Policy says quarantine but report says its not because it's forwarded

mrp · September 26, 2019, 11:53am

I haven’t looked into what should happen to a message that is forwarded but I find this quite an interesting entry in a recent aggregation report. Why should this email (and I obviously have no idea what it is) be handled this way? The IP is an MX of synapse.ne.jp which has a neutral SPF policy (if that matters).

<record>
<row>
  <source_ip>202.208.174.114</source_ip>
  <count>1</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>fail</dkim>
    <spf>fail</spf>
    <reason>
      <type>forwarded</type>
      <comment>looks forwarded, not quarantined for DMARC</comment>
    </reason>
  </policy_evaluated>
</row>
<identifiers>
  <header_from>mrp.net</header_from>
</identifiers>
<auth_results>
  <spf>
    <domain>mrp.net</domain>
    <result>fail</result>
  </spf>
</auth_results>
</record>

smirza · September 26, 2019, 12:43pm

So the message is definitely being forwarded by synapse.ne.jp. Forwarding of messages break authentication mechanism being used. Also in some case, the forwarding system could be overriding your DMARC policy (which could possibly be the case here).

If I may ask, what receiving domain sent you this report?

mrp · September 26, 2019, 12:55pm

It’s from google.com.