Forum Discussion
Outbound emails failing to Gmail
I'm having an issue with outbound emails failing to Google accounts. SPF, DKIM, and DMARC are all setup corectly for the domain.
The DMARC report shows the source IP as a valid Exchange Online IP.
The DMARC report shows the SPF both failing and passing which is confusing me.
I'd really appreciate any guidance on how to correctly update the DNS records or if I would need to try get in touch with Google.
Relevant screenshot below as well as the text of the DMARC report here:
<date_range>
<begin>1679184000</begin>
<end>1679270399</end>
</date_range>
</report_metadata>
<policy_published>
<domain>halyard.eu.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>2a01:111:f400:fe0c::312</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>xxxcom</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>xxxx.com</domain>
<result>pass</result>
<selector>selector2</selector>
</dkim>
<spf>
<domain>xxxx.outbound.protection.outlook.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
- The SPF pass is for authentication (it's in the auth_results section); the SPF fail is for alignment (same goes for DKIM). This means the domain used at From doesn't match the one presented in Return-Path. In default (SPF alignment is relaxed, not strict). this should result in a pass verdict for the message, but the alignment will of course still be fail.
Feed your DMARC report here to have a more readable output
https://dmarcian.com/xml-to-human-converter/
3 Replies
After a hacking experience, our O365 domain has been blocked by Google. We added the necessary DNS records (SPF, DKIM, and DMARC) weeks ago and we continue to be blocked. Emails are being delivered without fail to other recipients except Gmail accounts. I used the Google Postmaster Tools to run the Compliance Check, it reports SPF, DKIM, and DMARC failures, even though all three records exist and appear correctly configured in DNS. DKIM has been enabled in Microsoft 365 for several weeks. SPF and DMARC are valid.
Any thoughts or ideas on what to do next?
Thanks!
- The SPF pass is for authentication (it's in the auth_results section); the SPF fail is for alignment (same goes for DKIM). This means the domain used at From doesn't match the one presented in Return-Path. In default (SPF alignment is relaxed, not strict). this should result in a pass verdict for the message, but the alignment will of course still be fail.
Feed your DMARC report here to have a more readable output
https://dmarcian.com/xml-to-human-converter/- That now makes sense with the link provided. Thank you Michel.
