I am new to DMARC:

I have recently followed Mailchimp guidelines. This includes setting up DMARC. Right now the policy is none, so I can get reports on which emails fail.

Here I notice it seems Mailchimp emails fail the SPF check.

I found MailChimp IP addresses here: https://mailchimp.com/about/ips/

Here is example XML:

<record>
  <row>
    <source_ip>148.105.12.199</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>fbl.mcsv.net</domain>
      <selector>k2</selector>
      <result>pass</result>
    </dkim>
    <dkim>
      <domain>example.com</domain>
      <selector>k2</selector>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>mail199.sea22.mcdlv.net</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>

Note: I have replaced my own domain with example.com

The result, I believe, corresponds to:

  • DMARC Compliance: pass
  • SPF Authentication: pass
  • SPF Alignment: fail
  • SPF Policy: no result
  • DKIM Authentication: pass
  • DKIM Alignment: pass
  • DKIM Policy: pass

I am new to DMARC. Is the above as expected? Or have I messed up something? Mailchimp has authenticated my domain after I added the CNAME and DMARC entries.

Tom
  • 469

1 Answer

I have the same problem. I have SPF, DMARC, DKIM and BIMI for our domain configured in the DNS. I'm using a DMARC-analyzer to see how it works out, and for Mailchimp the SPF domain is not aligned. Looking for answers I found this Reddit discussion where one of the commenters says the following:

Just wanted to mention, MailChimp unfortunately does not provide the ability to align email custom domains with the envelope sender address. In short, you will never get SPF alignment from MailChimp. I don't know why they even still tell people to add their SPF include, because your domain will never align for it to be checked against. The only authentication mechanism that DOES align from Mailchimp is DKIM.

So this answers your question, but it is not the answer you want. And me neither, although...

Looking further, I found the following discussion here: https://security.stackexchange.com/questions/225715/dmarc-failing-spf

It seems that if SPF fails, but DKIM passes, given a DMARC policy, then there is no problem. To finish this: I just removed the SPF includes for Mailchimp from the DNS of our domain.

SPRBRN
  • 8,149
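
The alignment check discussed in this thread, as an added example (not part of either post, and not Mailchimp's or any DMARC reporter's code): it parses the record from the question and tests every passing SPF and DKIM result against `header_from` in relaxed or strict mode. The function names and the two-label organizational-domain shortcut are assumptions; a real evaluator uses the Public Suffix List.

```python
import xml.etree.ElementTree as ET  # for untrusted reports, prefer defusedxml

# The record from the question (domain already replaced by example.com).
SAMPLE_RECORD = """<record>
  <row>
    <source_ip>148.105.12.199</source_ip>
    <count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>fbl.mcsv.net</domain><selector>k2</selector><result>pass</result></dkim>
    <dkim><domain>example.com</domain><selector>k2</selector><result>pass</result></dkim>
    <spf><domain>mail199.sea22.mcdlv.net</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Assumption: organizational domain = last two labels. A real evaluator
    # uses the Public Suffix List (this shortcut is wrong for e.g. co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if not a or not h:
        return False  # a missing domain can never align
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(record_xml, strict=False):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from") or ""
    out = {"header_from": header_from}
    for mech in ("spf", "dkim"):
        results = [(e.findtext("domain") or "", e.findtext("result"))
                   for e in rec.findall(f"auth_results/{mech}")]
        out[f"{mech}_auth"] = any(r == "pass" for _, r in results)
        # DMARC only counts a passing result whose domain aligns with From:.
        out[f"{mech}_aligned"] = [d for d, r in results
                                  if r == "pass" and aligned(d, header_from, strict)]
    out["dmarc_pass"] = bool(out["spf_aligned"] or out["dkim_aligned"])
    # Cross-check against what the reporter wrote in <policy_evaluated>.
    pe = rec.find("row/policy_evaluated")
    out["matches_report"] = all(
        (pe.findtext(m) == "pass") == bool(out[f"{m}_aligned"]) for m in ("spf", "dkim"))
    return out

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

For this record the SPF result passes for `mail199.sea22.mcdlv.net` but aligns with nothing, while the `example.com` DKIM signature both passes and aligns, which is why `<policy_evaluated>` shows `spf` as fail and `dkim` as pass.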