I can't figure out what should be dmarc result if:
- Dkim fail
- AND Spf Temperror
- AND Spf alignment MISmatch
"Fail" or "Unknown"
RFC 7489 (Domain-based Message Authentication, Reporting, and Conformance (DMARC)) doesn't explain this clearly enough for me:
DMARC evaluation can only yield a "pass" result after one of the underlying authentication mechanisms passes for an aligned identifier. If neither passes and one or both of them fail due to a temporary error, the Receiver evaluating the message is unable to conclude that the DMARC mechanism had a permanent failure; they therefore cannot apply the advertised DMARC policy. When otherwise appropriate, Receivers MAY send feedback reports regarding temporary errors.
From the other side, Spf alignment is important. For example,
- DKIM=fail, Spf=pass, spf no alignment => DMARC will give "Fail"
- DKIM=fail, Spf=Temperror, spf no alignment => DMARC will give "Fail" or "Enable to conclude"?