
I recently contacted a vendor of security-related development libraries to ask for a quote (I won't name them yet).

The next day, Postmark sent me my weekly DMARC report - and it contained 2 failed entries originating from this vendor's domain, saying that both SPF and DKIM failed. Here is what the report says:

Untrusted Sources (Not Aligned)

No alignment means that neither DKIM nor SPF pass the DMARC policy. These messages are either spam (spoofed) or require your attention for SPF / DKIM authentication. It's important to monitor these emails closely

Has this vendor really been trying to spoof emails from our domain? Perhaps some kind of vulnerability probe?

Or is there any plausible, innocent explanation for these entries?

Owen Orwell
  • 207
  • 1
  • 5
  • One can only guess what it might be and therefore I propose to close it. Based on your information someone from the vendor's IP address tried spoofing but why this was tried and if this is related to the quote you asked for is completely unknown. Therefore it also can't be said if this was innocent or not, especially since different users consider different things as innocent. – Steffen Ullrich Feb 27 '17 at 20:16
  • With all due respect, voting to close this question seems rather unreasonable. I'm trying to understand if there could be any innocent reason under *any* circumstances. We generally only see 0-2 DMARC issues on any given week, so this seems rather suspicious. – Owen Orwell Feb 27 '17 at 20:46
  • Again: *"...someone from the vendors IP address tried spoofing..."*. Thus, if you consider any spoofing attempt malicious then there is no innocent explanation. If you consider for example a probe to deliver a mail with your sender domain to a recipient controlled by the company as innocent (because nobody was harmed) then there is an innocent explanation. – Steffen Ullrich Feb 27 '17 at 21:00
  • @SteffenUllrich I guess then the question is: is a spoofing attempt the only reason for DMARC failures from others' domains? – Owen Orwell Feb 27 '17 at 21:11
  • The report by postmark is based on the reports sent by mail servers to the configured report address in case a mail was deemed to violate the DKIM/SPF policies. Thus it is highly likely that this is caused by violating the policy (i.e. spoofing). But someone could also make up a policy violation report and send it to the configured report address even though no violation was done, i.e. just to confuse somebody with bogus reports. – Steffen Ullrich Feb 27 '17 at 21:16
  • @SteffenUllrich that is a useful and informative explanation, thanks. If you add that as an answer, I'll happily accept it. – Owen Orwell Feb 27 '17 at 21:20

4 Answers

2

It has already been agreed that there is too little information to work with in this question, but I'd still like to point out the two most plausible and non-malicious explanations in case the question pops up again.

  1. The email you sent to the Vendor was not properly handled by Yourself.

Not meaning to point fingers, but at any request for help, this should be the first suspicion. The "neither DKIM nor SPF pass" does not automatically say that both "failed". You may have one fail and one that wasn't configured at all for your domain.

This is of course the reason to have DMARC reports at all. Even if you seem to be sure of your setup, please do send a test email to e.g. gmail and read through the headers of the recipient email.

  2. The Vendor has an email forwarding system that isn't properly configured for DMARC.

This is unfortunately more common than one would hope. See reasons for reference: https://www.dmarcanalyzer.com/forwarding-within-dmarc/

It is sometimes said that it's only a problem for SPF, but forwarders may change both headers and body for internal and perfectly innocent (but less valid) reasons. If the forwarder keeps your domain as From-address the DMARC report will be sent to you.

The next day, Postmark sent me my weekly DMARC report - and it contained 2 failed entries originating from this vendor's domain, saying that both SPF and DKIM failed.

I'm not familiar with Postmark, but for each fail it should be possible to see:

a) Which server reported the fail
b) What was the originating sender server
c) What was the DKIM signature domain
d) What was the SPF verification domain

Using this information it should be possible to learn more about the "spoof". When you say "originating from this Vendor domain" I can't clearly assume which of a-d you mean.

As also already pointed out, in both of these cases your email may have been lost and your request to the Vendor needs to be retried. Sending a follow-up email is a good way to check if the same report appears again or if it was a one-time thing.

In any case I'd say it is not a bad idea to ask the Vendor about the "spoof". They can probably help you with an explanation and you decide if you are willing to trust them. It may also be that they are unaware of a mail configuration problem they have.

JAG
  • 21
  • 3
  • Totally valid answer, but I've checked, double checked and rechecked DMARC and SPF config :) I did ask the vendor at the time, who claimed they didn't know anything about it. – Owen Orwell Jul 03 '19 at 18:38
  • Thanks for coming back with more information. I'm aware that the question is several years old now so I didn't expect to solve your specific problem, but wanted to post in case others come here with similar questions. The gist of the answer was probably "try to find more of the relevant information in the actual DMARC report". – JAG Nov 20 '19 at 21:32
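The answer above says the useful information (reporting server, source IP, DKIM signing domain, SPF domain) is in the aggregate report itself, and the alert text quoted in the question ("neither DKIM nor SPF pass") is specifically about alignment with the header From domain. The script below is an added example, not code from the answer or from Postmark: it parses a DMARC aggregate (RUA) report in the RFC 7489 XML layout, evaluates relaxed or strict alignment for each record, and labels each record with the non-malicious explanation that fits its shape. The XML is a constructed sample, and the organizational-domain helper is a deliberate simplification (it takes the last two labels instead of consulting the Public Suffix List).

```python
"""Read a DMARC aggregate report and explain why each record did or did not
pass. Added example with constructed data; not a real Postmark report."""
import xml.etree.ElementTree as ET

# Constructed sample report in the RFC 7489 Appendix C layout. Three records:
# a normal aligned pass, a forwarder that re-enveloped and re-signed the mail
# under its own domain, and a source with no passing authentication at all.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>dmarc-reports@receiver.example</email>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.example</domain><result>pass</result></dkim>
      <spf><domain>yourdomain.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>vendor.example</domain><result>pass</result></dkim>
      <spf><domain>vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>yourdomain.example</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Approximate the DMARC organizational domain as the last two labels.
    Assumption for this example: real validators use the Public Suffix List."""
    labels = domain.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, header_from, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) only the
    same organizational domain. An empty domain (no DKIM signature) never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def explain_record(rec, adkim, aspf):
    """Return the a-d fields from the answer plus an alignment verdict."""
    header_from = rec.findtext("identifiers/header_from", default="")
    dkim = rec.find("auth_results/dkim")
    spf = rec.find("auth_results/spf")
    dkim_domain = dkim.findtext("domain", default="") if dkim is not None else ""
    dkim_result = dkim.findtext("result", default="none") if dkim is not None else "none"
    spf_domain = spf.findtext("domain", default="") if spf is not None else ""
    spf_result = spf.findtext("result", default="none") if spf is not None else "none"

    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, header_from, adkim)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, header_from, aspf)

    if dkim_ok or spf_ok:
        diagnosis = "pass"
    elif dkim_result == "pass" or spf_result == "pass":
        # Authenticated, just not for the From domain: the shape a forwarder or
        # a third-party sender (web form, list) produces with its own domain.
        diagnosis = "not aligned: authenticated by another domain (forwarder or third-party sender)"
    else:
        diagnosis = "not aligned: no passing authentication (spoof, or a sender of yours missing from SPF/DKIM)"

    return {
        "source_ip": rec.findtext("row/source_ip", default=""),
        "count": int(rec.findtext("row/count", default="0")),
        "header_from": header_from,
        "dkim_domain": dkim_domain, "dkim_result": dkim_result,
        "spf_domain": spf_domain, "spf_result": spf_result,
        "dmarc_pass": dkim_ok or spf_ok,
        "diagnosis": diagnosis,
    }


def parse_report(xml_text):
    """Parse one aggregate report into a list of explained records."""
    root = ET.fromstring(xml_text)
    reporter = root.findtext("report_metadata/org_name", default="")
    adkim = root.findtext("policy_published/adkim", default="r")
    aspf = root.findtext("policy_published/aspf", default="r")
    out = []
    for rec in root.findall("record"):
        row = explain_record(rec, adkim, aspf)
        row["reporter"] = reporter
        out.append(row)
    return out


if __name__ == "__main__":
    for r in parse_report(SAMPLE_REPORT):
        print(f"{r['reporter']} saw {r['count']} msg(s) from {r['source_ip']}: "
              f"dkim={r['dkim_domain'] or '-'}/{r['dkim_result']} "
              f"spf={r['spf_domain']}/{r['spf_result']} -> {r['diagnosis']}")
```

Run against a real report, the second record's shape (DKIM and SPF both passing for the vendor's own domain while your domain is in From) is the one to look for before concluding a spoof: it is what forwarding or a web-form mailer looks like from the reporter's side.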
1

The report by postmark is based on the reports sent by mail servers to the configured report address in case a mail was deemed to violate the DKIM/SPF policies. Thus it is highly likely that this is caused by violating the policy (i.e. spoofing) but this is not the only possible explanation.

For example someone could make up a policy violation report and send it to the configured report address even though no violation was done, i.e. just to confuse somebody with bogus reports.

And finally a malfunctioning mail system at the vendor you've contacted could treat the internal distribution of your original mail or a redistribution of the mail as if somebody has tried to spoof your domain - and report this as policy violation.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
1

If you submitted the query using a Web form and included your e-mail address, the form could then have e-mailed someone within the company "from" your provided e-mail address--and their server could well then have (correctly) treated it as a spoofed address. I've seen such "spoofed" (albeit for legitimate reasons) e-mails before, though haven't witnessed the consequent DMARC failures.

Joel
  • 11
  • 1
0

Can't comment yet, but meant to add to https://security.stackexchange.com/a/152519/140580.

You are misunderstanding what the report is saying: it is saying that their systems feel your mail was sent from an invalid server, or with an invalid DKIM signature.

Personally, I have caused myself this issue by scrubbing headers for outbound emails, which (I found out the hard way) was happening after the DKIM signature.

This meant all DKIM was failing, and resulted in an interesting variety of DMARC reports.

If it makes sense, given your mail setup, to do so, send an email to a large provider that also has DMARC verification (google, hotmail, yahoo, probably a ton more), and see if the same results are returned.

Another possibility, on their end, is that their mail server might have a limited DNS view (i.e. internal domains only) that means they cannot retrieve valid DKIM and/or SPF info (this might be the case if they have a DMARC validating server behind a 'front-end' mail server that performs e.g. filtering).

One thing, though: this may mean your request is in their spam filters. Which means you might need to consider some other means of getting in touch.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
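The last answer's self-inflicted failure (headers scrubbed after the DKIM signature was applied) and the earlier point that forwarders may change both headers and body come down to what a DKIM signature actually covers. The script below is an added example, not code from either answer: it implements the relaxed header and body canonicalization of RFC 6376 and builds the signed-header input the way a signer does (the headers named in h=, bottom-most instance first), then shows which post-signing changes survive verification and which do not. Two simplifications are assumptions for the demonstration only: an HMAC with a constructed key stands in for the RSA/Ed25519 signature, and the DKIM-Signature header itself is not included in the hashed data as a real signer would.

```python
"""What a DKIM signature covers, and which later edits break it.
Added example with constructed headers, body and key; not a DKIM library."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the domain's private key (assumption for this example).
SIGNING_KEY = b"example-only-signing-key"


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP runs, trim."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}"


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs,
    drop empty trailing lines, terminate every line with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def signed_header_data(headers, h_list):
    """Select, for each name in h=, the bottom-most not-yet-used instance
    (RFC 6376 5.4.2). A listed header that is absent contributes nothing,
    which is how a signer locks a header as 'absent'."""
    remaining = list(headers)
    out = []
    for name in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                out.append(relaxed_header(*remaining.pop(i)) + "\r\n")
                break
    return "".join(out)


def sign(headers, body, h_list):
    """Produce the bh= (body hash) and b= (signature stand-in) values."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
    data = signed_header_data(headers, h_list).encode()
    b = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return {"h": list(h_list), "bh": bh, "b": b}


def verify(headers, body, sig):
    """Recompute both hashes over the message as received."""
    bh = base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()
    if bh != sig["bh"]:
        return "fail: body hash mismatch"
    data = signed_header_data(headers, sig["h"]).encode()
    b = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(b, sig["b"]):
        return "fail: signed headers changed"
    return "pass"


def demo():
    """Sign a constructed message, then verify it after typical in-transit edits."""
    headers = [("From", "Alice <alice@yourdomain.example>"),
               ("To", "sales@vendor.example"),
               ("Subject", "Quote  request"),
               ("Message-ID", "<constructed-1@yourdomain.example>"),
               ("X-Mailer", "constructed-client/1.0")]
    body = "Hello,\nplease send a quote.  \n\n"
    sig = sign(headers, body, ["from", "to", "subject", "message-id"])

    without = lambda name: [h for h in headers if h[0] != name]
    return {
        "untouched": verify(headers, body, sig),
        # relaxed canonicalization absorbs whitespace-only rewrites
        "whitespace_only": verify(headers, "Hello,\nplease send a quote.\n", sig),
        # a scrubber removing a header that is NOT in h= is harmless
        "unsigned_header_removed": verify(without("X-Mailer"), body, sig),
        # a scrubber removing a header that IS in h= breaks the signature
        "signed_header_removed": verify(without("Message-ID"), body, sig),
        # a forwarder appending a footer changes the body hash
        "footer_added": verify(headers, body + "-- forwarded by list --\n", sig),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} {result}")
```

The practical check this suggests for the scrubbing case is ordering: anything that rewrites headers listed in h= (or touches the body beyond whitespace) must run before the signing stage, or the signature is broken on every message and the DMARC reports will show DKIM failing for your own domain from your own servers.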