dmarc. Why do I receive failed SPF or DKIM authentication reports for forwarders?

email spf dkim amazon-ses dmarc

I set _dmarc to see my email authentication reports (in case it fails).

like that 

"v=DMARC1;p=quarantine;pct=100;rua=mailto:[email protected]"

And I receive these reports form Google.

a report I receive my emails are good, because they are comming from AWS SES and all configured fine, it comes like that 

<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>

BUT sometimes I get records like this

<record>
  <row>
    <source_ip>209.85.220.41</source_ip>
    <count>1</count>
    <policy_evaluated>
    <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
      <selector>xxx</selector>
    </dkim>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
      <selector>gggxxx</selector>
    </dkim>
    <spf>
      <domain>gmail.com</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

And I understand that someone has forwarded my email but without overwriting headers and this someone was gmail.

Why gmail doesn't overwrite headers and why should I care about forwarding at all? They only suppose to send me emails when it is my problem, right?

Am I confusing something?


Testing a few assumptions here:

Why gmail doesn't overwrite headers...?

Server-side / automated forwards are usually behaving this way: keeping the original sender in the header.from and changing the envelope from (bounce-address) to the service forwarding the email. When an aligned DKIM signature is present and as long as signed fields are not altered, DKIM will successfully authenticate the message and DMARC will pass. If no DKIM signature is found, DMARC will fail.

They only suppose to send me emails when it is my problem, right?

No. DMARC policy records containing a rua tag are requesting receiving servers to periodically send an aggregate report of all email received that was sent on behalf of the domain in the header.from field. The receiving server should not make assumptions (whose fault it is) on what is the reason for a specific check to fail (in this case misalignment of domains used in header.from and envelope from).

Related

ValueError: Expected object or value when reading json as pandas dataframe
Fatal Error HRESULT=0x80131c08 while debugging in Visual Studio 2010
Stop View flexing react native
How to programmatically set a localStorage with increasing values?
How to fix Command PhaseScriptExecution failed with a nonzero exit code on flutter run in macOS?
nginx controller and ingress - how is nginx controller and ingress linked?
How can I reduce the time complexity of the given python code?
Next.js explosion of crawlable files
How do I take a users input and display a greeting on the screen using .textContent in javascript?
AttributeError: 'generator' object has no attribute 'to_sql' While creating datframe using generator
Python - Kivy: AttributeError: 'super' object has no attribute '__getattr__' when trying to get self.ids
Spec - how to update a tree list keeping current selection?