Emails can suffer quite a good deal of changes on their journey. We are aware of recipients that do 2nd-level checks of the records, that is, after the first receiving hop on their end, checks which will always result in failure.
With the base information from DMARC reports, you'd need to reverse it and use it to find the actual email in your mailbox, or enough information to ask a known recipient for the email's details.
Most of the failures could be, for example, NDRs or OoO replies; since they lack an env-sender there's SPF check to be executed, and due to the missing sender it wouldn't have a DKIM signature attached either. As such, any DMARC checks against these emails would result in failure.
Original Message:
Sent: Apr 22, 2022 08:53 AM
From: AdrianAston AdrianAston
Subject: SPF failures when host name starts mail2.*.messagelabs.com
Hi Roberto
How would I find out that information? I am using https://app.glockapps.com/dmarc-monitor to view my DMARC results.
It shows Sending IP, DMARC, DKIM, SPF, Header from, SPF Domain, SPF auth, DKIM Domain etc. You can't identify individual emails.
The occasional SPF failure seems to be where some email services forward on to a different one so it changes the IP address of the sender.
However, most of the failures are mail2.bemta3*.messagelabs.com which should be covered by my SPF record as mail1.bemta..... pass fine.
Original Message:
Sent: Apr 22, 2022 07:54 AM
From: Roberto Monteiro
Subject: SPF failures when host name starts mail2.*.messagelabs.com
Hi,
That is odd. Sorry to hear it's happening. Could you by any chance privately provide information to locate some of these emails (sender, recipient, date), as well as full headers of some of these emails as received (from Gmail, Yahoo, etc.)? Sent within the past 7 days.
thanks
Roberto
Original Message:
Sent: Apr 20, 2022 11:14 AM
From: AdrianAston AdrianAston
Subject: SPF failures when host name starts mail2.*.messagelabs.com
Hi Rob. I have exactly the same issue. DMARC Pass, DKIM pass, SPF fail, DKIM Auth is correct. Only happens on mail2 messagelabs.
v=spf1 include:amazonses.com include:spf.messagelabs.com -all
Original Message:
Sent: Jul 02, 2018 12:10 PM
From: Robert Pattterson
Subject: SPF failures when host name starts mail2.*.messagelabs.com
Mohammad / Ian / (Symantec),
I sent the sample logs to you as a Private Message on 27th June as I would rather not upload them to a public site. You can see that Google, Btinternet, Yahoo and AOL are all showing SPF failures for hosts starting mail2. When can I have a response, please?
Regards,
Rob
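
Added example, not part of any post in this thread: the DMARC aggregate data discussed above (sending IP, SPF domain, SPF auth, header from) can be triaged per record to separate an aligned-domain SPF fail (sending IP not authorised by the record) from forwarded mail and from null-sender messages such as NDRs. It assumes RFC 7489 aggregate XML in which the reporter fills in the SPF `scope` element; the report, domains and IPs are constructed placeholders, and the alignment test is simplified.

```python
import xml.etree.ElementTree as ET  # reports come from third parties: prefer defusedxml in production

# Constructed RFC 7489 aggregate report; example.* domains and IPs are placeholders.
REC = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
       "<dkim>{pd}</dkim><spf>{ps}</spf></policy_evaluated></row>"
       "<identifiers><header_from>example.com</header_from></identifiers>"
       "<auth_results><spf><domain>{dom}</domain><scope>{scope}</scope>"
       "<result>{res}</result></spf></auth_results></record>")
SAMPLE = "<feedback>" + "".join(REC.format(**r) for r in [
    dict(ip="192.0.2.10", n=12, pd="pass", ps="fail", dom="example.com", scope="mfrom", res="fail"),
    dict(ip="198.51.100.7", n=3, pd="pass", ps="fail", dom="fwd.example.net", scope="mfrom", res="pass"),
    dict(ip="203.0.113.5", n=2, pd="fail", ps="fail", dom="mta.example.org", scope="helo", res="pass"),
    dict(ip="192.0.2.20", n=40, pd="pass", ps="pass", dom="bounce.example.com", scope="mfrom", res="pass"),
]) + "</feedback>"

def aligned(spf_domain, header_from):
    # Simplified relaxed alignment: equal, or one is a subdomain of the other.
    # A real check compares organizational domains via the Public Suffix List.
    a, b = spf_domain.lower(), header_from.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def classify(record):
    if record.findtext("row/policy_evaluated/spf") == "pass":
        return "spf_aligned_pass"
    spf = record.find("auth_results/spf")
    if spf is None:
        return "no_spf_result"
    if spf.findtext("scope") == "helo":          # empty envelope sender (NDR, auto-reply)
        return "null_sender_helo_identity"
    header_from = record.findtext("identifiers/header_from", "")
    if not aligned(spf.findtext("domain", ""), header_from):
        return "unaligned_envelope_domain"       # forwarded or relayed under another domain
    return f"aligned_domain_spf_{spf.findtext('result')}"  # "fail": IP not in the SPF record

def summarize(xml_text):
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        pol = rec.find("row/policy_evaluated")
        dmarc = "pass" if "pass" in (pol.findtext("dkim"), pol.findtext("spf")) else "fail"
        rows.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")),
                     classify(rec), dmarc))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(*row, sep="\t")
```

Rows labelled `aligned_domain_spf_fail` are the ones worth comparing against the published SPF record, since the envelope domain is your own and the reporting receiver still rejected the sending IP.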