Is GMAIL incorrectly failing SPF?

email google spf dmarc

I have figured it out. Not surprisingly, it was me misinterpreting the report, not Google getting their DMARC implementation wrong :)

The SPF result in the policy evaluated section that I was being confused by (copy posted in OP) is the DMARC evaluated SPF result after considering alignment.

This quote here explains the issue:

Please note that the SPF and DKIM results in the auth_results are raw results, regardless of Identifier Alignment; he results of the DMARC evaluation with Identifier Alignment are in the policy_evaluated section.

I checked the rest of the record and found that the raw results for the same record were, correctly, SPF pass.

So, what the DMARC report was telling me was that, while the SPF result was indeed from outlook.com (and hence was a raw 'pass') the return path header did not match my sending domain, which produces a DMARC evaluation SPF fail. Another reference here.

Basically, do not attempt to read the XML reports directly - they are hard for humans! I found this DMARC xml parser which does a fabulous job of allowing you to clearly see what the DMARC report is trying to tell you.

Related

Exclude a local subnet from StrongSwan VPN
IIS reports "404 Not Found" error for folders created in WSL Bash
Jenkins: Using Parameterized Trigger Plugin via Pipeline Script
2018... still no way to change the region of an App Engine project or delete it?
How to filter journalctl output by process name?
Docker + Nginx + PHP-FPM error: [emerg] 1#1: host not found in upstream [closed]
Is there a need for WAF in static website front with REST API?
OpenVPN persist-tun option - what's the point?
How to configure cross region VPC peering on AWS with Terraform
Ansible task write to local log file
SSH choice of second factor on login
Can I encrypt a whole pool with ZFSoL 0.8.1?