DMARC Email SPF policy_evaluated & auth_result have inconsistent status

This appears to be due to DMARC domain alignment issues. As indicated by the report, the domain for the SPF authentication result was "eu-west-1.amazonses.com", which is non-aligned with the header_from of "mydomain.com". Why DMARC is SPF evaluating with the amazonses.com domain, I don't know. I have the same issue and have not figure out how to resolve it. From the DMARC draft:

   Example 3.  This record indicates a single message matching this set
   of data points.  The DMARC disposition for this message was "reject"
   based on DMARC aligned results for SPF and DKIM of "fail" and the
   domain's reject policy.  There was no DKIM signature on this message,
   as in Example 1.  The SPF authentication result was "pass" with a
   MAILFROM domain of "classifiedads.com".  The SPF domain is not
   aligned with the header From domain, causing the DMARC aligned SPF
   result to be "fail".

   <record>
      <row>
         <source_ip>65.61.105.5</source_ip>
         <count>1</count>
         <policy_evaluated>
            <disposition>reject</disposition>
            <dkim>fail</dkim>
            <spf>fail</spf>
            </policy_evaluated>
         </row>
      <identifiers>
         <header_from>facebook.com</header_from>
         </identifiers>
      <auth_results>
         <dkim>
            <domain></domain>
            <result>none</result>
            </dkim>
         <spf>
            <domain>classifiedads.com</domain>
            <result>pass</result>
            </spf>
         </auth_results>
      </record>

This is not likely to be the cause of your messages being flagged as phishing/spam. Your <policy_evaluated> elements show that you are passing DKIM and thus you are passing DMARC as a whole.

the SPF entry for policy_evaluated has a fail status, however the auth_results list spf as being pass. What can explain the incoherent statuses ?

The auth_results do not take identifier alignment into account while the overall DMARC evaluation does, which is why the auth_results for SPF can be pass and the overall SPF results can be fail.

Why is SPF evaluated against the amazonses.com domain rather than yours though? Unlike DKIM, SPF is not validating the domain name in a From header (which would be your domain). It validates the IP address of the SMTP sender. In this case that is an amazon IP address, which correctly passes SPF.

References:

https://tools.ietf.org/html/rfc7489

http://sesblog.amazon.com/post/Tx3IREZBQXXL8O8/SPF-and-Amazon-SES

Tags:

Email

Spam Prevention

Recent Posts