DMARC Email SPF policy_evaluated & auth_result have inconsistent status

Some (but not all) of the emails from our service are flagged as phishing by Gmail and as spam by Hotmail.

The emails being marked as phishing are sent from an application deployed on EC2 VMs, which uses Amazon SES to do the actual sending. The application sends other emails which do not get flagged (we have 4 kinds of emails sent by the app at the moment).

We also have a user using an MS Exchange account hosted on OVH sending emails from this domain, which is why the SPF records include an OVH entry.

We have configured the following records on the domain:

_amazonses.mydomain.com.    1799    IN  TXT "JiAZ9E5gIc7VbPfMI4rYSBGZJeTe3lTF+eigtVUF1fg="
_amazonses.mydomain.com.    1799    IN  TXT "vkSOtQqrtz2frIPg+6SeU7CmCenkTPjjvZdCQe/u0Qk="
_dmarc.mydomain.com.    299 IN  TXT "v=DMARC1\;p=none\;rua=mailto:[email protected]"
2anucjune6cx5dfjwtpg5w7xi5bivkdi._domainkey.mydomain.com. 1799 IN CNAME 2anucjune6cx5dfjwtpg5w7xi5bivkdi.dkim.amazonses.com.
5m7pppm63mxlxz3w3al3juxlgwb4j67m._domainkey.mydomain.com. 1799 IN CNAME 5m7pppm63mxlxz3w3al3juxlgwb4j67m.dkim.amazonses.com.
7tpgaubzvve5ekkq3pyu7rhmrxhgif5f._domainkey.mydomain.com. 1799 IN CNAME 7tpgaubzvve5ekkq3pyu7rhmrxhgif5f.dkim.amazonses.com.
mydomain.com.       299 IN  TXT "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
mydomain.com.       299 IN  SPF "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"

Here are the DMARC reports we get from Google:

  <record>
    <row>
      <source_ip>54.240.6.219</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>eu-west-1.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

and here is one from hotmail.com:

<record>
  <row>
    <source_ip>54.240.6.212</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>eu-west-1.amazonses.com</domain>
      <result>pass</result>
    </spf>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
    </dkim>
  </auth_results>
</record>

As you can see, the SPF entry for policy_evaluated has a fail status, however the auth_results list SPF as pass. What can explain the incoherent statuses? Can this incoherence be the source of our mails being flagged as phishing/spam?


Solution 1:

This appears to be due to DMARC domain alignment issues. As indicated by the report, the domain for the SPF authentication result was "eu-west-1.amazonses.com", which is non-aligned with the header_from of "mydomain.com". Why DMARC is evaluating SPF with the amazonses.com domain, I don't know. I have the same issue and have not figured out how to resolve it. From the DMARC draft:

   Example 3.  This record indicates a single message matching this set
   of data points.  The DMARC disposition for this message was "reject"
   based on DMARC aligned results for SPF and DKIM of "fail" and the
   domain's reject policy.  There was no DKIM signature on this message,
   as in Example 1.  The SPF authentication result was "pass" with a
   MAILFROM domain of "classifiedads.com".  The SPF domain is not
   aligned with the header From domain, causing the DMARC aligned SPF
   result to be "fail".

   <record>
      <row>
         <source_ip>65.61.105.5</source_ip>
         <count>1</count>
         <policy_evaluated>
            <disposition>reject</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
            </policy_evaluated>
         </row>
      <identifiers>
         <header_from>facebook.com</header_from>
         </identifiers>
      <auth_results>
         <dkim>
            <domain></domain>
            <result>none</result>
            </dkim>
         <spf>
            <domain>classifiedads.com</domain>
            <result>pass</result>
            </spf>
         </auth_results>
      </record>

Solution 2:

This is not likely to be the cause of your messages being flagged as phishing/spam. Your <policy_evaluated> elements show that you are passing DKIM and thus you are passing DMARC as a whole.

   the SPF entry for policy_evaluated has a fail status, however the auth_results list spf as being pass. What can explain the incoherent statuses ?

The auth_results do not take identifier alignment into account while the overall DMARC evaluation does, which is why the auth_results for SPF can be pass and the overall SPF results can be fail.

Why is SPF evaluated against the amazonses.com domain rather than yours though? Unlike DKIM, SPF is not validating the domain name in a From header (which would be your domain). It validates the IP address of the SMTP sender. In this case that is an amazon IP address, which correctly passes SPF.

References:

https://www.rfc-editor.org/rfc/rfc7489

http://sesblog.amazon.com/post/Tx3IREZBQXXL8O8/SPF-and-Amazon-SES
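A small evaluator, added here as an example (it is not code from either answer, nor from any DMARC implementation), that reads one aggregate-report record like the ones above and recomputes the DMARC-aligned SPF and DKIM results from the raw auth_results, which is what a receiver does before filling in policy_evaluated. It uses the Google record from the question as constructed inline input; the two-label organizational-domain approximation is an assumption (a real evaluator uses the Public Suffix List).

```python
import xml.etree.ElementTree as ET

# Constructed input: the Google record from the question, reproduced inline.
SAMPLE_RECORD = """<record>
  <row><source_ip>54.240.6.219</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>mydomain.com</domain><result>pass</result></dkim>
    <spf><domain>eu-west-1.amazonses.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""


def org_domain(domain, suffix_labels=2):
    """Assumption: organizational domain = last two labels (real evaluators use the Public Suffix List)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-suffix_labels:])


def aligned(auth_domain, header_from, mode="r"):
    """RFC 7489 identifier alignment: strict ('s') = exact match, relaxed ('r') = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_record(xml_text, adkim="r", aspf="r"):
    """Return (computed aligned results, results the report stated in policy_evaluated)."""
    rec = ET.fromstring(xml_text)
    header_from = rec.findtext("identifiers/header_from")
    computed = {}
    for mech, mode in (("dkim", adkim), ("spf", aspf)):
        # A mechanism is an aligned pass only if some raw auth_results entry
        # both passed AND has a domain aligned with the RFC5322.From domain.
        # For SES mail the SPF domain is the MAIL FROM (bounce) domain at
        # amazonses.com, so SPF passes raw but fails alignment.
        computed[mech] = "pass" if any(
            e.findtext("result") == "pass"
            and aligned(e.findtext("domain") or "", header_from, mode)
            for e in rec.findall(f"auth_results/{mech}")
        ) else "fail"
    # DMARC passes when either aligned mechanism passes.
    computed["dmarc"] = "pass" if "pass" in (computed["dkim"], computed["spf"]) else "fail"
    reported = {m: rec.findtext(f"row/policy_evaluated/{m}") for m in ("dkim", "spf")}
    return computed, reported


if __name__ == "__main__":
    print(evaluate_record(SAMPLE_RECORD))
```

Running it on the sample reproduces the report exactly: raw SPF passes, aligned SPF fails, aligned DKIM passes, so the message passes DMARC as a whole.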