4

In a nutshell

I've configured a SPF policy on my domain but I receive a dmarc report with an failure. I don't understand why there is this failure.

More context

I've configured the following spf policy for my domain zerowasteparis.fr: v=spf1 include:spf.infomaniak.ch include:servers.mcsv.net include:_spf.google.com ~all. I see that servers.mcsv.net resolves to v=spf1 ip4:205.201.128.0/20 ip4:198.2.128.0/18 ip4:148.105.8.0/21 ?all (I also configured a dkim policy which seems to work just fine).

I don't understand why I received a dmarc report which contains in particular:

  <record>
    <row>
      <source_ip>198.2.190.251</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>zerowasteparis.fr</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>automations.mcsv.net</domain>
        <result>pass</result>
        <selector>k1</selector>
      </dkim>
      <dkim>
        <domain>zerowasteparis.fr</domain>
        <result>pass</result>
        <selector>k1</selector>
      </dkim>
      <spf>
        <domain>mail251.suw12.mcsv.net</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

I don't understand why it contains the line <spf>fail</spf>.

Why I'm puzzled

  • From a tech engineering point of view, if I'm not mistaken 198.2.190.251 is in the range ip4:198.2.128.0/18 (since it represents the range 198.2.128.0 to 198.2.191.255)
  • From a social engineering point of view it would mean that mailchimp spf doc is incorrect, but since their job is to send email, I'm having trouble believing it.

Long story short: I don't understand why I see this failure in this report

gturri
  • 13,807
  • 9
  • 40
  • 57

1 Answers1

3

Mailchimp (like number of other well known ESPs) is designed in a way to use their own email address in MailFrom (RFC5321.MailFrom). The main reason behind this is to handle bounces of campaign emails.

SPF validation performs check if Source/Sender IP is included in SPF record of domain mentioned in MailFrom field.

  1. domain tag in XML file contains domain retrieved from message header's smtp.mailfrom: mail251.suw12.mcsv.net
  2. source_ip tag: 198.2.190.251
  3. The SPF record defined for mail251.suw12.mcsv.net domain: v=spf1 ip4:198.2.190.251 include:spf.mandrillapp.com ?all, i.e sending IP is covered with SPF.

That is why have SPF=pass in auth_results section.

  <spf>
    <domain>mail251.suw12.mcsv.net</domain>
    <result>pass</result>
  </spf>

Unlike SPF, DMARC validation perform the check if domain mentioned in From field (RFC5322.From) matches / aligned with domain mentioned in MailFrom (RFC5321.MailFrom)

  1. rDNS/PTR of 198.2.190.251 from source_ip tag: mail251.suw12.mcsv.net
  2. Domain mentioned in header_from tag: zerowasteparis.fr
  3. Thus, domain in RFC5322.From (zerowasteparis.fr) does not match / not aligned with domain in RFC5321.MailFrom (mcsv.net)

That is why you get SPF=fail in policy_evaluated section.

  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>pass</dkim>
    <spf>fail</spf>
  </policy_evaluated>
</row>
<identifiers>
  <header_from>zerowasteparis.fr</header_from>
</identifiers>

Apart of above explanation, I would suggest you deploy one of DMARC Analytics and Implementation solutions, listed on DMARC.org website, e.g. EasyDMARC.

Community
  • 1
  • 1
Zonder
  • 56
  • 4