In preparation for publishing a strict DMARC policy, I've:
- Published a reporting-only policy.
- Gathered nearly 2 months' worth of reports and uploaded them to dmarcian.
- Started analysing them and looking for usage problems which need to be remediated first.
A problem that I have is that dmarcian's reporting on forwarders is rather confusing to me. Below is an example regarding Google (the blurred-out sections are references to my domain name):
I understand that emails sent from my domain to recipients can be automatically forwarded by their email system to subsequent ones.
What I don't understand is why my domain name is listed under From: Domain (MIME-level 5322.From AKA "header" address) when I don't recognise the domain names listed under DKIM d=, DKIM selectors, and SPF Domain.
I've read the following articles but none have answered this particular question for me:
- https://dmarcian.com/how-does-dmarcian-identify-sourcesforwardingthreat/
- https://dmarcian.com/phishing-leaves-a-dmarc-trail/
- https://www.dmarcanalyzer.com/email-forwarders-dmarc/
Does it mean, for example, that an email was sent to datadoghq.com which was forwarded to Gmail or an email was sent to Gmail which was forwarded to datadoghq.com? Is any of this even relevant to me?
Can anyone advise?