Receiving DMARC reports for emails I do not send

Question

I am hosting the email for my domain (lets call it example.com) on google apps (free legacy edition). I recently enabled the DMARC reports so I now get a daily report for the emails sent from my domain.

My problem is that sometimes I get reports from google.com for emails sent from my domain having spf and dkim with a value of pass. This means the emails were actually sent and signed from my google apps account and is not someone pretending to be my account. However I cannot find these sent emails in any of the sent items folders of any of my accounts.

Checking IP logs from the google security pages does not indicate any suspicious IP activity.

Is there any way the google.com mailservers may be sending me DMARC reports for an email I did not send? Or do I have a virus that may somehow be sending information from the session on my browser and then deleting it from the sent items folder?

I should also mention that since I am not sending much email from this account these reports do not come every day and that when they do I can usually match the emails sent with the report. Today though I could not as I did not send any emails from gmail

Today's DMARC report follows with my domain changed to example.com. The report file name was google.com!example.com!1452384000!1452470399.xml. You will notice one record specifying email sent from amazonses.com. That email was legit and was actually sent by me. But the other record with source_ip of 2607:f8b0:4003:c06::248 was not sent by me.

Can anyone explain what I am seeing?

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>9818071788624937284</report_id>
    <date_range>
      <begin>1452384000</begin>
      <end>1452470399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>54.240.6.222</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>eu-west-1.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2607:f8b0:4003:c06::248</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>example.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

The spf record is "v=spf1 include:_spf.google.com include:amazonses.com ~all" since I also send mail through amazonses.

The DMARC record is "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:postmaster@example.com;"

Answer 1

I have finally figured out why I was seeing these DMARC reports about properly signed email sent from my domain.

As I mentioned in the question, my DMARC record was "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:postmaster@example.com;"

By default, Google apps will not deliver emails sent to postmaster@example.com to any of your mailboxes. In order for me to receive these emails I had to create a group with the same name and add myself as a member of this group. This setup step is explained in this Google Apps Help Page.

Turns out however that the email forwarded by the group to my mailbox was counted as an email sent from my domain which meant that I also received a DMARC report for it. This created a feedback loop so I received a DMARC report every day because a DMARC report was forwarded the previous day.

Once I created a new account called dmarc@example.com to accept the DMARC emails and changed my DNS records to "v=DMARC1; p=none; pct=100; sp=none; rua=mailto:dmarc@example.com;" the problem went away.

Answer 2

DKIM is for validating the server sending the mail. While I haven't played with it very much, as I understand it, you can have a mail server at example.net use its own DKIM signature for sending emails for example.com. For example, I use Google Apps for domain without a DKIM record for that service, yet it still passes DKIM with the results such as from=example-com.123456789.gappssmtp.com; dkim=pass (ok)

Based on the SPF record, I suspected that a server using one of your services and its own DKIM would pass DMARC, and, just as I guessed, 2607:f8b0:4003:c06::248 is owned by Google and has rDNS of mail-oi0-x248.google.com.

That being said, are you sure that you aren't the one sending that mail? Perhaps generated from some other service or server you use? Heck, could Google be including the aggregated report email it sends to you?