
I recently noticed a discrepancy between Gmail's DMARC/DKIM/SPF results for messages sent via my mailserver as represented in the mail headers –

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@domain.com header.s=s42 header.b=TWJ2lYx3;
       spf=pass (google.com: domain of user@domain.com designates 000.000.000.000 as permitted sender) smtp.mailfrom=user@domain.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.com
Return-Path: <user@domain.com>
Received: from mail.domain.com (mail.domain.com. [000.000.000.000])
        by mx.google.com with ESMTPS id v16-20020a5d6110000000b00314105346a6si1394751wrt.420.2023.07.06.12.09.26
        for <mygmailaccount@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 06 Jul 2023 12:09:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of user@domain.com designates 000.000.000.000 as permitted sender) client-ip=000.000.000.000;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@domain.com header.s=s42 header.b=TWJ2lYx3;
       spf=pass (google.com: domain of user@domain.com designates 000.000.000.000 as permitted sender) smtp.mailfrom=user@domain.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.com

– and Google's DMARC report, which contains a fail result for the same messages:

<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>1502902575606731331</report_id>
    <date_range>
      <begin>1688515200</begin>
      <end>1688601599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>domain.com</domain>
    <adkim>s</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>75</pct>
    <np>quarantine</np>
  </policy_published>
  <record>
    <row>
      <source_ip>000.000.000.000</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mail.domain.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>mail.domain.com</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

A couple of months ago, Google's reports listed pass results (and Microsoft's reports still do).

I found a similar question, but the response pointing to misaligned domains does not apply here, as the domains are properly aligned for my relaxed DMARC policy (see snippets above with domain.com and mail.domain.com as placeholders for my actual domains). What's more, the DMARC result is different in the message header and the report, too.

janeden
  • The report and headers don't belong together. Too many differences. – EddieDemon Aug 03 '23 at 11:42
  • I modified some data for privacy purposes, but the pattern is consistent: Headers show PASS results, DMARC reports contain FAIL results. – janeden Aug 15 '23 at 11:10
  • Check this: https://security.stackexchange.com/a/210298 – EddieDemon Aug 17 '23 at 13:02
  • My problem is not that SPF, DKIM or DMARC tests fail – they succeed (according to the Gmail raw view)! But Google's own DMARC reports disagree and list failures for all tests. – janeden Aug 24 '23 at 16:19
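
An added example, not part of the original question or of Google's tooling: it parses one Authentication-Results header and one DMARC aggregate report and lists where the two differ, which is the comparison the question makes by eye. The sample data is constructed from the question's placeholders (192.0.2.10 stands in for the masked IP), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the placeholders in the question above.
SAMPLE_HEADER = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@domain.com header.s=s42 header.b=TWJ2lYx3;\n"
    "       spf=pass (google.com: domain of user@domain.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=user@domain.com;\n"
    "       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=domain.com"
)
SAMPLE_REPORT = """<feedback><record>
  <row><source_ip>192.0.2.10</source_ip><count>1</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mail.domain.com</header_from></identifiers>
  <auth_results><spf><domain>mail.domain.com</domain><result>none</result></spf></auth_results>
</record></feedback>"""

def header_verdicts(header):
    """Return the dkim/spf/dmarc results and header.from domain of one header."""
    body = re.sub(r"\([^)]*\)", "", header)  # drop parenthesised comments
    out = {m: r.lower() for m, r in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", body)}
    found = re.search(r"header\.from=([\w.-]+)", body)
    out["header_from"] = found.group(1).lower() if found else None
    return out

def report_rows(xml_text):
    """Yield one dict per <record> with the alignment-aware DMARC results."""
    # Reports arrive by mail from third parties: parse them as untrusted input.
    for rec in ET.fromstring(xml_text).iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        yield {
            "source_ip": rec.findtext("row/source_ip"),
            "header_from": (rec.findtext("identifiers/header_from") or "").lower(),
            "dkim": dkim, "spf": spf,
            "dmarc": "pass" if "pass" in (dkim, spf) else "fail",  # RFC 7489: either suffices
        }

def compare(header, xml_text):
    """List (field, header_value, report_value) differences for each report row."""
    seen, findings = header_verdicts(header), []
    for row in report_rows(xml_text):
        if row["header_from"] != seen["header_from"]:
            findings.append(("header_from", seen["header_from"], row["header_from"]))
            continue  # different From domain: the verdicts are not comparable
        for method in ("dmarc", "dkim", "spf"):
            if row[method] != seen.get(method):
                findings.append((method, seen.get(method), row[method]))
    return findings
```

A `header_from` finding means the report row describes mail with a different From domain than the header being compared, so its pass/fail values cannot be matched against that header.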

0 Answers