Some ( but not all ) of the emails from our service are flagged as phishing by gmail and spam by hotmail.
The emails being marked as phishing are sent from an application deployed on EC2 VMs which use amazon SES to do the actual sending. The application sends other emails which do not get flagged (we have 4 kind of emails sent by the app at the moment ).
We also have a user using an MS exchange account hosted on OVH sending emails from this domain which is why the spf records include an ovh entry.
We have configured the following records on the domain :
_amazonses.mydomain.com. 1799 IN TXT "JiAZ9E5gIc7VbPfMI4rYSBGZJeTe3lTF+eigtVUF1fg="
_amazonses.mydomain.com. 1799 IN TXT "vkSOtQqrtz2frIPg+6SeU7CmCenkTPjjvZdCQe/u0Qk="
_dmarc.mydomain.com. 299 IN TXT "v=DMARC1\;p=none\;rua=mailto:postmaster@mydomain.com"
2anucjune6cx5dfjwtpg5w7xi5bivkdi._domainkey.mydomain.com. 1799 IN CNAME 2anucjune6cx5dfjwtpg5w7xi5bivkdi.dkim.amazonses.com.
5m7pppm63mxlxz3w3al3juxlgwb4j67m._domainkey.mydomain.com. 1799 IN CNAME 5m7pppm63mxlxz3w3al3juxlgwb4j67m.dkim.amazonses.com.
7tpgaubzvve5ekkq3pyu7rhmrxhgif5f._domainkey.mydomain.com. 1799 IN CNAME 7tpgaubzvve5ekkq3pyu7rhmrxhgif5f.dkim.amazonses.com.
mydomain.com. 299 IN TXT "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
mydomain.com. 299 IN SPF "v=spf1 a mx include:amazonses.com include:mx.ovh.com ~all"
Here are the DMARC reports we get from google :
<record>
<row>
<source_ip>54.240.6.219</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>eu-west-1.amazonses.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
and here is one from hotmail.com
<record>
<row>
<source_ip>54.240.6.212</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>eu-west-1.amazonses.com</domain>
<result>pass</result>
</spf>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
</dkim>
</auth_results>
As you can see the SPF entry for policy_evaluated has a fail status, however the auth_results list spf as being pass.
What can explain the incoherent statuses ?
Can this incoherence be the source of our mails being flagged as phishing/spam ?
Best Answer
This appears to be due to DMARC domain alignment issues. As indicated by the report, the domain for the SPF authentication result was "eu-west-1.amazonses.com", which is non-aligned with the header_from of "mydomain.com". Why DMARC is SPF evaluating with the amazonses.com domain, I don't know. I have the same issue and have not figure out how to resolve it. From the DMARC draft: