When a source is marked as "failed" in DMARC, it means that the emails from that source are not DMARC-compliant due to invalid SPF and/or DKIM settings. This can occur for two reasons: either the source failed the DMARC checks due to misaligned SPF and/or DKIM, or the source is sending malicious emails on behalf of your domain.

It is important to investigate all sources that appear in the "failed" section to determine whether they are legitimate or malicious. If you recognize a source as legitimate, you can set up and align SPF and/or DKIM correctly. However, if you do not recognize the source, it requires investigation because the source might be attempting to send malicious emails on behalf of your domain.

To investigate a failed source, here are some steps you can take:

  • Determine if you recognize the source as a partner of your company. If you do, you can investigate whether the SPF and DKIM settings are set up correctly and aligned with your domain.
  • Search on Google for more information about the source. This can help you determine whether the source is legitimate or not.
  • Check RBL (Real-time Blackhole List) blacklist websites to see if the source appears on any of them. If it does, this may indicate that the source is malicious.
  • Review forensic reports to see what kind of emails are being sent by the source. This can help you determine whether the emails are legitimate or not.
  • If the source is legitimate, search for documentation to set up DMARC correctly with the source.
  • Finally, consider contacting the source to request that they align their SPF and DKIM settings correctly or to report any malicious activity.

By following these steps, you can investigate failed sources and take appropriate action to ensure that your domain remains secure and DMARC-compliant.