
We've received several rua reports indicating that one of our direct competitors is sending emails with our domain in the mail from headers.

I do not have access to the actual email sources, and I have no idea what would cause this. The one cause I can think of is that somebody at the competitor's company is sending out emails on our behalf (a conclusion I hope we can discredit).

Relevant rua report section:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  (...)
  <record>
    <row>
      <source_ip>209.85.220.69</source_ip><!-- mail-sor-f69.google.com -->
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>[our domain].com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>[competitor domain]-com.20150923.gappssmtp.com</domain>
        <result>pass</result>
        <selector>20150923</selector>
      </dkim>
      <spf>
        <domain>[competitor domain].com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

So, my question is:
What can cause this to happen? Is there normal behaviour that could cause these reports? Is this the result of legitimate email traffic, or is this an indication of malicious behaviour somewhere?


Side note
I'm unsure what the section means.

  (...)
  <reason>
    <type>local_policy</type>
    <comment>arc=pass</comment>
  </reason>
(...)
Reading up on DMARC `arc` leads me to suspect it may be caused by email forwarding, but shouldn't `arc` make sure the DKIM headers would still be available for authentication? In which case the forwarded email should not `fail` the DMARC policy?
Jacco
  • Also notice that it doesn't really matter whether aligned DKIM or SPF passes or not, because you have `none`; with a `p=none` policy every message will be delivered regardless. – Esa Jokinen Jan 24 '21 at 10:20
  • @EsaJokinen, yes, but I would still like to know what's happening with email claiming to be sent from our domain. – Jacco Jan 24 '21 at 10:30
  • It is hard to tell what the cause of the problem is without having access to the mail. But it does not necessarily need to be intentionally harmful. For example, there might be some technical mailing list which someone at your company is on and which incidentally is hosted by your competitor - which isn't that unusual. And a common problem with mailing lists is that they often try to distribute mails as-is with the original sender in `From`. – Steffen Ullrich Jan 24 '21 at 12:32
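As an added illustration (not code from the question, the comments or the answer), the following Python re-derives the DMARC verdict from a rua record like the one above and separates three cases: an aligned pass (your own mail), an authenticated-but-unaligned pass (a forwarder, a mailing list as Steffen describes, or another provider's tenant signing and sending as itself, which is exactly what the competitor's gappssmtp DKIM domain plus a foreign SPF domain looks like), and a fully unauthenticated source. The sample record, the example.com/competitor.com names, the 203.0.113.10 address and the two-label organizational-domain rule are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the question's record; IP and domains are placeholders.
SAMPLE_RUA = """<?xml version="1.0" encoding="UTF-8"?>
<feedback><record>
  <row><source_ip>203.0.113.10</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type><comment>arc=pass</comment></reason>
    </policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>competitor-com.20150923.gappssmtp.com</domain>
      <result>pass</result><selector>20150923</selector></dkim>
    <spf><domain>competitor.com</domain><result>pass</result></spf>
  </auth_results>
</record></feedback>"""

def org_domain(name):
    """Relaxed-alignment key. Simplification: last two labels. Real code must
    use the Public Suffix List (co.uk etc.) to find the organizational domain."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify_record(rec):
    """Re-derive the DMARC verdict for one <record> and explain why it failed."""
    hdr = rec.findtext("identifiers/header_from") or ""
    passes = []  # (mechanism, authenticated domain) for each mechanism that passed
    for mech in ("dkim", "spf"):
        for r in rec.findall(f"auth_results/{mech}"):
            if (r.findtext("result") or "").lower() == "pass":
                passes.append((mech, r.findtext("domain") or ""))
    aligned = [m for m, d in passes if org_domain(d) == org_domain(hdr)]
    if aligned:
        kind = "aligned"                      # genuinely your mail stream
    elif passes:
        kind = "authenticated_but_unaligned"  # a third party sent/signed as itself
    else:
        kind = "unauthenticated"              # nothing passed: spoof or misconfig
    comment = rec.findtext("row/policy_evaluated/reason/comment") or ""
    return {
        "source_ip": rec.findtext("row/source_ip"),
        "count": int(rec.findtext("row/count") or 0),
        "header_from": hdr,
        "dmarc_pass": bool(aligned),          # needs an *aligned* pass, not any pass
        "kind": kind,
        "passed_as": sorted({org_domain(d) for _, d in passes}),
        "arc_override": "arc=pass" in comment,  # receiver trusted the ARC chain
    }

def classify_report(xml_text):
    return [classify_record(r) for r in ET.fromstring(xml_text).findall("record")]
```

Run over a week of reports, `kind == "unauthenticated"` rows are the spoofing candidates, while `authenticated_but_unaligned` rows point at forwarders, lists or tenants to contact before tightening the policy.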

1 Answer


If you're sure that all of your legit mail passes DMARC, including that the header FROM domain (example.com) and the MAIL FROM (envelope FROM) domain, something like em.example.com, are in alignment (that is, both have example.com as the organizational domain), then you could try a more aggressive DMARC policy: p=quarantine (asks mailbox providers to route non-authentic mail to spam) or p=reject (asks mailbox providers to reject any mail that's not authenticated).

Do you know how many emails per week that aren't passing DMARC, say from this competitor, go out? Are any of your own email streams, ones that you send, failing DMARC? Are any of your own mail streams failing DMARC or SPF?

It's important to be very careful when moving to a more aggressive DMARC policy but if someone seems to be spoofing your domain, then you might consider cutting that off.

Do you feel comfortable calling this competitor or otherwise asking them if there's some misconfiguration on their side whereby they are mistakenly using your domain?