Google DMARC Support, DKIM and SPF fail

Celeste Gonzalez asked:

This morning I received my second email from noreply-dmarc-support and I really don’t understand why. I have tried looking it up and I have seen through forums here that it has to do with emails, but I haven’t sent anything. Would this mean someone tried filling out my form on my website and it didn’t go through? I am new to all of this and don’t know coding so when I was sent the code it meant a whole lot of nothing to me. It said

<dkim>fail</dkim>
<spf>fail</spf>

which I’m assuming is bad because it says fail. Can anyone tell me why I’m receiving this and how to fix this if it’s a problem please? This is the full email it sent:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>[email protected]</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>9553516014094530914</report_id>
    <date_range>
      <begin>1603756800</begin>
      <end>1603843199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>celestelili.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>quarantine</p>
    <sp>quarantine</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>72.167.234.241</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>celestelili.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>p3nlwpweb453.prod.phx3.secureserver.net</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>
</feedback>

My answer:


Yes, this is a problem. It shows that some of your legitimate email is being rejected as spam.

Let us take a quick look at how your domain’s mail is configured in the DNS.

$ host celestelili.com
celestelili.com has address 72.167.241.46
celestelili.com mail is handled by 0 celestelili-com.mail.protection.outlook.com.

We see here that you have a server (presumably a web server) at 72.167.241.46, and that your domain’s mail is handled by Office 365.

But now let us look at your SPF record.

$ host -t txt celestelili.com
celestelili.com descriptive text "v=spf1 include:spf.protection.outlook.com -all"
# (other TXT records omitted)

Your SPF record says that the only legitimate mail from your domain will be sent by Office 365.

Now let’s look at the DMARC report you got. The interesting bit is the single record:

  <record>
    <row>
      <source_ip>72.167.234.241</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>quarantine</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>celestelili.com</header_from>
    </identifiers>
    <auth_results>
      <spf>
        <domain>p3nlwpweb453.prod.phx3.secureserver.net</domain>
        <result>none</result>
      </spf>
    </auth_results>
  </record>

This record shows that Google received some email that was from GoDaddy’s SMTP servers, presumably sent from your web site, but it was sent directly from GoDaddy’s server, not from Office 365.

As you recall, the SPF record says that only Office 365 can send mail for your domain. Not your web server or any other server. This is why it gets marked as spam, and why you received this DMARC report.


Presumably your own web site should be allowed to send email for your domain. So you can fix the problem by adding GoDaddy’s SPF record include to your SPF record.

So, your old SPF record is:

v=spf1 include:spf.protection.outlook.com -all

And it should change to:

v=spf1 include:secureserver.net include:spf.protection.outlook.com -all

View the full question and any other answers on Server Fault.
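
An added example (not part of the original question or answer): a small Python parser for aggregate reports like the one quoted above. It lists each source that failed both DKIM and SPF, together with the domain SPF was actually evaluated against and whether that domain aligns with header_from. It assumes an un-namespaced report passed as a string; the function names are illustrative, and relaxed alignment is approximated with a suffix check rather than a Public Suffix List lookup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the aggregate report quoted in the question.
REPORT = """<feedback>
<policy_published><domain>celestelili.com</domain><aspf>r</aspf></policy_published>
<record>
<row><source_ip>72.167.234.241</source_ip><count>1</count>
<policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>celestelili.com</header_from></identifiers>
<auth_results><spf><domain>p3nlwpweb453.prod.phx3.secureserver.net</domain><result>none</result></spf></auth_results>
</record></feedback>"""


def aligned(auth_domain, from_domain, mode="r"):
    # Strict ("s") needs an exact match. Relaxed ("r") is approximated with a
    # parent/child suffix check; real DMARC compares organizational domains (PSL).
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (mode == "r" and (a.endswith("." + f) or f.endswith("." + a)))


def failing_sources(report_xml):
    """Return one dict per record that failed both DKIM and SPF under DMARC."""
    # Reports arrive from outside parties: refuse DTDs/entities before parsing.
    if "<!DOCTYPE" in report_xml or "<!ENTITY" in report_xml:
        raise ValueError("DTD or entity declaration in report")
    root = ET.fromstring(report_xml)
    mode = root.findtext("policy_published/aspf", default="r")
    out = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if ev is None or ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass":
            continue
        from_dom = rec.findtext("identifiers/header_from", default="")
        out.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", default="0")),
            "disposition": ev.findtext("disposition"),
            "header_from": from_dom,
            # (domain SPF was checked against, raw result, aligned with header_from?)
            "spf_checked": [(s.findtext("domain"), s.findtext("result"),
                             aligned(s.findtext("domain", default=""), from_dom, mode))
                            for s in rec.iterfind("auth_results/spf")],
        })
    return out


if __name__ == "__main__":
    print(failing_sources(REPORT))
```

For the report in the question this returns one entry: source 72.167.234.241, with SPF checked against p3nlwpweb453.prod.phx3.secureserver.net, result none, and not aligned with celestelili.com.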

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.