These results made me think that both Google Mail and Office 365
do not consider it important if the DKIM signing domain is different from the sender;
as long as the message is authenticated with SPF, it will reach the inbox:
| Test case | Google Mail | Office 365 |
|---|---|---|
| spf Pass - dkim diff - dmarc reject | inbox | inbox |
| spf Fail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf SoftFail - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
| spf Neutral - dkim diff - dmarc reject | inbox | inbox |
| spf none - dkim diff - dmarc reject | dsn=5.0.0, stat=Service unavailable | junk |
I don’t know why I was convinced that both spf and dkim should refer to the same domain.
Searching on the internet I’ve found this on “Domain alignment”:
DMARC requires that at least one of the domains is authenticated by SPF or DKIM
to "align with" the domain found in the "from" header address
In fact, SpamStop almost always gave the warning “dkim-diff”
to the messages coming from Google Mail and Office 365.
Now it has been fixed; I’ve called this behaviour “dkim soft fail”.
SpamStop dkim check: when the message has been signed using a different domain,
the “dkim-diff” alert will NOT be displayed if the sender (“from”) passes the SPF check.
The tester has also been updated: dkim check online
When this particular case happens, the result will show:
|~OK| spf-pass |~OK| dkim-diff |~OK|
Having both SPF and DKIM aligned with the from domain makes even more sense,
since the SPF check can be broken by email forwarding,
while the DKIM signature remains unchanged, tied to the message.
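
The alignment rule quoted above, the “dkim-diff” suppression and the forwarding case can be modelled in a few lines. This is an added example, not SpamStop's code: the `Msg` fields, the function names and the sample messages are constructed for illustration, and the organizational domain is approximated by the last two labels (real implementations use the Public Suffix List).

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Msg:
    from_domain: str   # domain of the "from" header address
    spf_result: str    # pass, fail, softfail, neutral, none
    spf_domain: str    # envelope sender domain checked by SPF
    dkim_result: str   # pass, fail, none
    dkim_domain: str   # d= tag of the DKIM signature

def evaluate(m: Msg) -> dict:
    spf_ok = m.spf_result == "pass" and aligned(m.spf_domain, m.from_domain)
    dkim_ok = m.dkim_result == "pass" and aligned(m.dkim_domain, m.from_domain)
    # "dkim-diff": the signature verifies but was made by another domain.
    dkim_diff = m.dkim_result == "pass" and not dkim_ok
    return {
        # DMARC needs at least one aligned, passing mechanism.
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
        "dkim_diff": dkim_diff,
        # The rule described above: no alert when the sender passes SPF.
        "show_dkim_diff_alert": dkim_diff and not spf_ok,
    }

# Constructed sample messages (example.com / example.net are placeholders).
SAMPLES = {
    "spf-pass, dkim-diff": Msg("example.com", "pass", "example.com",
                               "pass", "mailer.example.net"),
    "spf-fail, dkim-diff": Msg("example.com", "fail", "example.com",
                               "pass", "mailer.example.net"),
    # Forwarded: SPF breaks at the forwarder, the aligned signature survives.
    "forwarded, dkim aligned": Msg("example.com", "fail", "example.com",
                                   "pass", "mail.example.com"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name}: {evaluate(msg)}")
```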