
I do not understand the fail results in the following SPF report.

Why is it that in the <policy_evaluated> section there are fail tags and in the following <auth_results> everything passes?

Here is our spf record: "v=spf1 mx a include:amazonses.com ~all"

    <?xml version="1.0" encoding="UTF-8" ?>
    <feedback>
      <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>10168101214609039763</report_id>
        <date_range>
          <begin>1602806400</begin>
          <end>1602892799</end>
        </date_range>
      </report_metadata>
      <policy_published>
        <domain>schlossberlepsch.de</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>reject</p>
        <sp>reject</sp>
        <pct>100</pct>
      </policy_published>
      <record>
        <row>
          <source_ip>54.240.48.132</source_ip>
          <count>4</count>
          <policy_evaluated>
            <disposition>none</disposition>
            <dkim>pass</dkim>
            <spf>fail</spf>
          </policy_evaluated>
        </row>
        <identifiers>
          <header_from>schlossberlepsch.de</header_from>
        </identifiers>
        <auth_results>
          <dkim>
            <domain>schlossberlepsch.de</domain>
            <result>pass</result>
            <selector>u32rudoqdsij3cpvxopve4co5vuh4wum</selector>
          </dkim>
          <dkim>
            <domain>amazonses.com</domain>
            <result>pass</result>
            <selector>224i4yxa5dv7c2xz3womw6peuasteono</selector>
          </dkim>
          <spf>
            <domain>amazonses.com</domain>
            <result>pass</result>
          </spf>
        </auth_results>
      </record>
    </feedback>
architjn
Fabianus
    This is answered very nicely [on superuser.com](https://superuser.com/questions/715926/dmarc-email-spf-policy-evaluated-auth-result-have-inconsistent-status#722129). In short, it's because the SMTP envelope sender domain is amazon's, and not yours. You can fix it by following [amazon's docs](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html). – Synchro Oct 18 '20 at 17:09
  • Hey @Synchro, you gave the kick. I had this already configured, but with an error in the DNS entries. Thanks - I would love to upvote your reply if you do it again as an answer. – Fabianus Oct 25 '20 at 16:21
  • I only pointed at the answer - give that one an upvote! – Synchro Oct 25 '20 at 16:23

2 Answers


SPF is failing because of alignment. If you check SPF under auth_results, you will see the SPF domain is amazonses.com, which does not align with your domain. So to align, header_from and the SPF domain should match, either with the help of a subdomain (relaxed alignment) or the root domain (strict alignment).

To do so, you have to head over to Amazon SES and, after selecting your domain, you will see the MAIL FROM Domain section. You have to set that up. That will actually change your Return-Path; after that it will be aligned and will start passing.

architjn
  • Despite the fact that our domain is verified, has DKIM verified, has a MAIL FROM domain set to a subdomain of our domain and the status is verified, we still get daily reports from various providers like Google, Yahoo and others that claim that we do not pass the SPF policy. – Fabianus Nov 21 '20 at 18:10
  • @Fabianus that could be a case of forwarding. In forwarding, DKIM remains the same and SPF starts to fail. So if you want a solution for that, share that exact report and I can help you with that also. – architjn Dec 21 '20 at 06:54

Finally I understood:

As @synchro pointed out, this documentation is the right direction.

I had already met all of this, but what I did not know is what Fabi points out here:

Not only do you have to set the MAIL FROM settings at the domain level, but also for each e-mail address managed by AWS in SES. Something you wouldn't expect, but that's how it goes.

Fabianus
  • This is done so that AWS can track bounces/complaints etc. by changing the MAIL FROM/Return-Path addresses. For DMARC using SES, you need to make sure that aspf is set to relaxed, because you can't have the custom MAIL FROM exactly the same as your domain in SES. – James Dean Dec 16 '20 at 04:08
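As an added example (not code from the question or from either answer), the following Python recomputes DMARC alignment the way a receiver does over the report posted in the question, and then over a second, constructed record in which an SES custom MAIL FROM domain (assumed name `bounce.schlossberlepsch.de`) is in place. It illustrates the first answer's point that `auth_results` records the raw SPF verdict on the envelope domain (`amazonses.com`) while `policy_evaluated` records the aligned verdict against `header_from`, and the last comment's point that a custom MAIL FROM subdomain only aligns under relaxed `aspf`. The organizational-domain helper is a simplification (last two labels rather than the Public Suffix List).

```python
"""Evaluate DMARC identifier alignment over an aggregate (rua) report.

Added example, not the page's own code. Record 1 of the constructed report
below reuses the values posted in the question; record 2 is hypothetical and
shows the same sending IP after an SES custom MAIL FROM domain (assumed name
bounce.schlossberlepsch.de) has been configured.
"""
import xml.etree.ElementTree as ET

# Constructed report: metadata and selectors from the question are omitted.
REPORT = """<feedback>
  <policy_published>
    <domain>schlossberlepsch.de</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
  </policy_published>
  <record>
    <row>
      <source_ip>54.240.48.132</source_ip>
      <count>4</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>schlossberlepsch.de</header_from></identifiers>
    <auth_results>
      <dkim><domain>schlossberlepsch.de</domain><result>pass</result></dkim>
      <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
      <spf><domain>amazonses.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.48.132</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>schlossberlepsch.de</header_from></identifiers>
    <auth_results>
      <dkim><domain>schlossberlepsch.de</domain><result>pass</result></dkim>
      <spf><domain>bounce.schlossberlepsch.de</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain, approximated as the last two labels.
    RFC 7489 uses the Public Suffix List, so this is wrong for names such as
    example.co.uk; it is adequate for the domains in this report."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: mode 's' (strict) needs an exact match,
    mode 'r' (relaxed) only needs the same organizational domain."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    return org_domain(hf) == org_domain(ad)


def evaluate(report_xml):
    """Recompute the aligned SPF/DKIM verdicts for every <record> and keep the
    reporter's <policy_evaluated> values alongside for comparison."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    aspf = pol.findtext("aspf", "r")
    adkim = pol.findtext("adkim", "r")
    rows = []
    for rec in root.findall("record"):
        hf = rec.findtext("identifiers/header_from")
        spf_passed = [s.findtext("domain") for s in rec.findall("auth_results/spf")
                      if s.findtext("result") == "pass"]
        dkim_passed = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                       if d.findtext("result") == "pass"]
        spf_ok = any(aligned(hf, d, aspf) for d in spf_passed)
        dkim_ok = any(aligned(hf, d, adkim) for d in dkim_passed)
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": hf,
            "spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            # DMARC passes if either mechanism passes AND aligns.
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            # Raw SPF passes discarded because the domain does not align:
            "unaligned_spf": [d for d in spf_passed if not aligned(hf, d, aspf)],
            "reported_spf": rec.findtext("row/policy_evaluated/spf"),
            "reported_dkim": rec.findtext("row/policy_evaluated/dkim"),
        })
    return rows


if __name__ == "__main__":
    for r in evaluate(REPORT):
        print(f"{r['source_ip']} x{r['count']}: spf={r['spf']} dkim={r['dkim']} "
              f"dmarc={r['dmarc']} unaligned_spf={r['unaligned_spf']}")
    # Why the comment above says aspf must be relaxed for an SES MAIL FROM subdomain:
    for mode in ("r", "s"):
        print(mode, aligned("schlossberlepsch.de", "bounce.schlossberlepsch.de", mode))
```

For the question's record the script reproduces the reporter's verdicts: raw SPF passed for `amazonses.com` but is listed under `unaligned_spf`, so the aligned SPF result is `fail`, while the `schlossberlepsch.de` DKIM signature aligns and carries the DMARC pass (hence `disposition` of `none` under `p=reject`). For the hypothetical record the subdomain aligns under `aspf=r` but not under `aspf=s`. One practical caveat when you do switch to a custom MAIL FROM subdomain: the root domain's `v=spf1 ... include:amazonses.com ~all` record does not cover the subdomain, so the subdomain needs its own SPF TXT record (and the MX record SES asks for), otherwise the raw SPF check itself fails.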