I set up DKIM, DMARC and SPF on my domain/server a few years ago, and never touched it again since then.

Here are my DNS records (my domain is mydomain.com and my IP addresses are 1.1.1.1 and 2001::1):

mydomain.com.   0   TXT     "v=spf1 mx a ptr ip4:1.1.1.1 ip6:2001::1 include:_spf.google.com ?all"
dkim._domainkey.mydomain.com.   0   TXT     "v=DKIM1; k=rsa; t=y; p=mykey;"
_dmarc.mydomain.com.    0   TXT     "v=DMARC1; p=none; sp=none; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; rf=afrf; pct=100; ri=86400"

I assumed that the configuration was OK, because the DMARC reports I've been receiving for all this time seemed to be fine. An example of a legit and valid DMARC report I received a few days ago:

<feedback>
    <report_metadata>
        <org_name>google.com</org_name>
        <email>noreply-dmarc-support@google.com</email>
        <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
        <report_id>XXX</report_id>
        <date_range>
            <begin>1570579200</begin>
            <end>1570665599</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>mydomain.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
    </policy_published>
    <record>
        <row>
            <source_ip>1.1.1.1</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>pass</dkim>
                <spf>pass</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>mydomain.com</header_from>
        </identifiers>
        <auth_results>
            <dkim>
                <domain>mydomain.com</domain>
                <result>pass</result>
                <selector>dkim</selector>
            </dkim>
            <spf>
                <domain>mydomain.com</domain>
                <result>pass</result>
            </spf>
        </auth_results>
    </record>
</feedback>

Now the problem

For the first time ever, and for two days in a row, I've been receiving DMARC reports from mail.ru for emails I'm sure I didn't send. Although these DMARC reports show that both DKIM and SPF verifications failed (this should be reassuring, right?), I'm a bit worried about what it actually means. I've also checked my postfix logs, but nothing showed up.

This is the report I received this morning:

<feedback>
    <report_metadata>
        <org_name>Mail.Ru</org_name>
        <email>dmarc_support@corp.mail.ru</email>
        <extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info>
        <report_id>XXX</report_id>
        <date_range>
            <begin>1571443200</begin>
            <end>1571529600</end>
        </date_range>
    </report_metadata>
    <policy_published>
        <domain>mydomain.com</domain>
        <adkim>r</adkim>
        <aspf>r</aspf>
        <p>none</p>
        <sp>none</sp>
        <pct>100</pct>
    </policy_published>
    <record>
        <row>
            <source_ip>50.205.119.150</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>somesubdomain.mydomain.com</header_from>
        </identifiers>
        <auth_results>
            <spf>
                <domain>somesubdomain.mydomain.com</domain>
                <scope>mfrom</scope>
                <result>neutral</result>
            </spf>
        </auth_results>
    </record>
    <record>
        <row>
            <source_ip>46.225.251.206</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>somesubdomain.mydomain.com</header_from>
        </identifiers>
        <auth_results>
            <spf>
                <domain>somesubdomain.mydomain.com</domain>
                <scope>mfrom</scope>
                <result>neutral</result>
            </spf>
        </auth_results>
    </record>
    <record>
        <row>
            <source_ip>66.208.117.227</source_ip>
            <count>1</count>
            <policy_evaluated>
                <disposition>none</disposition>
                <dkim>fail</dkim>
                <spf>fail</spf>
            </policy_evaluated>
        </row>
        <identifiers>
            <header_from>somesubdomain.mydomain.com</header_from>
        </identifiers>
        <auth_results>
            <spf>
                <domain>somesubdomain.mydomain.com</domain>
                <scope>mfrom</scope>
                <result>neutral</result>
            </spf>
        </auth_results>
    </record>
</feedback>

Is there something I should worry about?

Foo

2 Answers


Although these DMARC reports show that both DKIM and SPF verifications failed (this should be reassuring, right?), I'm a bit worried about what it actually means.

The main point of a DMARC report is to get notified when somebody tries to spoof your domain. This is what happened here. Since your policy is explicitly "none", the mail was likely delivered like any other mail. If you don't want this, use a policy of "reject" or "quarantine".

I've also checked my postfix logs, but nothing showed up.

Your postfix logs can only show mails which were sent from or delivered to your mail server (MTA). If a sender gets spoofed, the MTA originally responsible for the spoofed domain is not involved in the delivery of the mail, and thus you cannot see anything there.

Steffen Ullrich
  • Thanks for your explanations. I've updated my policy to "reject". Hope these spoofing attempts will stop now! – Foo Oct 20 '19 at 11:05
  • @Foo: Spoofed mails will only be rejected when the receiving mail server actually checks the DMARC policy. I think Google, Microsoft and Yahoo do this, but many others don't. – Steffen Ullrich Oct 20 '19 at 11:07
  • Yeah, I get this, but I don't think there's anything else I can do to prevent spoofed emails on my domain, no? Scammers are not accessing my server, they don't have my credentials, they're just sending emails from their own servers pretending to be me. Is there something I can do to prevent this? – Foo Oct 20 '19 at 11:12
  • @Foo: *"Is there something I can do to prevent this?"* - This depends on the impact of spoofing on your domain. If the impact is high, you might start to digitally sign all your mails (i.e. PGP or S/MIME) and make this publicly clear so that users will not fall for any unsigned mails. This offers much better protection against spoofing but is also much harder to implement than DMARC, both for sender and recipient. – Steffen Ullrich Oct 20 '19 at 15:24

I see this question has been marked as answered, but has it really?

Of course DMARC is also meant to block spoofers, but at the same time, the aggregate reports are there to give you insight...

In your case, if you look up a random IP address for emails sent from subdomain.mydomain.com you'll find that it belongs to comcastbusiness.net. Subdomains are often used by external parties to send some newsletters or other messages on your behalf.

Are you sure about who is allowed to send on behalf of your domain and how these servers are set up? By moving your policy to reject you are, just maybe, killing 'legitimate' email. Of course, these IP addresses should then be included in the SPF record for the subdomain they are sending from and preferably have DKIM signing as well.

In large companies that are run in a decentralized way or have departments run shadow IT, it is quite normal to find unidentified legitimate mail flows. Then the search begins.

Reinto
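As an added example (not from the question or either answer), here is a small Python triage script for aggregate reports in the <feedback> format shown above. It groups records by header_from and separates aligned mail from messages that failed both DKIM and SPF and came from IPs outside a known-sender set, so the unidentified subdomain flow Reinto describes can be listed rather than eyeballed. The sample report and the KNOWN_SENDERS set are constructed (the set uses the two addresses from the question's SPF record).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the <feedback> shape of the reports above: one aligned
# row from a known IP, two rows failing both checks for a subdomain.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>mydomain.com</domain><p>none</p></policy_published>
  <record><row><source_ip>1.1.1.1</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers></record>
  <record><row><source_ip>50.205.119.150</source_ip><count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>somesubdomain.mydomain.com</header_from></identifiers></record>
  <record><row><source_ip>46.225.251.206</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>somesubdomain.mydomain.com</header_from></identifiers></record>
</feedback>"""

# Assumed known senders: the ip4/ip6 addresses from the question's SPF record.
KNOWN_SENDERS = {"1.1.1.1", "2001::1"}

def parse_report(xml_text):
    """One dict per <record> with the fields needed for triage."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
    return rows

def triage(rows, known_senders):
    """Group by header_from. Mail that failed both DKIM and SPF from an IP
    outside known_senders is either a spoof or an unidentified legitimate
    flow; with p=none it was still delivered (disposition 'none')."""
    summary = defaultdict(lambda: {"aligned": 0, "unknown_failed": [], "delivered_anyway": 0})
    for r in rows:
        s = summary[r["header_from"]]
        if r["dkim"] == "pass" or r["spf"] == "pass":
            s["aligned"] += r["count"]
        elif r["source_ip"] not in known_senders:
            s["unknown_failed"].append((r["source_ip"], r["count"]))
            if r["disposition"] == "none":
                s["delivered_anyway"] += r["count"]
    return dict(summary)
```

Each IP in unknown_failed is one to look up (as Reinto suggests) before moving to reject; a subdomain that sends mail needs its own SPF record, since the parent domain's record does not cover it.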