Analysis Period: August 19 - September 1, 2025
## PROBLEM SUMMARY
Multiple Zoho services are causing systematic SPF authentication failures in DMARC reports from major email providers (Google, Microsoft, Zoho). While emails are successfully delivered due to DKIM authentication, the persistent SPF failures may negatively impact sender reputation over time.
## TECHNICAL EVIDENCE
**Affected Zoho Subdomains**:
1. user.zohobookings.com - 8+ SPF failures across multiple reports
2. notifications.zohoflow.com - 52+ SPF failures (highest volume)
3. public.zohoforms.com - 3+ SPF failures
4. desk-mailer.zohodesk.com - 1+ SPF failure
**Provider Confirmation**:
- Google Gmail: 15+ DMARC reports showing SPF fail for these domains
- Microsoft Outlook: 3+ DMARC reports confirming the same issue
- Zoho Mail: 4+ DMARC reports showing an identical pattern
**Sample DMARC Record**:
```xml
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
<auth_results>
<dkim>
<domain>XXXX.com</domain>
<result>pass</result>
</dkim>
<spf>
<domain>notifications.zohoflow.com</domain>
<result>pass</result>
</spf>
</auth_results>
```
**Analysis**: SPF passes for the Zoho subdomain but fails for domain alignment because `notifications.zohoflow.com` is not included in our SPF record for `DOMAIN XXX.com`.
## CRITICAL IPv6 ISSUE
- **IPv6 Range**: `2600:1901:101::/48`
- **Problem**: Complete DKIM + SPF failure (not just alignment)
- **Affected IPs**: `::9`, `::15`, `::17`
- **Impact**: 6+ emails with total authentication failure
This represents a more serious configuration issue requiring immediate attention.
## CURRENT SPF RECORD
```
v=spf1 ip4:SERVERIP +a +mx include:_spf.google.com include:one.zoho.com ~all
```
**Issue**: `include:one.zoho.com` does not cover the subdomains listed above, which have independent SPF records that don't align with customer domains.
## ROOT CAUSE ANALYSIS
**Architectural Problem**: Zoho services use a fragmented SPF architecture where:
- Customer includes `one.zoho.com` in SPF record
- Individual services use separate subdomains with independent SPF records
- No inheritance or redirect mechanism from parent to subdomains
- Results in SPF alignment failure for DMARC evaluation
## EMAIL DELIVERY CONFIRMATION
Emails are being successfully delivered. Example from Gmail logs:
- **Source IP**: 135.84.80.23
- **Status**: Successfully delivered to zoho-flow@DOMAIN.com
- **Authentication**: DKIM pass (prevents quarantine despite SPF fail)
## REQUESTED RESOLUTION
### Option 1 (Preferred): Zoho Infrastructure Fix
Update the Zoho subdomain SPF records to include proper redirects, or ensure `include:one.zoho.com` covers all service subdomains.
### Option 2: Customer Workaround Documentation
Provide an official list of all Zoho subdomains requiring SPF inclusion, with guidance on SPF flattening to avoid DNS lookup limits.
### Option 3: IPv6 Immediate Fix
Resolve the complete authentication failures for IPv6 range `2600:1901:101::/48`.
## BUSINESS IMPACT
- **Current**: Functional email delivery with SPF failure noise in DMARC reports
- **Future Risk**: Potential sender reputation degradation with major providers
- **Scope**: Affects all customers using multiple Zoho services with DMARC monitoring
## SUPPORTING EVIDENCE
I have comprehensive DMARC reports from 20+ daily reports over 3 weeks showing a consistent pattern across Google, Microsoft, and Zoho infrastructure. Available upon request for detailed technical analysis.
---
**Expected Resolution**: Technical clarification on proper SPF configuration OR infrastructure fix for subdomain alignment
**Timeline**: Non-urgent but ongoing reputation concern requiring architectural solution
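The following is an added example, not part of the original report: a triage helper for DMARC aggregate records that separates "SPF passed but for an unaligned domain" (the pattern in the sample record above) from "SPF and DKIM both failed" (the pattern reported for the IPv6 range). DMARC SPF alignment compares the envelope-sender domain that SPF evaluated with the `header_from` domain. The `header_from` value `example.com`, the source IP and the two-label `org_domain` shortcut are assumptions; production code should use the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed record in the RFC 7489 aggregate-report layout. example.com is a
# placeholder for the redacted customer domain; 192.0.2.10 is a documentation IP.
SAMPLE = """<record>
  <row><source_ip>192.0.2.10</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>notifications.zohoflow.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    """Relaxed alignment matches organizational domains; strict needs equality."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

def classify(record_xml):
    """Label each mechanism as pass_aligned, pass_unaligned or fail."""
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from") or ""
    out = {"header_from": header_from}
    for mech in ("spf", "dkim"):
        passed = [e.findtext("domain") or ""
                  for e in rec.findall(f"auth_results/{mech}")
                  if e.findtext("result") == "pass"]
        if any(aligned(d, header_from) for d in passed):
            out[mech] = "pass_aligned"
        elif passed:
            out[mech] = "pass_unaligned"   # authenticated, but for another domain
        else:
            out[mech] = "fail"             # no passing result at all
    # DMARC passes when at least one mechanism passes with alignment.
    out["dmarc"] = "pass" if "pass_aligned" in (out["spf"], out["dkim"]) else "fail"
    return out

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Running `classify` over every `<record>` in a report gives a per-source count of unaligned passes versus outright failures, which is the split the two problem categories above depend on.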