I've received my first (ever!) DMARC forensic report, and I'm not sure if it implies I should be setting something differently, or if this is desired behavior, or if it's undesired but there's nothing to be done.
The actual report says
Feedback-Type: auth-failure
User-Agent: szn-mime/2.0.46
Version: 1
Original-Mail-From: [email protected]
Original-Rcpt-To: [email protected]
Source-Ip: 2a00:1450:4864:20::348
Reported-Domain: cwrichardson.com
Authentication-Results: email.seznam.cz 1;
spf_align=fail;
dkim_align=pass
Delivery-Result: delivered
Looking at the returned headers, I guess there's some internal forwarding/aliasing happening between where I sent the email (@skolaseiferta.cz) and the recipient's actual email address (@seznam.cz). There's a bunch of stuff in the middle from Google where it looks like everything (SPF, DKIM, DMARC) is passing. I have vague recollections that I've read somewhere that sometimes Google forwards without updating the headers and this causes problems. Maybe that's what's happening here, but my core question is, is this failure (SPF alignment; but message delivered) an indication that I have something configured wrong, and if so, what should I change?
Here's the final header as reported back in the forensic report:
Received: from mail-wm1-x348.google.com (mail-wm1-x348.google.com [2a00:1450:4864:20::348])
by email-smtpd17.ko.seznam.cz (Seznam SMTPD 1.3.125) with ESMTP;
Wed, 21 Apr 2021 21:28:04 +0200 (CEST)
Received: by mail-wm1-x348.google.com with SMTP id j128-20020a1c55860000b02901384b712094so754950wmb.2
for <[email protected]>; Wed, 21 Apr 2021 12:28:04 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:dkim-filter:dkim-signature:from:message-id
:mime-version:subject:date:in-reply-to:cc:to:references:delivered-to;
bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
b=OmOkt9uiFimeL2nbIAnz89lXQh6/L47XxRfQcpkktf1KCjK1csYPs/I5UxzzgBxXDL
QbkfBy3W6l6txQfM+E821xvBU63wXirBdbN8Gxo3Ldw6dQvZ+6uzatuCkEeFVHL6KO6H
E1O27CVqbz6bhqvaDKEgZRItL6bSAO3OhprafiZk6Yhqr170cAKArDzfTyFgvXX4FGfI
MFr/1BqM3VQnEyPRBRTiF5i4h1ZxRhnSUvcDH900v+7RN4AZ7+XLAcWjGfHBmWWHea6J
GV14l7zl22LLRRGIhSaxP+L8qzSG6GM+NRFRJIA8OEfTHkpTXTI1q1aMzLRWIefkMFK/
C9iQ==
X-Gm-Message-State: AOAM531OlI1F9zTh1HsZoHNZWRw2CRCcaLXZmaWuT10mdobzsf1XdbXR
jVsZvqhPh/16vPkDdJdHwZdNzDTJ7CYTnntl2W3Ylv1iWfO45ExY/3J5H2S8LMTc9m/Vg1HzH9N
unIJoFt2ngq8JpN5PRnXe3TbNIRVN5ypsMMYp9rWdDmXRlI/X3Q==
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285827wrc.216.1619033282566;
Wed, 21 Apr 2021 12:28:02 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxghHJgfoFCadI4rf70xN3TaKsadvCo5viffMf7GjVOMzjZImFo2jdnWEOn8V+OIxc8YVlx
X-Received: by 2002:a5d:47c1:: with SMTP id o1mr27285733wrc.216.1619033281236;
Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1619033281; cv=none;
d=google.com; s=arc-20160816;
b=i9HgJPQWyJQaj9eHYTRTLX30VfCcgk3coymQyyGzs3jKpMtoTGTSkTJoakmG4kpamB
HBf9tf6FdxKZK1EPYUhu2HoIB99JSwU5/hm7+LjM9izktRYp12apYf37Q1XqUqWXXJkx
iUUEVpjE33D6TmhklEOw6HZaSK+GI+AYESoUkIWuqJLG95+5gt2Ckq21Xs3zGw57m5vE
pkusUkEKxR/8UOrFag6U4OLMr6ydy/oUNtQhUiAr2imI2qYUbMCoGpwDiIm4NI6n7Wtx
WSTvKGZymXugiv51qBlmtL0u5U3dNTVTtJSKr2Vo4oDIQBIZaw1hm2oudeLPOvmdwSP0
YfGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=references:to:cc:in-reply-to:date:subject:mime-version:message-id
:from:dkim-signature:dkim-filter;
bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
b=R3Rk9Xazyo8BwHtxFEETi3RxVnAMqd8aFzNgQYVSQ7eTSEFbkxquX3YWP5blsnu7el
GinyOV6vxvBuRJpZOgx+7+zgT4os0xGP7naNBG8kyMBuFjvTTvt/g592KmZj0RurQezb
lspa6TLQ+x1wpysKvlg7Dy0VKFhfAkww8vXDNNbaJuC/YlBFNGab+x2B2FLtrITIxR6B
OyOpCsX2MvbXtuRikXRgzkvm5DWVqyt6XFH/a3kw9PvbzR23eEmX/OMZe/g+W9ZW8O7D
/hbimfG2OjKsOAFOCX1yeUUlV0M2hdphi3yI3zSOgoqpTgQfieaHCm9LtkuYAmBBoFH7
nuDw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=default header.b=rKVHfdcx;
spf=pass (google.com: domain of [email protected] designates 54.93.189.174 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Return-Path: <[email protected]>
Received: from mercury.mirovoysales.com (mercury.mirovoysales.com. [54.93.189.174])
by mx.google.com with ESMTP id r5si462898wrl.256.2021.04.21.12.28.00;
Wed, 21 Apr 2021 12:28:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 54.93.189.174 as permitted sender) client-ip=54.93.189.174;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=default header.b=rKVHfdcx;
spf=pass (google.com: domain of [email protected] designates 54.93.189.174 as permitted sender) [email protected];
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=cwrichardson.com
Received: from localhost (unknown [127.0.0.1])
by mercury.mirovoysales.com (Postfix) with ESMTP id EF3C88004B;
Wed, 21 Apr 2021 19:27:59 +0000 (UTC)
X-Virus-Scanned: amavisd-new at example.com
Received: from mercury.mirovoysales.com ([127.0.0.1])
by localhost (ip-10-0-200-85.eu-central-1.compute.internal [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id wQKPlvH_4S8m; Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
Received: from [192.168.1.2] (213.121.broadband6.iol.cz [88.101.121.213])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mercury.mirovoysales.com (Postfix) with ESMTPSA id 3A67080037;
Wed, 21 Apr 2021 19:27:57 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mercury.mirovoysales.com 3A67080037
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cwrichardson.com;
s=default; t=1619033277;
bh=z9XlWb3jRfloYwjMKz59BkGnJPKn5q9UeC0Yjl3uFpU=;
h=From:Subject:Date:In-Reply-To:Cc:To:References:From;
b=rKVHfdcxSd1ZhsD1G1X5jvil3lpme2V8tNU+3D0PgdBklG/uYMEdRFVOjr6vqkp9y
GhZa5D1MVyG1Zd/OZ8v7OZ6x2YZsObnWz92Q5B+X1H5lvbD7/1K9AuNAVmMMmWdlMl
EY7thbBBQyT1f7j4TvHJTwuJx2JZszR1BjlGoEiY=
From: Christopher Richardson <[email protected]>
Message-Id: <[email protected]>
Content-Type: multipart/alternative;
boundary="Apple-Mail=_4FC50147-75FE-4FDF-B8EC-F651F9EF7F63"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Subject: =?utf-8?B?UmU6IMWha29sYSB2IHDFmcOtcm9kxJs=?=
Date: Wed, 21 Apr 2021 21:27:56 +0200
In-Reply-To: <[email protected]>
Cc: Sarah Richardson <[email protected]>,
[email protected]
To: [email protected]
References: <CAOSANHi3e3EPsdvvBU5sh_r3T5h+m8+4Mmwsek=ZxHj3rmEaZQ@mail.gmail.com>
<[email protected]>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Delivered-To: [email protected]: Wed, 21 Apr 2021 21:28:10 +0200 (CEST)
Reporting-MTA: dns; email.seznam.cz
Final-Recipient: rfc822; [email protected]
Status: 2.0.0
Diagnostic-Code: x-uknown;
Action: x-unknown
Original-Recipient: rfc822; [email protected]
To achieve DMARC compliance, either SPF or DKIM must be aligned.
So I do not understand why you did get this forensic report - as far as I understand the DMARC system, this message is comliant, since DKIM passed the alignment testAs far as I see, the message is DMARC compliant - normally you would not get a forensic report, but there is a setting that requests reports even if any of the mechanisms fail (thanks @anx for this information - was new to me!). This report also tells you in the last line that the message was delivered - so no rejection or quarantining here.Forwarding is a known problem of DMARC, because sender addresses in the header could missmatch. Normaly if a mail gateway detects a mail that is not DMARC compliant and "looks forwarded" due to specific hints in the header, the gateway could let this mail through - even if SPF and DKIM are failing - see DMARC Policy Overrides.