I read that an SPF fail with DKIM pass means someone has forwarded an email with our domain name attached. I haven't sent any emails to this domain. Is this domain trying to send emails with my domain? Can I stop this behavior with a modification that I'm unaware of?

DMARC

v=DMARC1; p=reject; pct=100; aspf=s; adkim=s; sp=reject; rua=mailto:[email]; ruf=mailto:[email]; ri=84600; fo=1; rf=iodef;

SPF

v=spf1 include:[my domain] include:[friend's domain] -all

DMARC Report

  <record>
    <row>
      <source_ip>[redacted]</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>[my domain]</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>[unauthorized domain]</domain>
        <result>pass</result>
        <selector>[unauthorized subdomain]</selector>
      </dkim>
      <dkim>
        <domain>[my domain]</domain>
        <result>pass</result>
        <selector>[my subdomain]</selector>
      </dkim>
      <spf>
        <domain>[unauthorized domain]</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

For a full evaluation, it would help if you at least included the unauthorized domain.

I, personally, see this type of result fairly often when someone we send to is using a "cloud" hosted email solution. I send a message to someone at MIT at their @mit.edu email address, but they prefer using their personal Gmail account. On their side, they have set an auto-forward-all rule to send everything to their @gmail.com address.

The kicker is that MIT uses O365 as their email provider. So what I end up seeing is a DMARC report from Google about an email sent out of Outlook.com. Something like:

<identifiers>
  <header_from>[my domain].com</header_from>
</identifiers>
<auth_results>
      <dkim>
        <domain>protection.outlook.com</domain>
        <result>pass</result>
        <selector>s1_dkim.protection.outlook.com</selector>
      </dkim>
      <dkim>
        <domain>[my domain].com</domain>
        <result>pass</result>
        <selector>selector-[city_of_main_office]-01.[my domain].com</selector>
      </dkim>
      <spf>
        <domain>protection.outlook.com</domain>
        <result>pass</result>
      </spf>
</auth_results>

Notice that the report never mentions the MIT.edu domain (which is where I sent the message to).

By seeing the passes in this order, along with the header_from still indicating your domain, it is a near 100% likelihood that this report is talking about an auto-forward rule that someone has in place. Most important for you is that a spam report against this message would have minimal effect on your domain; by overstamping their DKIM and passing their SPF, the [unauthorized domain] has accepted send responsibility for this message. At this point the inclusion of the DKIM for your domain is more to prove a chain of custody (we forwarded it without editing it) than to prove who is a spammer.

  • This is identical to what I'm seeing in the reports and wanted someone else to confirm this as it's my first time administrating DMARC by myself. Thank you, Ruscal. – euclid4 Jan 09 '19 at 15:26
  • No problem. It takes a few to get used to what some of the more esoteric DMARC reports mean, but do get used to this pattern as you'll see it very often. If your email system isn't on the C/S/TS spectrum, there are also some very good online DMARC analysis services out there that handle figuring all this out for you. You just change your report mailto elements to include an address for their service, and they give you nice pretty reports that even the C-levels can smile at. (dmarcanalyzer.com and the like) – Ruscal Jan 09 '19 at 15:31
  • Thank you for the resource. I've used quite a few last week, but I haven't thought about using a service yet. Looks like it's something I could really use. – euclid4 Jan 09 '19 at 15:41
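As an added example (not code from the question or the answer), a small Python script that reads a DMARC aggregate report and flags the auto-forward pattern the answer describes: a DKIM signature aligned with header_from passes, SPF fails alignment, yet the forwarder's own SPF domain passes. The embedded report, its domains, selector and source IP are constructed, and the relaxed-alignment check uses a two-label approximation of the organizational domain rather than the public suffix list.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the question's report: policy_evaluated shows
# dkim=pass / spf=fail, auth_results shows the forwarder's DKIM and SPF passing too.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><adkim>s</adkim><aspf>s</aspf></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>forwarder.example.net</domain><result>pass</result><selector>s1</selector></dkim>
      <dkim><domain>example.com</domain><result>pass</result><selector>sel01</selector></dkim>
      <spf><domain>forwarder.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def org_domain(domain):
    # Approximation: last two labels stand in for the organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    # mode "s" = strict (exact match), anything else = relaxed (same org domain)
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def classify_records(xml_text):
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r") if pol is not None else "r"
    aspf = pol.findtext("aspf", "r") if pol is not None else "r"
    verdicts = []
    for rec in root.findall("record"):
        hf = rec.findtext("identifiers/header_from", "")
        dkim = [(d.findtext("domain", ""), d.findtext("result")) for d in rec.findall("auth_results/dkim")]
        spf = [(s.findtext("domain", ""), s.findtext("result")) for s in rec.findall("auth_results/spf")]
        dkim_ok = any(r == "pass" and aligned(d, hf, adkim) for d, r in dkim)
        spf_ok = any(r == "pass" and aligned(d, hf, aspf) for d, r in spf)
        # A raw SPF pass for an unaligned domain means another host took responsibility.
        third_party = [d for d, r in spf if r == "pass" and not aligned(d, hf, aspf)]
        if dkim_ok and not spf_ok and third_party:
            verdict = "likely forward: DKIM aligned, SPF passed for %s" % third_party[0]
        elif dkim_ok or spf_ok:
            verdict = "dmarc pass"
        else:
            verdict = "dmarc fail: investigate source_ip"
        verdicts.append({"source_ip": rec.findtext("row/source_ip"), "count": int(rec.findtext("row/count", "0")),
                         "header_from": hf, "dmarc_pass": dkim_ok or spf_ok, "verdict": verdict})
    return verdicts
```

Records tagged "dmarc fail" are the ones worth comparing against your own SPF includes; "likely forward" rows match the pattern in the answer and need no change to your records.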