4

I use Amazon SES for transactional emails and use the WP SES Plugin to integrate with my WordPress.

SPF fails for some of my emails, which have an IP starting with 54.240.27. This seems to be an Amazon SES IP.

I have the following SPF TXT record added to my DNS: `v=spf1 include:_spf.google.com include:ofpad.com include:amazonses.com ~all`

Any help is greatly appreciated.

Update: I added the MAIL FROM Domain in AWS as instructed by architjn, but the issue persists.

[Screenshot: MAIL FROM Domain settings in AWS]

Below is the DMARC sent by Gmail after the implementation of Mail From Domain in AWS. Here is a human-readable version of the report: https://us.dmarcian.com/dmarc-xml/details/VANOJ4S6b8QGCinq/

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>4375352491574064416</report_id>
    <date_range>
      <begin>1601078400</begin>
      <end>1601164799</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>ofpad.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>54.240.27.115</source_ip>
      <count>9</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.27.35</source_ip>
      <count>8</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>39</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>ofpad.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.27.34</source_ip>
      <count>10</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>87</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>gmail.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.27.38</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.27.116</source_ip>
      <count>11</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>54.240.27.123</source_ip>
      <count>6</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>ofpad.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>ofpad.com</domain>
        <result>pass</result>
        <selector>ukez6fkocbm5wtdd7aqfx754ngfzaqs3</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>hsbnp7p3ensaochzwyq5wwmceodymuwv</selector>
      </dkim>
      <spf>
        <domain>us-west-2.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
Abhishek R

2 Answers

7

SPF is always evaluated for the From Domain. Header From and From Domain are two different things. Header From is the part after the @ in the email address; in your case it's ofpad.com. But SPF is checked against the From Domain, which in this case is us-west-2.amazonses.com. DMARC also checks that the mail being sent has the same domain in Header From and From Domain, and they are different in this case. That is the main reason it is failing. This is known as SPF alignment in DMARC.

To solve this issue, head over to your SES Console; after selecting your domain, you will see a section named From Domain at the bottom. You should configure it on a subdomain of ofpad.com, and it will start passing SPF afterwards. This will make your SPF relaxed-aligned.

architjn
  • Can I use the main domain instead of a subdomain? I already have Google Apps MX Records. Will that cause a conflict? – Abhishek R Sep 26 '20 at 09:51
  • You can use any other subdomain; it doesn't matter for `From Domain`, and you can still use your root domain for `Header From`. They can be different. Choose any subdomain and it will work. – architjn Sep 26 '20 at 13:04
  • I implemented the `MAIL FROM Domain` in AWS and my SPF still seems to fail for AWS. I have updated the original question with the screenshot of AWS settings and the fresh XML sent to me by Google. Any help is appreciated. – Abhishek R Sep 27 '20 at 17:36
  • I think you have shared the reports from the day you implemented `MAIL FROM DOMAIN` or the day after. Wait 1-2 more days to verify in the reports. There is usually 1 day of delay in reports. That's why you see one record with passing SPF and others without. The report is mixed for now. – architjn Sep 28 '20 at 03:01
  • Sharing the report I received today: https://us.dmarcian.com/dmarc-xml/details/USm64TQ5lItP9duy/ Still getting the same error. – Abhishek R Sep 30 '20 at 11:34
  • Apparently, if you verify both an email address and the domain that email address belongs to, the settings for the email address override those of the domain. My mail from address was configured only for the domain and not the email address. I removed the email and now everything works. – Abhishek R Oct 10 '20 at 11:25
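
The mismatch visible in the report in the question (raw SPF `pass` under `auth_results`, DMARC SPF `fail` under `policy_evaluated`) can be reproduced with a short alignment check. This is an added example, not code from the original posts; the sample XML is constructed, `mail.ofpad.com` and `192.0.2.10` are hypothetical, and the two-label organizational-domain rule is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report in the question; the
# mail.ofpad.com record is a hypothetical custom MAIL FROM subdomain.
SAMPLE = """<feedback>
  <policy_published><domain>ofpad.com</domain><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>54.240.27.115</source_ip></row>
    <identifiers><header_from>ofpad.com</header_from></identifiers>
    <auth_results><spf><domain>us-west-2.amazonses.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip></row>
    <identifiers><header_from>ofpad.com</header_from></identifiers>
    <auth_results><spf><domain>mail.ofpad.com</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def org_domain(name):
    # Assumption: last two labels approximate the organizational domain.
    # Real evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def spf_aligned(header_from, spf_domain, mode="r"):
    """DMARC identifier alignment: strict needs an exact match,
    relaxed only needs the same organizational domain."""
    h, s = header_from.lower().rstrip("."), spf_domain.lower().rstrip(".")
    return h == s if mode == "s" else org_domain(h) == org_domain(s)

def evaluate(report_xml):
    root = ET.fromstring(report_xml)
    mode = root.findtext("policy_published/aspf", default="r")
    rows = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        spf_domain = rec.findtext("auth_results/spf/domain")
        raw = rec.findtext("auth_results/spf/result")
        aligned = spf_aligned(header_from, spf_domain, mode)
        # DMARC's SPF verdict passes only when raw SPF passes AND aligns.
        verdict = "pass" if raw == "pass" and aligned else "fail"
        rows.append((rec.findtext("row/source_ip"), spf_domain, raw, aligned, verdict))
    return rows

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

Each tuple is (source IP, SPF-checked domain, raw SPF result, aligned, DMARC SPF verdict); running it over a full aggregate report lists which sending paths still use an unaligned MAIL FROM domain.
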
3

architjn pointed me in the right direction and I added the Mail From Domain in the AWS settings but the issue persisted because I had also verified my sender email which was not using my Domain's mail from domain. Apparently if you verify both an email address and the domain that email address belongs to, the settings for the email address override those of the domain.

So my Mail From Domain which I configured for the domain was not working for the email address.

Amazon SES requires that you verify your email address or domain. When you verify an entire domain, you are verifying all email addresses from that domain, so you don't need to verify email addresses from that domain individually.

I removed the email address that belonged to the domain from AWS's Verified Emails and now the Mail From Domain configured in the domain is being used.

Here is the MAIL FROM Domain in AWS as instructed by architjn.

[Screenshot: MAIL FROM Domain settings in AWS]

Abhishek R