If i sent a mail from my website (on a private server) to [email protected], i have this report :
<record>
<row>
<source_ip>x.x.x.x</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>mydomain.com</domain>
<result>pass</result>
</spf>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
</auth_results>
</record>
The identifiers/header_from AND auth_results/spf/domain is both mydomain.com, my sender (and return path) is [email protected]
The SPF test alone is ok, but the dmarc (policy_evaluated/spf) fail, i don't understand why ...
My DNS record (SPF/DMARC):
"v=spf1 a mx include:mx.ovh.com -all"
"v=DMARC1\; p=reject\; sp=none\; rua=mailto:[email protected]\; rf=afrf\; pct=100\; ri=86400"
The reason for the DMARC fail on SPF policy (
<policy_evaluated><spf>fail
) despite the SPF check passing (<auth_results><spf><result>pass
) is that your SMTP "mailFrom" (envelope MAIL From or RFC 5321.MailFrom) & your header "From" fields are out of alignment. I can't be sure from the extract you posted, but it's the likely answer.e.g. if your mail system sets the
envelope MAIL From
to<[email protected]>
, but yourheader From
says the reply address is<[email protected]>
the domains are out of alignment & the DMARC evaluation of SPF will fail, even though you have includedmail.provider.tld
in your SPF record.These articles may help:
As Henry said, you only require one of the two tests (SPF or DKIM) to be in alignment for DMARC to pass.
I don't know much about that testing location, I use
[email protected]
as my main go to email tester. That aside, DMARC can fail, if your SPF is not aligned this is called the ASPF test. DMARC requires SPF, DKIM or Both. Since you have SPF working, the only thing that comes to mind will be that possibly your ASPF Test is failing, or the tester has a possible bug. I did test my email with that test and it did indicate that I passed DMARC.