Hi Thomas, It's not immediately clear from your edits whether the results that you are showing are from the same <row> of the DMARC report; my guess is that they're not. Assuming that my guess is correct: it's worth bearing in mind that a DMARC aggregate report is just that: a report aggregating information about all of the email messages that the Receiver has seen purporting to be from your organisation during the report period (almost always 24 hours). To keep things at a reasonable size, the report groups message reports that have identical dispositions etc. into a single <row> with a <count>, instead of providing a row per message. When interpreting the report, it is important to view each <row> as though it were a completely separate report from the same Receiver.
The other thing that occasionally creates confusion is the difference between: - the authentication results (whether a particular authentication evaluation returned true or false at the SPF/DKIM level), and - the effective authentication result when evaluating policy (a pass for an unrelated domain will be treated as a fail for DMARC evaluation purposes; similarly parent vs. child domains if you're using different policies for sub-domains). - Roland ---------- From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Thomas Krichel via dmarc-discuss <dmarc-discuss@dmarc.org> Sent: Tuesday, 5 July 2016 15:41 To: DMARC-discuss Subject: [dmarc-discuss] exegesis: pass and fail together Hi gang, I am new to DMARC. Google have sent me a report that I attach. I am puzzled by what I am reading. About DKIM <dkim> <domain>openlib.org</domain> <result>pass</result> </dkim> <dkim> <domain>openlib.org</domain> <result>fail</result> </dkim> How can it fail and pass at the same time? Then about SPF <record> <row> <source_ip>2a01:4f8:190:62e8::68</source_ip> <count>7</count> <policy_evaluated> <disposition>none</disposition> <dkim>pass</dkim> <spf>fail</spf> </policy_evaluated> </row> <identifiers> <header_from>openlib.org</header_from> </identifiers> <auth_results> ... <spf> <domain>lists.openlib.org</domain> <result>pass</result> </spf> </auth_results> </record> How can it say that the SPF fails in the policy evaluated, but later say it passes. Could this be me posting to a mailing list, with the from: saying kric...@openlib.org, but forwarded by lists.openlib.org? 2a01:4f8:190:62e8::68 is SPF authorized to send mail for both lists.openlib.org and openlib.org, so this would still be puzzling. -- Cheers, Thomas Krichel http://openlib.org/home/krichel skype:thomaskrichel _______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)