Understanding DMARC report - showing spf pass and fail

Question

I've recently set up DMARC and am receiving reports from Google such as the one below (as you can see Amazon SES sends our emails). I'm struggling to understand that in the <auth_results> section it shows both dkim and spf as pass, but then says spf fail in the <policy_evaluated> section. Can anyone explain?

I don't understand why spf is showing as fail in one section of the xml and pass in another.

Any help would be hugely appreciated.

​

<record>
    <row>
      <source_ip>54.240.3.23</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>XXXXX.co.uk</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>XXXXX.co.uk</domain>
        <result>pass</result>
        <selector>fkxaji2gbqrtxkga2dcntqbjoj3mrfqx</selector>
      </dkim>
      <dkim>
        <domain>amazonses.com</domain>
        <result>pass</result>
        <selector>shh3fegwg5fppqsuzphvschd53n6ihuv</selector>
      </dkim>
      <spf>
        <domain>eu-west-1.amazonses.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

Answer 1

This can happen when your envelope MAIL FROM and your message header FROM are not using the same domain. <policy_evaluated><spf> only passes when both of them are set to the same domain.