
I am seeing something like this in my daily report

<row>
  <source_ip>209.85.220.73</source_ip>
  <count>1</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>pass</dkim>
    <spf>fail</spf>
  </policy_evaluated>
</row>

I need to make sure this was not a critical email that went out. As a superadmin in g-suite, how do I view these emails that say spf fail? Did the remote end deliver the email or bounce it? I am trying to get more visibility here. Any ideas?

thanks, Dean

Dean Hiller

1 Answer


It seems that the information you shared is sanitized as some fields are not present. You can see an example of a DMARC Report here

The information that you kindly shared, even though it seems to be sanitized, indicates that the policy for this domain (your domain) was set to NONE at the time the message was received by the SMTP-IN server.

As no policy to REJECT or QUARANTINE was established, most likely this email was not rejected by the SMTP-IN of the recipients. I say most likely as Mail Receivers MAY deviate from a Domain Owner's published policy during message processing in very specific scenarios.

   <policy_evaluated>
        <disposition>none</disposition>

As per RFC7489 under Policy:

"A Mail Receiver implementing the DMARC mechanism SHOULD make a best-effort attempt to adhere to the Domain Owner's published DMARC policy when a message fails the DMARC test."

In order for these messages to be processed (REJECT or QUARANTINE), the DMARC policy must specify one of those actions. Once done, the SMTP-IN server that receives inbound messages pretending to be sent from your domain will take action accordingly.

As an Admin, you don't have visibility over outbound emails sent from outside your domain. What you can do is make sure you have SPF, DKIM, and DMARC (REJECT or QUARANTINE) set up so emails impersonating your domain get filtered by the SMTP-IN servers of the recipients.

I hope this helps.

Raynel A.S
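An added example (not part of the question or the answer above) of reading such a report programmatically: it parses a DMARC aggregate report and, per record, shows the aligned SPF and DKIM results, whether DMARC as a whole passed, and the disposition the receiver reported. The function name `summarize`, the `example.com` domain, the published policy and the second record are constructed for illustration; only the first row comes from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first record is the row from the question; the
# domain, the published policy and the second record are made up.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row>
      <source_ip>209.85.220.73</source_ip><count>1</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
  </record>
</feedback>"""

def summarize(report_xml):
    """Return one dict per record: DMARC verdict plus the reported disposition."""
    # Reports arrive from third parties; for real input use a hardened XML
    # parser such as defusedxml instead of the standard-library one.
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim = ev.findtext("dkim", "").strip().lower()
        spf = ev.findtext("spf", "").strip().lower()
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "spf": spf, "dkim": dkim,
            # DMARC passes when either aligned DKIM or aligned SPF passes.
            "dmarc_pass": "pass" in (dkim, spf),
            # disposition is the action the receiver reports having applied.
            "disposition": ev.findtext("disposition", "").strip().lower(),
        })
    return rows

if __name__ == "__main__":
    for r in summarize(SAMPLE_REPORT):
        print(r)
```

For the row in the question, the SPF result is `fail` but `dmarc_pass` is true because the aligned DKIM result is `pass`; the second, constructed record is the kind that a REJECT or QUARANTINE policy would act on.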