I have a DMARC policy set for a domain like so, to combat email spoofing:
v=DMARC1;p=quarantine;rua=mailto:[email protected];pct=100;ruf=mailto:[email protected];fo=0:d:s;aspf=r;adkim=r;
Today I received a report that an email was rejected with the following message:
This is an email abuse report for an email message received from IP 209.85.128.47 on Wed, 13 May 2020 11:49:50 +0200.
The message below did not meet the sending domain's DMARC policy.
From what I understand, an email should only be rejected if it does not meet both the SPF-policy and the DKIM-policy. In fact, I should only receive failure reports if both policies do not match via fo=0:d:s. The SPF-policy of this domain is:
v=spf1 a mx include:_spf.google.com include:amazonses.com ip4:12.34.56.78 include:servers.mcsv.net -all
When I lookup the SPF-record of _spf.google.com, it shows me:
v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all
When I then lookup _netblocks.google.com, it shows me:
v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all
The ip that was rejected was 209.85.128.47, but it seems to be included in 209.85.128.0/17. Do I incorrectly understand DMARC policies, am I overlooking something, or did the receiving host do something odd?
