
Amazon SES SPF Record Fails


We have set up SPF with Amazon SES.

When we run a test with https://www.dmarcanalyzer.com/

We get the following:

[screenshot: dmarcanalyzer.com SPF test result for the domain, all checks shown as passing]

So everything appears to be correct.

However, in our DMARC aggregate report we get a fail:

<record>
  <row>
    <source_ip>209.85.220.69</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>flowcx.com.au</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>flowcx.com.au</domain>
      <result>pass</result>
      <selector>6jm2ei7phvrqgxrufpn4j6rbk757tr6a</selector>
    </dkim>
    <dkim>
      <domain>amazonses.com</domain>
      <result>pass</result>
      <selector>6gbrjpgwjskckoa6a5zn6fwqkn67xbtw</selector>
    </dkim>
    <spf>
      <domain>mail.flowcx.com.au</domain>
      <result>softfail</result>
    </spf>
  </auth_results>
</record>

From what I can see this is due to the IP address being 209.85.220.69.

This is not in the SES range? I know we can add this to our SPF record, but why is Amazon SES sending from this address?


Solution

  • The short answer: Amazon is not sending from 209.85.220.69. Google is.

    Background: If you look up the PTR record in DNS for 209.85.220.69 you'll find that it is actually a Google server forwarding an email previously sent from AmazonSES.

    In this case the AmazonSES DKIM signature survives (no signed header fields were changed), while, on forwarding, SPF breaks because Google's server is not in the SPF record.
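To see why the report above still counts as a DMARC pass, here is an added example (not code from the question, the answer, or Amazon) that evaluates the posted aggregate-report record the way a receiver does: each DKIM and SPF result only counts if it passes and its domain aligns with the header From domain. The record is copied from the question; the public-suffix table is a small constructed stand-in for the real Public Suffix List, and the "likely forwarded" flag is a heuristic for exactly the pattern the answer describes (aligned DKIM pass, SPF fail).

```python
import xml.etree.ElementTree as ET

# Aggregate-report record as posted in the question above.
RECORD_XML = """<record>
  <row>
    <source_ip>209.85.220.69</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>flowcx.com.au</header_from>
  </identifiers>
  <auth_results>
    <dkim><domain>flowcx.com.au</domain><result>pass</result></dkim>
    <dkim><domain>amazonses.com</domain><result>pass</result></dkim>
    <spf><domain>mail.flowcx.com.au</domain><result>softfail</result></spf>
  </auth_results>
</record>"""

# Constructed subset of the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au", "uk", "co.uk"}


def organizational_domain(domain):
    """Return the organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            # i == 0 means the whole name is a public suffix; nothing to add.
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return domain.lower()  # unknown TLD: treat the name itself as organizational


def evaluate_record(record_xml, alignment="relaxed"):
    """Evaluate one DMARC aggregate <record> with relaxed or strict alignment."""
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from").strip().lower()
    source_ip = rec.findtext("row/source_ip")

    def aligned(domain):
        domain = (domain or "").strip().lower()
        if alignment == "strict":
            return domain == header_from
        return organizational_domain(domain) == organizational_domain(header_from)

    # A mechanism contributes to DMARC only if it passed AND its domain aligns.
    aligned_dkim = [
        d.findtext("domain") for d in rec.findall("auth_results/dkim")
        if (d.findtext("result") or "").lower() == "pass" and aligned(d.findtext("domain"))
    ]
    aligned_spf = [
        s.findtext("domain") for s in rec.findall("auth_results/spf")
        if (s.findtext("result") or "").lower() == "pass" and aligned(s.findtext("domain"))
    ]
    dkim_pass = bool(aligned_dkim)
    spf_pass = bool(aligned_spf)
    return {
        "source_ip": source_ip,
        "header_from": header_from,
        "aligned_dkim_domains": aligned_dkim,
        "dkim_aligned_pass": dkim_pass,
        "spf_aligned_pass": spf_pass,
        "dmarc_pass": dkim_pass or spf_pass,
        # Heuristic: DKIM survives forwarding, SPF does not. Confirm with a PTR
        # lookup on source_ip before concluding the mail was relayed by a third party.
        "likely_forwarded": dkim_pass and not spf_pass,
    }


if __name__ == "__main__":
    for key, value in evaluate_record(RECORD_XML).items():
        print(f"{key}: {value}")
```

Running it on the posted record shows that only the flowcx.com.au DKIM signature counts (the amazonses.com signature passes but does not align), SPF contributes nothing because its result is softfail, and DMARC still passes on the aligned DKIM alone, which is exactly the `dkim=pass`, `spf=fail`, `disposition=none` the reporter recorded. In a triage script, records flagged `likely_forwarded` are the ones worth a PTR check rather than an SPF record change.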