[
  {
    "code": "000",
    "compauth": "fail",
    "meaning": "Explicit authentication failure: DMARC fails with a p=quarantine or p=reject policy.",
    "typical_cause": "The domain publishes a strict DMARC but the message does not align (SPF/DKIM break alignment, often during forwarding or from an unauthorized source).",
    "resolution": "Align SPF and DKIM with the From: domain; authorize the sending source; configure a trusted ARC sealer if the message is forwarded."
  },
  {
    "code": "001",
    "compauth": "fail",
    "meaning": "Implicit authentication failure: no authentication records published, or weak policy.",
    "typical_cause": "The domain has little or no authentication: SPF with ~all/?all, or DMARC with p=none. Microsoft lacks signal.",
    "resolution": "Publish aligned SPF, DKIM and DMARC; harden progressively toward ~all then -all."
  },
  {
    "code": "002",
    "compauth": "fail",
    "meaning": "A tenant policy explicitly forbids this sender/domain pair.",
    "typical_cause": "Manual administrator entry (Tenant Allow/Block List, spoofing block).",
    "resolution": "Review the block entry and remove it only if the sender is confirmed to be legitimate."
  },
  {
    "code": "010",
    "compauth": "fail",
    "meaning": "DMARC fails with p=reject/p=quarantine, and the sending domain is an accepted domain of your organization.",
    "typical_cause": "Intra-organization spoofing: a third-party service sends \"as\" your own domain without being authorized.",
    "resolution": "Authorize the source in SPF/DKIM or via the Tenant Allow/Block List."
  },
  {
    "code": "1xx",
    "compauth": "pass",
    "meaning": "The message passed explicit or implicit authentication.",
    "typical_cause": "Success.",
    "resolution": "No action."
  },
  {
    "code": "100",
    "compauth": "pass",
    "meaning": "SPF passed or DKIM passed, and MAIL FROM and From are aligned.",
    "typical_cause": "Nominal success.",
    "resolution": "No action."
  },
  {
    "code": "101",
    "compauth": "pass",
    "meaning": "The message is DKIM-signed by the From: domain.",
    "typical_cause": "Aligned DKIM success.",
    "resolution": "No action."
  },
  {
    "code": "102",
    "compauth": "pass",
    "meaning": "MAIL FROM and From aligned, and SPF passed.",
    "typical_cause": "Aligned SPF success.",
    "resolution": "No action."
  },
  {
    "code": "103",
    "compauth": "pass",
    "meaning": "The From: is aligned with the PTR (reverse DNS) of the source IP.",
    "typical_cause": "Success via PTR.",
    "resolution": "No action."
  },
  {
    "code": "104",
    "compauth": "pass",
    "meaning": "The PTR of the source IP is aligned with the From: domain.",
    "typical_cause": "Success via PTR.",
    "resolution": "No action."
  },
  {
    "code": "108",
    "compauth": "pass",
    "meaning": "DKIM failed because of a body modification by a previous legitimate hop.",
    "typical_cause": "Tolerated (on-premises environment, for example).",
    "resolution": "Monitor in-transit modifications; consider ARC."
  },
  {
    "code": "109",
    "compauth": "pass",
    "meaning": "No DMARC, but the message would still pass evaluation.",
    "typical_cause": "Tolerated.",
    "resolution": "Publish DMARC to formalize intent."
  },
  {
    "code": "111",
    "compauth": "pass",
    "meaning": "Despite a DMARC temperror or permerror, SPF or DKIM is aligned with the From:.",
    "typical_cause": "Tolerated despite a DNS error.",
    "resolution": "Fix the DMARC record."
  },
  {
    "code": "112",
    "compauth": "pass",
    "meaning": "A DNS timeout prevented DMARC retrieval.",
    "typical_cause": "Transient DNS error.",
    "resolution": "Check the domain's DNS resolution."
  },
  {
    "code": "115",
    "compauth": "pass",
    "meaning": "The message comes from a Microsoft 365 organization where the From: is an accepted domain.",
    "typical_cause": "Tolerated (Microsoft 365 to Microsoft 365).",
    "resolution": "No action."
  },
  {
    "code": "116",
    "compauth": "pass",
    "meaning": "The MX of the From: is aligned with the PTR of the connecting IP.",
    "typical_cause": "Tolerated.",
    "resolution": "No action."
  },
  {
    "code": "130",
    "compauth": "pass",
    "meaning": "The ARC result of a trusted ARC sealer replaced a DMARC failure.",
    "typical_cause": "Forwarding via a trusted ARC service.",
    "resolution": "Configure trusted ARC sealers."
  },
  {
    "code": "2xx",
    "compauth": "softpass",
    "meaning": "The message partially passed implicit authentication.",
    "typical_cause": "Partial signals.",
    "resolution": "Strengthen SPF/DKIM/DMARC."
  },
  {
    "code": "201",
    "compauth": "softpass",
    "meaning": "The PTR of the From: is aligned with the subnet of the connecting IP's PTR.",
    "typical_cause": "Weak alignment (subnet).",
    "resolution": "Strengthen authentication."
  },
  {
    "code": "202",
    "compauth": "softpass",
    "meaning": "The From: is aligned with the domain of the connecting IP's PTR.",
    "typical_cause": "Weak alignment (PTR).",
    "resolution": "Strengthen authentication."
  },
  {
    "code": "3xx",
    "compauth": "none",
    "meaning": "The message was not checked for composite authentication.",
    "typical_cause": "Not evaluated.",
    "resolution": "None."
  },
  {
    "code": "4xx",
    "compauth": "none",
    "meaning": "The message bypassed composite authentication.",
    "typical_cause": "Bypass.",
    "resolution": "None."
  },
  {
    "code": "501",
    "compauth": "n/a",
    "meaning": "DMARC not enforced: the message is a valid NDR (non-delivery report) and contact was previously established.",
    "typical_cause": "NDR tolerance.",
    "resolution": "No action."
  },
  {
    "code": "502",
    "compauth": "n/a",
    "meaning": "DMARC not enforced: valid NDR for a message sent by this organization.",
    "typical_cause": "NDR tolerance.",
    "resolution": "No action."
  },
  {
    "code": "6xx",
    "compauth": "fail",
    "meaning": "Implicit email authentication failure.",
    "typical_cause": "Implicit failure.",
    "resolution": "Publish and align SPF, DKIM, DMARC."
  },
  {
    "code": "601",
    "compauth": "fail",
    "meaning": "The sending domain is an accepted domain of your organization (self-send / intra-org spoofing).",
    "typical_cause": "Internal or third-party application or service sending \"as you\" without authentication.",
    "resolution": "Authorize the source (SPF/DKIM, authenticated relay, Tenant Allow/Block List)."
  },
  {
    "code": "7xx",
    "compauth": "pass",
    "meaning": "The message passed implicit authentication.",
    "typical_cause": "Implicit success.",
    "resolution": "No action."
  },
  {
    "code": "701-704",
    "compauth": "pass",
    "meaning": "DMARC not enforced thanks to a history of legitimate messages from this infrastructure.",
    "typical_cause": "Reputation and history.",
    "resolution": "No action."
  },
  {
    "code": "9xx",
    "compauth": "none",
    "meaning": "The message bypassed composite authentication.",
    "typical_cause": "Bypass.",
    "resolution": "None."
  },
  {
    "code": "905",
    "compauth": "none",
    "meaning": "DMARC not enforced because of complex routing (on-premises or third-party service before Microsoft 365).",
    "typical_cause": "Hybrid routing.",
    "resolution": "Configure ARC or an authenticated relay."
  }
]
