SOLVED

Outbound emails failing to Gmail

Copper Contributor

I'm having an issue with outbound emails failing to Google accounts. SPF, DKIM, and DMARC are all setup corectly for the domain.

The DMARC report shows the source IP as a valid Exchange Online IP.

The DMARC report shows the SPF both failing and passing which is confusing me.

 

I'd really appreciate any guidance on how to correctly update the DNS records or if I would need to try get in touch with Google.

 

Relevant screenshot below as well as the text of the DMARC report here:

 

<date_range>
<begin>1679184000</begin>
<end>1679270399</end>
</date_range>
</report_metadata>
<policy_published>
<domain>halyard.eu.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>2a01:111:f400:fe0c::312</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>xxxcom</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>xxxx.com</domain>
<result>pass</result>
<selector>selector2</selector>
</dkim>
<spf>
<domain>xxxx.outbound.protection.outlook.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>

2 Replies
best response confirmed by Patrick660 (Copper Contributor)
Solution
The SPF pass is for authentication (it's in the auth_results section); the SPF fail is for alignment (same goes for DKIM). This means the domain used at From doesn't match the one presented in Return-Path. In default (SPF alignment is relaxed, not strict). this should result in a pass verdict for the message, but the alignment will of course still be fail.

Feed your DMARC report here to have a more readable output
https://dmarcian.com/xml-to-human-converter/
That now makes sense with the link provided. Thank you Michel.
1 best response

Accepted Solutions
best response confirmed by Patrick660 (Copper Contributor)
Solution
The SPF pass is for authentication (it's in the auth_results section); the SPF fail is for alignment (same goes for DKIM). This means the domain used at From doesn't match the one presented in Return-Path. In default (SPF alignment is relaxed, not strict). this should result in a pass verdict for the message, but the alignment will of course still be fail.

Feed your DMARC report here to have a more readable output
https://dmarcian.com/xml-to-human-converter/

View solution in original post