
I have attached a DMARC report for my domain (this one sent from Google). It correctly shows only mail sent from my MTA (Amazon SES) as passing the DMARC compliance. And the DKIM portion also shows only mail from my MTA as passing. Great.

However, this report shows a few hosts passing SPF authentication, and most failing SPF authentication. Why/how is this possible? I don't even have SPF records set in my DNS? Am I misinterpreting what this report means? Can someone explain what is happening?


TSG

2 Answers

3

It's important to understand which addresses the various authentication mechanisms are checked against. An email message has at minimum two from addresses--the envelope from (RFC 5321) and the header from (RFC 5322). SPF is checked against the envelope from address while DMARC is checked against the header from. If we use some examples:

ENV From: whatever@yourdomain.com
HEADER From: whatever@yourdomain.com

Your lack of an SPF record is an automatic pass, and the domains are the same so DMARC SPF alignment will pass.

ENV From: whatever@differentdomain.com
HEADER From: whatever@yourdomain.com

SPF is checked against differentdomain.com and may or may not pass depending on their rules, and DMARC is checked against your domain but SPF alignment will fail because the domains are different.

DMARC requires that SPF alignment OR DKIM alignment passes. For SPF alignment to pass, the ENV From domain must be the same as the header from domain and SPF must pass. For DKIM alignment to pass, the domain specified in DKIM's d= attribute must match the domain in the header from and the DKIM signature must be valid.

If your address is in the header you get the DMARC reports but if it wasn't your domain in the envelope you may see SPF results for whatever domain was. In either case if it was correctly DKIM signed it will still pass DMARC because remember, only one or the other alignment check needs to pass.

omniomi
2

An example from your DMARC report:

Host 216.207.245.17 (reverse lookup tells us lists.digium.com) sends 147 emails on behalf of your email domain. These emails PASS an SPF check, but, since the domain used for the SPF check does not align with your email domain, it fails with regard to DMARC.

Email forwarders and mailing lists in particular behave this way. Before distributing the email to the members of the list, the bounce address (aka smtp.mailfrom / return-path / envelope from address) is re-written, so that Non-Delivery Reports (NDRs) are sent back to the mailing list provider and not to the original sender.

While the FROM address is shown to the recipient in the email client, the envelope from address is hidden, but IS used to check the SPF on. This is why DMARC is so important to protect against phishing, because SPF (or DKIM) alone does not authenticate the FROM address the recipient sees.

The way mailing lists typically behave will fail DMARC authentication on SPF check, because the alignment between envelope from domain and FROM domain is removed. Also, sometimes DKIM signed fields such as subject are edited, which breaks the original DKIM signature. This is exactly why ARC (Authenticated Received Chain) is being created, as an extension to DMARC. Unfortunately, ARC is still in Draft stage.

So if we look back at our example, the mailing list provider re-writes the envelope from address to something@lists.digium.com and the receiving mail server checks the domain lists.digium.com for an SPF record, which it finds: "v=spf1 a mx ip4:216.207.245.0/26 ~all". SPF passes (216.207.245.17 is part of range 216.207.245.0/26), DMARC fails. Depending on your DMARC policy action and receiving server configuration, the email may be marked as SPAM, quarantined, rejected or delivered to the Inbox.

Reinto
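As an added example (not code from either answer), the alignment rule from the first answer and the lists.digium.com case from the second, worked in Python: a simplified SPF check that only understands ip4/ip6 mechanisms and all (a, mx and include are treated as non-matching because they need DNS), plus a DMARC relaxed-alignment verdict following RFC 7489, where only an SPF "pass" counts and either aligned SPF or aligned DKIM is enough. The amazonses.com bounce domain, its SPF record and the sender IPs in the SES case are constructed assumptions, and the organizational-domain helper just takes the last two labels instead of consulting the public suffix list.

```python
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, spf_record):
    """Simplified SPF: ip4:/ip6: mechanisms and 'all' only; a/mx/include need DNS and never match here."""
    if spf_record is None:
        return "none"  # no SPF record published for the envelope-from domain
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass" on match
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return RESULT_BY_QUALIFIER[qualifier]
        elif term.lower() == "all":
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no 'all' term present


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no public suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_evaluate(header_from_domain, envelope_from_domain, spf_result, dkim_d=None, dkim_valid=False):
    """DMARC verdict with relaxed alignment: SPF must be 'pass' AND aligned, or DKIM valid AND aligned."""
    def aligned(domain):
        return domain is not None and org_domain(domain) == org_domain(header_from_domain)
    spf_aligned = spf_result == "pass" and aligned(envelope_from_domain)
    dkim_aligned = dkim_valid and aligned(dkim_d)
    return {"spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}


# Constructed cases. The mailing-list case uses the SPF record quoted in the answer; the list
# edited the subject, so the original DKIM signature no longer verifies (dkim_valid=False).
LIST_SPF = "v=spf1 a mx ip4:216.207.245.0/26 ~all"
mailing_list = dmarc_evaluate("yourdomain.com", "lists.digium.com",
                              spf_check("216.207.245.17", LIST_SPF), dkim_d="yourdomain.com")
# SES case (assumed): default amazonses.com bounce domain, constructed SPF record and IP,
# valid DKIM signature with d=yourdomain.com -> SPF is unaligned, DKIM alignment carries DMARC.
ses_direct = dmarc_evaluate("yourdomain.com", "amazonses.com",
                            spf_check("203.0.113.10", "v=spf1 ip4:203.0.113.0/24 -all"),
                            dkim_d="yourdomain.com", dkim_valid=True)
```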