
I am learning how to improve email deliverability. Along the way, I'm learning about DMARC reports, SPF and DKIM. I have a friend with a small business who said I can practice with this email service which is hosted with Google Workspace. For now, let's say his domain is friendbusiness.com.

For friendbusiness.com, I believe I've set up DMARC, SPF and DKIM properly. This is my DMARC DNS record:

v=DMARC1;p=quarantine;sp=quarantine;pct=100;rua=mailto:[email protected];ruf=mailto:[email protected];ri=86400;aspf=r;adkim=r;fo=1

This is my SPF

v=spf1 include:_spf.google.com ~all

And I just followed the Google guide for DKIM.

My friend says he hasn't had any email issues yet. He sends about 20 to 30 emails each day to various customers.

However, I still get about 10 DMARC reports per day from various email servers each day. My guess is that because I set fo=1, then I am only getting reports on failed emails. Is that correct?

If so, I need help understanding why I got this dmarc document in my email:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>1186180657861218641</report_id>
    <date_range>
      <begin>1701648000</begin>
      <end>1701734399</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>friendbusiness.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
    <np>quarantine</np>
  </policy_published>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>182</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>friendbusiness.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>friendbusiness.com</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>friendbusiness.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.69</source_ip>
      <count>21</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>friendbusiness.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>friendbusiness.com</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>friendbusiness.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.69</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>friendbusiness.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>friendbusiness.com</domain>
        <result>pass</result>
        <selector>google</selector>
      </dkim>
      <spf>
        <domain>listserv.bounces.google.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

Specifically, these are my questions:

  • In the first <record>, I see the <source_ip> of 209.85.220.41. The 209.85.220.41 is the IP address of the Google server that I intend to send emails from. Anyone who has received emails from @friendbusiness.com properly shows this IP address in the SPF check and authorized sender details in the raw email message. So my question here is how do I begin investigating why 182 emails (as shown by the <count>) failed given that DMARC says everything passes?

  • In the second <record>, I see the <source_ip> of 209.85.220.69. I don't expect to send emails from this address and yet we have a pass on everything. I see that 209.85.220.69 belongs to Google. I've heard some people say sometimes you might see the IP address of the server doing email forwarding after SPF and DKIM have passed, and that this might not be a cause for concern. My question is, how do I begin my investigation to determine if 209.85.220.69 is a legitimate sender and determine why 21 messages failed?

  • In the third <record>, I see the <source_ip> of 209.85.220.69 again. Why does <policy_evaluated><spf> show fail despite the <auth_results><dkim> and <auth_results><spf> showing pass?

  • "My guess is that because I set fo=1, then I am only getting reports on failed emails. Is that correct?" - No. You don't only ask for failures (ruf) but ask for aggregate reports (rua). That's why you also get the reports where the DMARC policy showed no problem (disposition none). None of what you provide actually shows any delivery failure. Commented Dec 8, 2023 at 19:23
  • I’m voting to close this question because it is based on a wrong interpretation of the DMARC report. This results in asking about the reason for failed deliveries, even though there are no failed deliveries. Commented Dec 9, 2023 at 19:06
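
Added example (not part of the original question or its comments): a Python sketch that reads records like those in the report above and recomputes identifier alignment, showing why the third record carries a policy_evaluated SPF of fail although its raw SPF result is pass, and that every row still passes DMARC. The function names, the trimmed sample and the simplified relaxed-alignment check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: records 1 and 3 of the report above, trimmed to the
# fields used here. Reports arrive from third parties, so a production parser
# should be hardened against hostile XML (for example the defusedxml package).
REC = """<record><row><source_ip>{ip}</source_ip><count>{n}</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>{pe_spf}</spf>
</policy_evaluated></row>
<identifiers><header_from>friendbusiness.com</header_from></identifiers>
<auth_results><dkim><domain>friendbusiness.com</domain><result>pass</result></dkim>
<spf><domain>{spf_dom}</domain><result>pass</result></spf></auth_results></record>"""
SAMPLE = (
    "<feedback><policy_published><domain>friendbusiness.com</domain>"
    "<adkim>r</adkim><aspf>r</aspf></policy_published>"
    + REC.format(ip="209.85.220.41", n=182, pe_spf="pass", spf_dom="friendbusiness.com")
    + REC.format(ip="209.85.220.69", n=1, pe_spf="fail", spf_dom="listserv.bounces.google.com")
    + "</feedback>")

def aligned(auth_domain, header_from, mode):
    # Strict ("s") needs an exact match. Relaxed ("r") is simplified here to
    # "same domain or parent/child"; real DMARC compares organizational domains.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h or (mode != "s" and (a.endswith("." + h) or h.endswith("." + a)))

def summarize(xml_text):
    root = ET.fromstring(xml_text)
    aspf = root.findtext("policy_published/aspf", "r")
    adkim = root.findtext("policy_published/adkim", "r")
    rows = []
    for rec in root.iter("record"):
        hf = rec.findtext("identifiers/header_from")
        def ok(kind, mode):  # a passing result whose domain aligns with From:
            return any(e.findtext("result") == "pass"
                       and aligned(e.findtext("domain"), hf, mode)
                       for e in rec.findall("auth_results/" + kind))
        spf_ok, dkim_ok = ok("spf", aspf), ok("dkim", adkim)
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok,  # one aligned pass is enough
            # True when the recomputation matches the receiver's policy_evaluated
            "agrees_with_report": (pe.findtext("spf") == "pass") == spf_ok
                                  and (pe.findtext("dkim") == "pass") == dkim_ok,
        })
    return rows
```

In the second sample row the SPF check passed for listserv.bounces.google.com, which does not align with the friendbusiness.com header_from, so aligned SPF is reported as fail while the aligned DKIM pass still carries DMARC.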
