SPF failure with server hostname rather than domain name for authentication

I’m getting DMARC reports back with a mixture of SPF passes and failures. The fails list auth_results…domain as the mail server hostname. The passes list auth_results…domain as my domain name. Do I need to add an “a” to my SPF or create a second SPF record for just the hostname of my mail server? They’re on the same domain as of now. Will later be migrating to a cloud-hosted spam filter.

Add DKIM signing to your mail - relying on just SPF will cause problems with mail that could be forwarded from one mailbox to another. In most cases DKIM will survive the forward, or ARC will be applied by the original network.

Understood, thanks! Hope to get DKIM rolling soon

Found what I was looking for in the reasoning behind the mail server hostname being present: During SPF check it may use the reply from the HELO/EHLO command…

SPF Alignment

The SPF (spfv1) mechanism authenticates domain identifiers delivered from:

  • MAIL FROM identity (MAIL FROM command)
  • HELO/EHLO identity (HELO/EHLO command)

The MAIL FROM domain identity tries to be authenticated by default. The HELO domain identity is authenticated by DMARC only for messages with an empty MAIL FROM identity, like bounce messages.

A common example of this would be where a message is sent with a different MAIL FROM address (noreply@blog.cisco.com) compared to what’s in the From header (noreply@cisco.com). The MAIL FROM domain identity part of noreply@blog.cisco.com will align with the From header domain of noreply@cisco.com in relaxed mode but not in strict mode.
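As an added example (not part of the thread or of the quoted Cisco text), this script reads the SPF entries of a DMARC aggregate report and shows, per row, which identity was checked (`mfrom` or `helo` scope) and how its domain aligns with the From header. The sample report, `example.com` and the IP address are constructed; the report is assumed to carry no XML namespace, and `org_domain` is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two records in the RFC 7489 aggregate-report layout.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><scope>mfrom</scope><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mail.example.com</domain><scope>helo</scope><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(spf_domain, header_from):
    # "strict" = exact match (also aligned in relaxed mode);
    # "relaxed" = same organizational domain only; "none" = not aligned.
    a, b = spf_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if a == b:
        return "strict"
    return "relaxed" if org_domain(a) == org_domain(b) else "none"

def summarize_spf(report_xml):
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from", "").strip()
        for spf in rec.iterfind("auth_results/spf"):
            domain = spf.findtext("domain", "").strip()
            rows.append({
                "ip": rec.findtext("row/source_ip", "").strip(),
                "spf_domain": domain,
                # Some reporters omit <scope>; flag those rows as unknown.
                "scope": spf.findtext("scope", "unknown").strip(),
                "result": spf.findtext("result", "").strip(),
                "alignment": alignment(domain, header_from),
            })
    return rows

if __name__ == "__main__":
    for row in summarize_spf(SAMPLE_REPORT):
        print(row)
```

Rows with `helo` scope are the ones where the report's SPF domain is the server hostname rather than the MAIL FROM domain.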