Suped

Why is a new IP address showing up in my GPT dashboard with SPF failing but DKIM passing?

10 Marketer opinions4 Expert opinions4 Technical articles2 Resources

Summary

The consensus from experts, marketers, and documentation is that a new IP address appearing in your GPT dashboard with SPF failing but DKIM passing primarily indicates email forwarding. SPF failures occur because the originating IP no longer matches your domain's SPF record, while DKIM passes because the message's signature is still valid. Other potential causes include a compromised ESP, domain spoofing, or misconfigured SPF records. Regardless of the cause, it's crucial to investigate the source of the new IP, monitor its reputation, ensure SPF and DMARC are properly configured, and secure accounts to maintain deliverability.

Key findings

  • Email Forwarding: Email forwarding is the most common reason for SPF failures while DKIM passes.
  • Independent Authentication Methods: SPF and DKIM are independent authentication methods; SPF validates the IP, DKIM validates the message.
  • Reputation Impact: Even with DKIM passing, a new IP address can negatively impact your sender reputation and deliverability.
  • Security Risks: A new IP could indicate a compromised ESP, domain spoofing, or unauthorized access to your systems.

Key considerations

  • Investigate the Source: Thoroughly investigate the origin of the new IP address to determine its legitimacy.
  • Monitor IP Reputation: Check the IP address against blacklists and monitor its sender score to identify and address reputation issues.
  • Review SPF Records: Ensure that your SPF records are up-to-date and include all authorized sending sources.
  • Assess DMARC Settings: Review your DMARC policy to understand how it handles messages that fail SPF but pass DKIM and ensure proper alignment.
  • Secure Accounts and Systems: Implement security measures to protect against unauthorized access and potential compromises.
  • Check Forwarding Rules: Verify and disable any unintended forwarding rules in your email settings.
  • Regenerate DKIM Key: Consider regenerating your DKIM key at your ESP as a precaution against potential compromise.

What email marketers say
10Marketer opinions

The appearance of a new IP address in your GPT dashboard with SPF failing but DKIM passing typically indicates email forwarding, a potential compromise of your ESP, or unauthorized use of your domain. SPF failures occur because the originating IP address doesn't match your domain's SPF record, while DKIM passes if the message's signature remains valid. It's crucial to investigate the source of the new IP, monitor its reputation, and verify your email authentication settings to maintain deliverability.

Key opinions

  • Forwarding Issue: Email forwarding often causes SPF failures as the originating IP changes, but DKIM can still pass if the message content and signature are intact.
  • ESP Compromise: A compromised ESP could result in unauthorized IP addresses sending emails with your DKIM signature. Regenerating the DKIM key is a potential solution.
  • Domain Spoofing: Unauthorized parties may be using your domain to send emails. Review SPF, DKIM, and DMARC settings to protect your domain reputation.
  • Reputation Impact: A new and unknown IP address sending emails from your domain could negatively affect your IP reputation, leading to deliverability issues.
  • DMARC Alignment: Failing SPF but passing DKIM can cause DMARC failures, particularly if you have strict alignment policies. Check your DMARC policy settings.

Key considerations

  • Track DKIM Selector: Monitor the DKIM selector associated with the new IP to understand the origin of the emails.
  • Review DMARC Reports: Analyze DMARC reports to identify the source of the SPF failures and potential forwarding scenarios.
  • Check Forwarding Rules: Examine your email filters and forwarding settings in Gmail or Google Workspace to disable any unintended forwarding rules.
  • Verify MX Records: Ensure your MX records are correctly pointing to your mail servers to prevent routing issues.
  • Monitor IP Reputation: Regularly check blacklists and sender scores associated with the new IP to monitor and address potential reputation damage.
  • Security Audit: Conduct a thorough account and server security audit to identify and mitigate potential compromises.
Marketer view

Email marketer from MXToolbox shares you should always check the general health of your setup and identifies that incorrect MX records can lead to emails being routed through unexpected servers. It's important to verify the DNS records to ensure they're correctly pointing to your mail servers.

September 2024 - MXToolbox
Marketer view

Email marketer from Litmus responds that failing SPF but passing DKIM can cause DMARC to fail if you have strict alignment policies. DMARC requires either SPF or DKIM to pass and align. Check your DMARC policy to see how it handles messages that fail SPF but pass DKIM.

June 2022 - Litmus
Marketer view

Email marketer from StackOverflow answers question and suggests that someone else might be using your domain name to send email. If you're seeing a new IP address that you don't recognize, it could mean that someone is spoofing your domain. Make sure your SPF, DKIM, and DMARC settings are properly configured to prevent abuse.

April 2023 - StackOverflow
Marketer view

Email marketer from Reddit suggests that the new IP address might be from a forwarding service or a mail server configured to relay emails. If the emails are being forwarded, SPF will fail since the IP address will not match the sending domain's SPF record. DKIM will pass if the message was signed before being forwarded.

August 2024 - Reddit
Marketer view

Email marketer from Gmass explains sometimes old rules in your inbox can cause forwarding of emails. Check your Gmail or Google Workspace filters and forwarding settings. Disable any unwanted forwarding rules that could be sending emails from an unfamiliar IP address.

June 2022 - Gmass
Marketer view

Email marketer from Email Geeks suggests tracking the DKIM selector with SPF Fail/DKIM Pass to understand the original outgoing server and observing the DMARC report reporter to identify potential auto-forwarding/routing cases.

November 2023 - Email Geeks
Marketer view

Email marketer from Email Security Forum suggests if forwarding isn't the problem, it might indicate a compromised account or server. If the emails are being sent without your knowledge, someone may have gained unauthorized access. Secure your accounts and servers and check your logs for suspicious activity.

January 2023 - Email Security Forum
Marketer view

Email marketer from Mailgun Support explains that SPF failures often occur with email forwarding. When a mail server forwards a message, the originating IP address no longer matches the SPF record of the sender's domain, causing an SPF failure. DKIM, however, can still pass because the message content and signature remain intact.

June 2022 - Mailgun
Marketer view

Marketer from Email Geeks suggests regenerating the DKIM key at the ESP to address a potential compromise and deleting the public key component to prevent further message signing.

November 2021 - Email Geeks
Marketer view

Email marketer from Email on Acid shares that if a new IP address is sending emails using your domain, it is vital to monitor its reputation. Even if DKIM is passing, poor IP reputation can affect deliverability. Check blacklists and sender scores associated with the new IP.

December 2024 - Email on Acid

What the experts say
4Expert opinions

Experts suggest that the appearance of a new IP address in a GPT dashboard with SPF failing but DKIM passing often points to email forwarding. This is because forwarding changes the originating IP, causing SPF to fail, while the DKIM signature, which validates message integrity, remains intact. Even with DKIM passing, a new IP can negatively impact your sending reputation, emphasizing the need to monitor traffic sources and ensure deliverability.

Key opinions

  • Forwarding as Primary Cause: SPF failures with passing DKIM often strongly indicate email forwarding.
  • DKIM Integrity: DKIM signatures remain valid despite forwarding because message content isn't altered.
  • Reputation Impact: New IPs can harm sender reputation even if DKIM passes.

Key considerations

  • Monitor Traffic Sources: Carefully monitor where the traffic from the new IP address is originating.
  • Assess Forwarding Scenarios: Determine if mail forwarding is the cause of the new IP address appearance.
  • Ensure Deliverability: Take steps to ensure email deliverability in light of a potentially damaged reputation from the new IP.
Expert view

Expert from Email Geeks agrees that it sounds like forwarding may be the issue. SPF domain is valid but DKIM isn't.

October 2024 - Email Geeks
Expert view

Expert from Spam Resource discusses the implications of a new, unknown IP address sending mail from your domain. Even if DKIM passes, a sudden shift in sending IPs can negatively impact your sending reputation. Monitoring and understanding where that traffic is originating from is crucial to preventing deliverability issues.

January 2024 - Spam Resource
Expert view

Expert from Word to the Wise explains that SPF failures with passing DKIM often indicate a forwarding scenario. The original SPF check fails because the email is being sent from a different IP address than authorized, but the DKIM signature remains valid because the message content hasn't been altered.

June 2024 - Word to the Wise
Expert view

Expert from Email Geeks suggests the issue might be due to mail forwarding.

November 2022 - Email Geeks

What the documentation says
4Technical articles

Documentation from various sources indicates that SPF and DKIM are independent email authentication methods. SPF verifies the sender's IP address, while DKIM validates the message's integrity. The presence of a new IP address with failing SPF but passing DKIM often suggests a forwarding issue or a misconfiguration in SPF. DMARC relies on both SPF and DKIM, so a domain owner should investigate SPF failures to ensure legitimate mail is not affected and update SPF records to include all authorized sending IPs.

Key findings

  • Independent Authentication: SPF and DKIM are independent methods; SPF validates IP, DKIM validates message integrity.
  • Forwarding or Misconfiguration: SPF failure with DKIM passing suggests forwarding or SPF misconfiguration.
  • DMARC Dependence: DMARC relies on both SPF and DKIM for authentication decisions.
  • Unauthorized Sending IP: Failing SPF indicates email sent from an unauthorized server.

Key considerations

  • Investigate SPF Failure: Determine the cause of the SPF failure to ensure legitimate mail isn't affected.
  • Update SPF Records: Include all authorized sending IP addresses or domains in SPF records.
  • SRS Implementation: Consider implementing Sender Rewriting Scheme (SRS) for forwarding scenarios.
Technical article

Documentation from Microsoft describes SPF, DKIM and DMARC work together. A failing SPF can indicate that the email was sent from a server that is not authorized. Ensure that your SPF record includes all IP addresses or domains that send email on your behalf.

December 2023 - Microsoft
Technical article

Documentation from DMARC.org states that DMARC relies on SPF and DKIM. An SPF failure with DKIM passing could indicate a forwarding issue or a problem with SPF configuration. The domain owner should investigate the source of the SPF failure to ensure legitimate mail isn't being affected.

August 2021 - DMARC.org
Technical article

Documentation from RFC Editor specifies how SPF is evaluated. An SPF check verifies if the connecting IP address is authorized to send email for the domain in the 'MAIL FROM' address. The standard explicitly states that forwarding will generally invalidate SPF results unless Sender Rewriting Scheme (SRS) is implemented.

September 2021 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help explains that SPF and DKIM are independent authentication methods. SPF verifies the sender's IP address, while DKIM verifies the message's integrity via a digital signature. A message can pass DKIM even if SPF fails if the DKIM signature is valid.

December 2024 - Google Workspace Admin Help

Related resources
2Resources

r/DMARC
r/DMARC

A community for discussion about email authentication, SPF, DKIM, DMARC, ARC, and BIMI, and their development, usage, and implementation.

Reddit
Google Postmaster Tools | Guide to Check Your Domain Reputation
Google Postmaster Tools | Guide to Check Your Domain Reputation

Utilize Google Postmaster Tools to monitor your domain reputation and other crucial email metrics. Stay on top of your email deliverability.

SocketLabs

Related questions