Intermittent SPF fail, something to do with field

Question

My domain is running SPF/DMARC but not DKIM. Just recently we started getting intermittent SPF fails reported in the DMARC aggregate reports (reports are almost all from google, we are not a large volume sender).

Within the same day's report, we can see SPF passes where <header_from> matches <domain> (e.g. ourdomain.net), and SPF fails where <header_from> is the domain (e.g. ourdomain.net) and <domain> contains the mail server FQDN (e.g. server.ourdomain.net).

Our SPF record is: Name @Type TXTContent v=spf1 ip4:[our IP address] ~all

Our DMARC record is: Name _dmarcType TXT Content v=DMARC1; p=none; sp=none; rua=mailto:dmarc@[ourdomain.net]; ruf=mailto:dmarc@[ourdomain.net]; adkim=r; aspf=r; pct=100; ri=86400

Here is a sample DMARC report, santized info in [square brackets]. What I have written as [server.ourdomain.net] matches both our PTR record for our external IP address and what the server is set to provide in its HELO/EHLO response. Thanks in advance for any advice.

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>230072615812425690</report_id>
    <date_range>
      <begin>1579564800</begin>
      <end>1579651199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>[ourdomain.net]</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>[our IP address]</source_ip>
      <count>10</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>[ourdomain.net]</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>[server.ourdomain.net]</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>[our IP address]</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>[ourdomain.net]</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>[ourdomain.net]</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  </feedback>

score 0 · Accepted Answer · answered Jan 24 '20 at 20:42

0

This usually happens with DSN (delivery status notification) messages. In that case the Return-Path is empty and SPF is checked on the EHLO / HELO name.

Best to publish an SPF record for the mail host as well.

answered Jan 24 '20 at 20:42

Reinto

885
6
9

Oh that totally makes sense. I will test and update. – SKaye Jan 24 '20 at 21:16

Intermittent SPF fail, something to do with field

1 Answers1