https://support.plesk.com/hc/en-us/requests/96009377
Amavis checked emails fail SPF checks due to being reinjected in Postfix
When a message arrives on port 25, the psa-pc-remote policy daemon evaluates SPF against the original sending IP address and correctly determines a PASS result. However, this result is only recorded as a log entry; it is never written into the message itself as an Authentication-Results header, which is the standardized header format (defined in RFC 7601) that downstream tools use to share authentication outcomes.
After Amavis processes and re-injects the message back into Postfix via port 10025, a new queue entry is created. The DMARC checker runs at this later stage and looks specifically for an Authentication-Results header containing an spf= value. Since that header was never written during the initial SPF evaluation, the DMARC checker finds nothing, treats the SPF result as unknown, and applies the sender domain's p=REJECT policy, discarding the message.
DMARC validation is successful if the email is successfully DKIM signed.
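The failure mode described above, as an added example that is not Plesk's code: a simplified model of a DMARC check that trusts only what is recorded in Authentication-Results headers, run over the message as it looks after reinjection. The sample messages, host names and function names are constructed for illustration, and domain alignment is assumed to hold for every recorded pass.

```python
import re
from email import message_from_string

def auth_results(raw, method):
    """Return the results recorded for `method` ('spf', 'dkim') across
    all Authentication-Results headers of a raw message."""
    found = []
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        value = " ".join(value.split())  # unfold continuation lines
        # A method clause starts the header or follows a ';' separator.
        found += re.findall(r"(?:^|;)\s*%s=(\w+)" % re.escape(method), value, re.I)
    return [r.lower() for r in found]

def dmarc_disposition(raw, policy="reject"):
    """Simplified model (assumption): pass if any recorded SPF or DKIM
    result is 'pass'; otherwise the sender domain's policy applies."""
    if "pass" in auth_results(raw, "spf") or "pass" in auth_results(raw, "dkim"):
        return "accept"
    return policy

# Constructed sample messages.
BODY = "From: alice@example.org\nTo: bob@example.net\nSubject: test\n\nhello\n"
# After reinjection on port 10025: the SPF PASS exists only in the log.
REINJECTED = BODY
# The same message if the port-25 result had been written as a header.
WITH_SPF = ("Authentication-Results: mx.example.net;\n"
            " spf=pass smtp.mailfrom=example.org\n" + BODY)
# DKIM-signed mail: still no spf= entry, but a recorded dkim=pass.
WITH_DKIM = ("Authentication-Results: mx.example.net; "
             "dkim=pass header.d=example.org\n" + BODY)

if __name__ == "__main__":
    for name, raw in [("reinjected", REINJECTED), ("with spf", WITH_SPF),
                      ("with dkim", WITH_DKIM)]:
        print(name, auth_results(raw, "spf"), dmarc_disposition(raw))
```

Running `auth_results` over a message pulled from the queue after reinjection shows whether an spf= result is present at the point where the DMARC check runs.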
https://docs.plesk.com/en-US/obsidian/administrator-guide/mail/antispam-tools/protecting-against-spam.80013/
By default, when an incoming email fails the DMARC check, and the DMARC policy advises that the email should not be accepted for delivery, it is dropped silently. That is, the Plesk mail server replies to the client with a 2yz response code, and then discards the email without trying to deliver it to the recipient(s). You can configure the Plesk mail server to explicitly reject emails that fail the DMARC check with a 5yz response code.
Rejecting emails that fail the DMARC check:
Log in to the Plesk server via SSH.
Run the following command:
plesk bin settings -s mail_dmarc_reject_at_smtp=true && plesk repair mail -y
The Plesk mail server will now reject emails that fail the DMARC check with a 5yz response code.
Incident UUID 3a3ae0ff-946e-48ec-8efe-cee83c5d3b55