187</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>example.com</domain>
      <result>pass</result>
    </dkim>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>mail.example.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
Is SPF failing because the header_from value is example.com while the SPF domain value is mail.example.com?
We use Amazon WorkMail and Amazon SES to send both manual and automated email. The From address is usually [email protected], and we have set our MAIL FROM domain to mail.example.com. Therefore I am a little puzzled as to why Google would report the header_from domain as example.com rather than mail.example.com. We have set an appropriate SPF record for both example.com and mail.example.com.
Also, I tried sending test emails to a Gmail address using both Amazon WorkMail and Amazon SES. In both cases, SPF passed, as did DKIM and DMARC.
DMARC compares the RFC5322.From domain with the SPF-authenticated domain. In your report, we can see that the RFC5322.From domain is example.com and the SPF-authenticated domain is mail.example.com.
The aspf tag is used to indicate whether the DMARC SPF alignment test should be strict (s) or relaxed (r), with relaxed being the default.
A DMARC record set with an aspf=r value or no aspf tag will verify that the RFC5322.From organizational domain matches the SPF-authenticated organizational domain. Your record would pass with this alignment because the organizational domain is example.com for both.
A DMARC record with an aspf=s value will verify an exact DNS domain match for the RFC5322.From domain and the SPF-authenticated domain.
The DMARC test has failed because aspf=s is configured in your DMARC record and the RFC5322.From domain of example.com and the SPF-authenticated domain of mail.example.com are not the same.
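The alignment rule described in this answer, as an added example that is not part of the original question or answer: it parses a copy of the report record from the question and evaluates DMARC SPF alignment under both aspf=r and aspf=s. The organizational-domain helper is a deliberate simplification (last two labels) and does not consult the Public Suffix List, which a real verifier must.

```python
# Added example: DMARC SPF identifier alignment applied to the aggregate-report record above.
import xml.etree.ElementTree as ET

# Constructed copy of the record from the question (real domain already replaced with example.com).
SAMPLE_RECORD = """<record>
  <row><source_ip>54.240.27.187</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
    <spf><domain>mail.example.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption for this example).
    A production verifier must use the Public Suffix List so that e.g. co.uk is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(header_from: str, spf_domain: str, aspf: str = "r") -> bool:
    """DMARC SPF alignment: aspf=s needs an exact match of the RFC5322.From domain
    and the SPF-authenticated domain; aspf=r (default) compares organizational domains."""
    a, b = header_from.lower().rstrip("."), spf_domain.lower().rstrip(".")
    if aspf == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_record(record_xml: str, aspf: str = "r") -> dict:
    """Verdict a DMARC verifier reaches for the SPF leg of one aggregate-report record."""
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    spf_domain = rec.findtext("auth_results/spf/domain")
    spf_result = rec.findtext("auth_results/spf/result")
    # Raw SPF "pass" is necessary but not sufficient: the domain must also align with RFC5322.From.
    aligned = spf_result == "pass" and spf_aligned(header_from, spf_domain, aspf)
    return {"header_from": header_from, "spf_domain": spf_domain,
            "spf_raw": spf_result, "dmarc_spf": "pass" if aligned else "fail"}


if __name__ == "__main__":
    for mode in ("r", "s"):
        print(f"aspf={mode}: dmarc_spf={evaluate_record(SAMPLE_RECORD, mode)['dmarc_spf']}")
```

Raw SPF passes in both modes; only the strict mode turns the mail.example.com vs example.com mismatch into the DMARC SPF failure seen in the report.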