Is my DMARC report saying legitmate emails are failing or illegitimate emails are passing?
I am learning how to improve email deliverability. Along the way, I'm learning about DMARC reports, SPF and DKIM. I have a friend with a small business who said I can practice with this email service which is hosted with Google Workspace. For now, let's say his domain is friendbusiness.com
.
For friendbusiness.com
, I believe I've set up DMARC, SPF and DKIM properly. This is my dmarc dns record:
v=DMARC1;p=quarantine;sp=quarantine;pct=100;rua=mailto:support@friendbusiness.com;ruf=mailto:support@friendbusiness.com;ri=86400;aspf=r;adkim=r;fo=1
This is my SPF
v=spf1 include:_spf.google.com ~all
And I just followed the Google guide for DKIM.
My friend says he hasn't had any email issues yet. He sends about 20 to 30 emails each day to various customers.
However, I still get about 10 DMARC reports per day from various email servers each day. My guess is that because I set fo=1
, then I am only getting reports on failed emails. Is that correct?
If so, I need help understanding why I got this dmarc document in my email:
<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>1186180657861218641</report_id>
<date_range>
<begin>1701648000</begin>
<end>1701734399</end>
</date_range>
</report_metadata>
<policy_published>
<domain>friendbusiness.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>quarantine</p>
<sp>quarantine</sp>
<pct>100</pct>
<np>quarantine</np>
</policy_published>
<record>
<row>
<source_ip>209.85.220.41</source_ip>
<count>182</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>friendbusiness.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>friendbusiness.com</domain>
<result>pass</result>
<selector>google</selector>
</dkim>
<spf>
<domain>friendbusiness.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>209.85.220.69</source_ip>
<count>21</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>friendbusiness.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>friendbusiness.com</domain>
<result>pass</result>
<selector>google</selector>
</dkim>
<spf>
<domain>friendbusiness.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>209.85.220.69</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>friendbusiness.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>friendbusiness.com</domain>
<result>pass</result>
<selector>google</selector>
</dkim>
<spf>
<domain>listserv.bounces.google.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
Specifically, these are my questions:
In the first
<record>
, I see the<source_ip>
of209.85.220.41
. The209.85.220.41
is the IP address of the Google server that I intend to send emails from. Anyone who has recieved emails from@friendbusiness.com
properly shows this IP address in the SPF check and authorized sender details in the raw email message. So my question here is how do I begin investigating why 182 emails (as shown by the<count>
failed given that DMARC says everythingpass
?In the second
<record>
, I see the<source_ip>
of209.85.220.69
. I don't expect to send emails from this address and yet we have apass
on everything. I see that209.85.220.69
belongs to google. I've heard some people say sometimes you might see the ip address of the server doing email forwarding after SPF and DKIM have passed, and that this might not be a cause for concern. My question is, how do I begin my investigation to determine if209.85.220.69
is a legitimate sender and determine why 21 messages failed?In the third
<record>
, I see the<source_ip>
of209.85.220.69
again. Why does<policy_evaluated><spf>
showfail
despite the<auth_results><dkim>
and<auth_results><spf>
showingpass
?