Understanding DMARC reports

[jeanas]

This question is probably silly, sorry for that. Obviously, I'm not familiar with the inner workings of email.

I have set up a Stalwart mail server (on the domain mx.lilypond.community). Every day, an email from noreply-dmarc-support@google.com is received by dmarc-reports@lilypond.community, the address configured for DMARC reports in the domain's DNS records. So far, so good.

But here is today's report. Others are similar.

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>14074417155532221430</report_id>
    <date_range>
      <begin>1693958400</begin>
      <end>1694044799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>lilypond.community</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
    <np>none</np>
  </policy_published>
  <record>
    <row>
      <source_ip>212.227.166.168</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>lilypond.community</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>lilypond.community</domain>
        <result>pass</result>
        <selector>stalwart</selector>
      </dkim>
      <spf>
        <domain>lilypond.community</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2a00:1450:4864:20::348</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>lilypond.community</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>lilypond.community</domain>
        <result>pass</result>
        <selector>stalwart</selector>
      </dkim>
      <spf>
        <domain>lilypond.community</domain>
        <result>fail</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>2a00:1450:4864:20::347</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>lilypond.community</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>lilypond.community</domain>
        <result>pass</result>
        <selector>stalwart</selector>
      </dkim>
      <spf>
        <domain>lilypond.community</domain>
        <result>fail</result>
      </spf>
    </auth_results>
  </record>
</feedback>

There are three <record> containers. The first one has <source_ip>212.227.166.168</source_ip>, which is the IP address of mx.lilypond.community, and passes DKIM and SPF, for a total of 2 emails. Looks fine... except that no emails at all have been sent from mx.lilypond.community during that period. WTF?

The two other records are for 2a00:1450:4864:20::348 and 2a00:1450:4864:20::347, which https://dnschecker.org/reverse-dns.php identifies as mail-wm1-x348.google.com and 2a00:1450:4864:20::347, respectively. What's this? SPF fails, but DKIM succeeds... why?

[mdecimus]

This question is probably silly, sorry for that. Obviously, I'm not familiar with the inner workings of email.

Your question isn't silly at all, DMARC reports can be quite detailed and sometimes a bit challenging to understand if you're not deeply involved in email infrastructure and security.

The first one has <source_ip>212.227.166.168</source_ip>, which is the IP address of mx.lilypond.community, and passes DKIM and SPF, for a total of 2 emails. Looks fine... except that no emails at all have been sent from mx.lilypond.community during that period. WTF?

Those messages are probably the automated DMARC, SPF or DKIM reports that Stalwart sends daily to other domains, but please check the server logs to make sure. You can disable sending reports to other domains if you like, but you won't be allowing other sysadmins to troubleshoot email delivery problems to your domain.

The two other records are for 2a00:1450:4864:20::348 and 2a00:1450:4864:20::347, which https://dnschecker.org/reverse-dns.php identifies as mail-wm1-x348.google.com and 2a00:1450:4864:20::347, respectively. What's this? SPF fails, but DKIM succeeds... why?

SPF validates whether a given IP address is authorized to send messages on behalf of your domain. DKIM uses a cryptographic signature to validate the sender email address as well as the integrity of the message.
We can't be certain why a google IP address is sending emails on your behalf, but since DKIM is passing this could mean that those addresses are relay hosts that forwarded your message (without altering its contents) to its final destination within Google.

A common example of relay hosts are mailing lists servers that forward incoming messages to all the recipients of the list. In this case, on DMARC reports you will see an SPF fail and, if the message wasn't altered by the mailing list, a DKIM pass from each server that received your message from the mailing list. Modern mailing list software that need to modify the contents of your message (for instance to add new headers) will use ARC to validate your original DKIM signature and seal the message using the server signature.

[tobsowo]

Can you check out this project https://github.com/antedebaas/DMARC-SMTPTLS-Reports I have used it with WildDuck but unfortunately, it has not worked for me using Stalwart.

Maybe it might work for you to have a GUI that interprets the data.

[mdecimus]

The web admin will include a tool to visualize DMARC and TLS reports.

[tobsowo]

This is lovely.