Should I be concerned about a record from a Google MX that passes DKIM and fails SPF?

Another curious entry in a recent aggregate report from Google, where it reports a couple of different Google IPv6 addresses where the DKIM passes but the SPF fails, since that address is correctly not listed by my SPF report. Can anyone explain this behaviour?

<record>
  <row>
    <source_ip>2a00:1450:4864:20::346</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mrp.net</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mrp.net</domain>
      <result>pass</result>
      <selector>20190920</selector>
    </dkim>
    <spf>
      <domain>mrp.net</domain>
      <result>fail</result>
    </spf>
  </auth_results>
</record>

I’ve seen a few of these have to do with Google Calendar or those are bounced messages. It shouldn’t be a cause for concern because as long as one of the authentication mechanisms passes, it’ll be a pass for DMARC.
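A way to triage records like the one above, as an added example that is not part of the original thread: it parses aggregate-report records and marks each as DMARC pass or fail, counting a DKIM or SPF pass only when its domain aligns with header_from. The second record in the sample, the `aligned` and `triage` helper names, and the simplified subdomain-based alignment check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first record mirrors the one in the post; the second
# (documentation IP, SPF passing for an unrelated domain) is invented for contrast.
SAMPLE = """<feedback>
<record>
  <row><source_ip>2a00:1450:4864:20::346</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mrp.net</header_from></identifiers>
  <auth_results>
    <dkim><domain>mrp.net</domain><result>pass</result><selector>20190920</selector></dkim>
    <spf><domain>mrp.net</domain><result>fail</result></spf>
  </auth_results>
</record>
<record>
  <row><source_ip>2001:db8::25</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mrp.net</header_from></identifiers>
  <auth_results><spf><domain>example.org</domain><result>pass</result></spf></auth_results>
</record>
</feedback>"""

def aligned(auth_domain, header_from):
    # Simplified relaxed alignment (assumption): exact match or subdomain either way.
    # A full implementation compares organizational domains via the public suffix list.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h or a.endswith("." + h) or h.endswith("." + a)

def triage(xml_text):
    out = []
    for rec in ET.fromstring(xml_text).iter("record"):
        hfrom = rec.findtext("identifiers/header_from")
        def ok(mech):  # mechanism passed AND its domain aligns with header_from
            return any(m.findtext("result") == "pass" and aligned(m.findtext("domain", ""), hfrom)
                       for m in rec.findall(f"auth_results/{mech}"))
        dkim, spf = ok("dkim"), ok("spf")
        if dkim or spf:
            verdict = "dmarc-pass"
            note = "consistent with forwarding" if dkim and not spf else ""
        else:
            verdict, note = "dmarc-fail", "investigate source"
        out.append((rec.findtext("row/source_ip"), rec.findtext("row/count"), verdict, note))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

The second record shows why the raw SPF result alone is not enough: SPF passes, but for a domain unrelated to header_from, so it does not count toward DMARC.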

Could be bounced messages in that case as there are a couple of domains that are sent DMARC reports that are using Google Mail but are over quota.

Just got my first forensic report for a failure and it failed DMARC as it was email sent through a Mailman mailing list. Makes setting a DMARC policy of reject seem like a very dangerous thing to do.

Yes, but what Mailman needs to do is implement something called ARC (Authenticated Received Chain). That will protect the authentication mechanisms on emails (SPF, DKIM and DMARC) and prevent such issues.

I have no idea if the new Mailman 3 will do that but even if it does it will take a long time to migrate sites from v2 to v3 (and it currently isn’t an easy process so I doubt anyone would be in any hurry to do it).

Sorry, forgot that Mailman is actually software and not a mailing list organization. So it’s the owner of the mailing list system that will need to implement ARC along with Mailman. OpenARC is a free tool that can be used to do this (GitHub - trusteddomainproject/OpenARC: Open source ARC implementation). There are other tools as well, listed at arc-spec.org.

All those mailing list managers are only going to do it if it’s easy. I’ve had enough issues just with a hard fail SPF policy.

This also looks like it could be a message that was forwarded from one address to another by an individual, ultimately ending up in their Gmail account. DKIM is designed to survive this provided the message isn’t altered, and SPF is expected to fail.

ARC is one option for fixing forwarded mail, but not everyone supports it yet (outside the big hosting providers). List managers (i.e. Mailman) should rewrite the headers to sign the mail as the list.

Normally Google Calendar email is fully DMARC compliant.
But if you update a meeting, the “update” emails are using a Google-owned domain in the Return-Path.
