
In preparation for publishing a strict DMARC policy, I've:

  1. Published a reporting-only policy.
  2. Gathered nearly 2 months' worth of reports and uploaded them to dmarcian.
  3. Started analysing them and looking for usage problems which need to be remediated first.

A problem that I have is that dmarcian's reporting on forwarders is rather confusing to me. Below is an example regarding Google (the blurred-out sections are references to my domain name):

[image]

I understand that emails sent from my domain to recipients can be automatically forwarded by their email system to subsequent ones.

What I don't understand is why my domain name is listed under From: Domain (MIME-level 5322.From AKA "header" address) when I don't recognise the domain names listed under DKIM d=, DKIM selectors, and SPF Domain.

I've read the following articles but none have answered this particular question for me:

Does it mean, for example, that an email was sent to datadoghq.com which was forwarded to Gmail or an email was sent to Gmail which was forwarded to datadoghq.com? Is any of this even relevant to me?

Can anyone advise?

mythofechelon

1 Answer


The report is about email delivered to Google, having your domain in the header-from and not passing both DKIM and SPF alignment.

Looking at the first line of the report:

  • these are emails sent by datadoghq.com (the DKIM signature was theirs and SPF was valid for this domain)
  • these emails contained your own domain in the header-from field

In this case this looks like legit email traffic and could be solved by an include statement in your SPF record, or by changing the configuration of whatever service they are providing so that the header-from is not spoofed by them, or by configuring a DKIM signature on your domain for these emails.

The following three lines are similar. They seem to be legit services spoofing your header-from.

The last three lines look like rubbish and I wouldn't care. This is probably illegitimate email that should be blocked by DMARC.

  • That's how I would have read it but (1) those types of emails should appear under `DMARC Capable` or `Non-compliant sources`, not `Forwarders`, as far as I'm aware and (2) no one knows anything about those services being used to send emails. Thanks. – mythofechelon Oct 30 '20 at 09:54
  • They are probably under "forwarders" just because the DKIM signature is intact. Have a look here: https://dmarcian.com/how-does-dmarcian-identify-sourcesforwardingthreat/ – Rodolfo Saccani Nov 02 '20 at 16:53
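
The row-by-row reading described in the answer, as an added example that is not part of the original answer or dmarcian's own logic: it parses a DMARC aggregate report in the RFC 7489 XML layout and shows why a row can pass SPF and DKIM for a third-party domain yet still fail DMARC for the header-from domain. The sample report, `example.com` (standing in for the asker's domain), the other domain names and the IP addresses are constructed, and the alignment check is a simplified stand-in for relaxed alignment.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; example.com stands
# in for the report owner's domain, the other names and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>vendor.example.net</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>vendor.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.example.com</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>lists.example.org</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def aligned(auth_domain, header_from):
    # Simplified relaxed alignment: same domain, or one is a subdomain of the other.
    # A real evaluator compares organizational domains via the Public Suffix List.
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h or a.endswith("." + h) or h.endswith("." + a)

def evaluate(report_xml):
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        hfrom = rec.findtext("identifiers/header_from", "")
        auth = rec.find("auth_results")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), hfrom)
                      for d in auth.findall("dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain", ""), hfrom)
                     for s in auth.findall("spf"))
        rows.append({"source_ip": rec.findtext("row/source_ip"),
                     "count": int(rec.findtext("row/count")),
                     "dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
                     # DMARC passes when either mechanism both passes and aligns.
                     "dmarc_pass": dkim_ok or spf_ok})
    return rows

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REPORT):
        print(row)
```

The first constructed record matches the situation in the question: both checks pass, but for the sender's own domain, so neither aligns with the header-from and DMARC fails.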