I posted this in the Group Managers forum and a member suggested I post it here.
I'm working on setting up DMARC on my domain, obfuscated here as mydomain.com.
For a few days after I started posting in the Group Managers forum, I was getting reports of thousands of would-be failures for email sent from Moldova. I found a raw report with the Moldovan IP address. I don't quite understand the <auth_results> section: it looks like DKIM is passing using the groups.io signature, but the foreign IP (bleza(dot)skilldivinet(dot)net) is passing on SPF. Are they somehow spoofing the groups.io DKIM signature? Here is the report, with the questionable section in bold:
The only groups.io DKIM TXT record I know of is 20140610._domainkey.groups.io. If that is a date stamp, perhaps it's time to rotate the key?
@Mark Berry, it just occurred to me that perhaps the "pass" result in the "auth_results, dkim" section is simply confirming that a valid DKIM record was found for the "groups.io" domain.
Sorry, I only thought of this after I realized the "policy evaluated" section shows "fail" in the "dkim" section and appears to be (rightly) determining that the DKIM is invalid. I'm trying to find the relevant docs that may explain this.
What I don't understand is why the "source ip" does not show up on any block list yet. :(
I believe the failures in the "policy evaluated" section are what MxToolbox calls alignment failures. Which kinda makes sense, if a third party is signing email with a spoofed certificate but not actually sending from that certificate's domain. (If that's what misalignment means.) Here is their report on that XML:
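The distinction the thread is circling is the one an aggregate (rua) report encodes: `auth_results` records the raw SPF and DKIM verification results for whatever domain each check concerned (here a DKIM signature for `d=groups.io` that verifies fine), while `policy_evaluated` records DMARC's own verdict, which additionally requires the passing identifier to be *aligned* with the RFC 5322 `From:` domain. A valid groups.io signature on mail whose `From:` is mydomain.com is therefore a DKIM pass but a DMARC DKIM fail, exactly as the report shows. The script below is an added example (not code from the thread or from MxToolbox): it parses a constructed report in the RFC 7489 Appendix C XML shape, re-derives alignment from `auth_results` and `header_from` using the published `adkim`/`aspf` modes, and checks that its verdict matches what the reporter put in `policy_evaluated`. The IPs (203.0.113.x) and the third-party SPF domain are placeholders, and the organizational-domain helper is a deliberate simplification (real checkers consult the Public Suffix List).

```python
"""Re-derive DMARC alignment verdicts from an aggregate (rua) report.

Added example, not from the original thread. The sample report below is
constructed; 203.0.113.x addresses and third-party.example are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed aggregate report: record 1 mirrors the thread's puzzling case
# (DKIM pass for groups.io, SPF pass for an unrelated domain, From: mydomain.com);
# record 2 is an aligned, legitimate send for contrast.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>1423</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>groups.io</domain><selector>20140610</selector><result>pass</result></dkim>
      <spf><domain>third-party.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.mydomain.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>mydomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def org_domain(name):
    """Simplified organizational domain: the last two labels.
    Production checkers use the Public Suffix List (e.g. for example.co.uk)."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment (RFC 7489 section 3.1):
    strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def parse_report(xml_text):
    """Return one dict per <record>, with our alignment verdict alongside
    the verdict the reporting receiver wrote into policy_evaluated."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    records = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        # DMARC DKIM passes if ANY verified signature is aligned with From:.
        dkim_aligned = any(
            d.findtext("result") == "pass" and aligned(header_from, d.findtext("domain"), adkim)
            for d in rec.findall("auth_results/dkim"))
        # DMARC SPF passes if the SPF-authenticated domain verified AND is aligned.
        spf_aligned = any(
            s.findtext("result") == "pass" and aligned(header_from, s.findtext("domain"), aspf)
            for s in rec.findall("auth_results/spf"))
        reported = rec.find("row/policy_evaluated")
        records.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,
            "reported_dkim": reported.findtext("dkim"),
            "reported_spf": reported.findtext("spf"),
            "disposition": reported.findtext("disposition"),
        })
    return records


def consistent_with_reporter(rec):
    """True when our alignment verdict agrees with the reporter's policy_evaluated."""
    return ((rec["reported_dkim"] == "pass") == rec["dkim_aligned"]
            and (rec["reported_spf"] == "pass") == rec["spf_aligned"])


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        verdict = "pass" if r["dmarc_pass"] else "fail"
        print(f"{r['source_ip']:>12} count={r['count']:<5} dkim_aligned={r['dkim_aligned']} "
              f"spf_aligned={r['spf_aligned']} dmarc={verdict} "
              f"disposition={r['disposition']} agrees_with_report={consistent_with_reporter(r)}")
```

Run against your own rua XML by swapping `SAMPLE_REPORT` for the file contents; a record where `dmarc_pass` is False but `disposition` is `none` is simply a `p=none` policy doing its monitoring job, not a delivery failure. Volumes like the thread's thousands of records from one IP stand out immediately when you sort the parsed records by `count`.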