DMARC says SPF fail even with SPF record

SpecialK · Jun 1, 2014 · Viewed 7.7k times

I have the following SPF record under the pixelark.com domain:

v=spf1 ip4:70.164.0.71  include:amazonses.com include:_spf.google.com ~all

The ip4 address is the webserver; amazonses.com is used for Amazon SES. It is Amazon SES that is giving me the issue.

This is one of many example DMARC results I get when sending email through Amazon SES.

<record>
 <row>
  <source_ip>204.197.248.33</source_ip>
  <count>1</count>
  <policy_evaluated>
    <disposition>none</disposition>
    <dkim>pass</dkim>
    <spf>fail</spf>
  </policy_evaluated>
 </row>
 <identifiers>
  <header_from>pixelark.com</header_from>
 </identifiers>
 <auth_results>
  <dkim>
    <domain>pixelark.com</domain>
    <result>pass</result>
  </dkim>
  <spf>
    <domain>amazonses.com</domain>
    <result>fail</result>
  </spf>
 </auth_results>
</record>

I am sending an email from [email protected] through Amazon SES. I have amazonses.com as a valid sender in the SPF record but the DMARC is showing an SPF fail.

I cannot figure out why this is happening. I have not been able to figure this one out. Any help would be greatly appreciated.

Answer

user1214220 · Jul 24, 2014

At first glance this could be related to DMARC requiring your Mail From (return-path) and From address domains to match. When you use an Email Service Provider they will usually have their own email address to capture bounces, which causes DMARC to fail with SPF.

We built a free labs project to track DMARC results. It might help you discover more sources. You can see it at http://dmarc.postmarkapp.com.
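
The alignment rule the answer describes, applied to the aggregate record from the question (an added example, not part of the original question or answer). It shows that SPF is evaluated against the Mail From domain (amazonses.com), so the pixelark.com SPF record is never the one being checked for DMARC purposes. The `org_domain` helper is a simplification assumed here: it takes the last two labels instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the record from the question, trimmed to the fields used.
SAMPLE = """<record>
 <row><source_ip>204.197.248.33</source_ip>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>pixelark.com</header_from></identifiers>
 <auth_results>
  <dkim><domain>pixelark.com</domain><result>pass</result></dkim>
  <spf><domain>amazonses.com</domain><result>fail</result></spf>
 </auth_results>
</record>"""

def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # A real implementation uses the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(record_xml, strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    out = {"header_from": header_from}
    for mech in ("spf", "dkim"):
        checks = []
        for node in rec.findall(f"auth_results/{mech}"):
            dom, res = node.findtext("domain"), node.findtext("result")
            checks.append({"domain": dom, "result": res,
                           "aligned": aligned(dom, header_from, strict)})
        # DMARC counts a mechanism only if it passed AND its domain aligns.
        ok = any(c["result"] == "pass" and c["aligned"] for c in checks)
        out[mech] = {"checks": checks, "dmarc": "pass" if ok else "fail"}
    either = "pass" in (out["spf"]["dmarc"], out["dkim"]["dmarc"])
    out["dmarc"] = "pass" if either else "fail"
    return out

if __name__ == "__main__":
    r = evaluate(SAMPLE)
    for mech in ("spf", "dkim"):
        for c in r[mech]["checks"]:
            state = "aligned" if c["aligned"] else "NOT aligned"
            print(mech, c["domain"], c["result"], state)
        print(f"  DMARC {mech}: {r[mech]['dmarc']}")
    print("overall:", r["dmarc"])
```

Because the SPF domain in the record is amazonses.com, the DMARC SPF result stays fail even if the raw SPF check passes; the message still passes DMARC overall through the aligned DKIM signature for pixelark.com.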