DMARC: SPF Fail, DKIM Pass, Source IP: not mine!

Sorry, forgot to post the resolution to this!

So it was a forwarding thing as suspected but my SPF rules in DNS were overly strict and didn't allow for forwarding - hence SPF failed. Changing from -all to ~all sorted it.

Two things to consider:

  1. Email forwarding happens on the internet. This could be a case of someone running their own server but then forwarding all email to Yahoo (eventually landing in an mailbox). People do this all the time 'cause they like the UI of the final destination better or its just easier to manage.

  2. DKIM can survive forwarding if the content of the message remains intact. It is not unusual to see DKIM-passing messages flowing out of weird places on the internet before being reported by DMARC.

In your example, the presence of a DKIM-passing signature from an unknown IP source is a very strong signal that this row of data represents forwarded email.