
Today we received a spoofed email: it was sent to us "from us". (Assume we own foo.com -- real domain redacted.)

[screenshot: the received message as displayed in Gmail, shown as from foo.com]

This is disturbing, as it shows as "from foo.com", yet the sender is definitely not from "foo.com".

The mailbox "hello@foo.com" is a Google Group, set to allow anyone to "publish posts" (i.e. so people on the internet can send it messages, like a regular mailbox) but only members of "foo.com" can view those "posts" (i.e. the received emails).

We have DMARC (p=reject), DKIM and SPF configured.

Our DNS:

TXT foo.com                   "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"

TXT _dmarc.foo.com            "v=DMARC1; p=reject; rua=mailto:dmarc@foo.com;ruf=mailto:dmarc@foo.com; pct=100; aspf=r; adkim=r;"

TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

The message's headers:

Delivered-To: john@foo.com
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
         oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
         Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
         wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
         zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
         Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
         NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
         9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
         +tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
         o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
         Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
        by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
        for <john@foo.com>
        (Google Transport Security);
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com designates 209.85.220.69 as permitted sender) smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
         tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
         z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
         eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
         r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
         lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
         Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
         +Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
         nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
         Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
         DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=foo-com.20210112.gappssmtp.com; s=20210112;
        h=content-transfer-encoding:from:mime-version:date:subject:message-id
         :to:x-original-sender:x-original-authentication-results:reply-to
         :precedence:mailing-list:list-id:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
         QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
         Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
         5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
         wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
         aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
         :subject:message-id:to:x-original-sender
         :x-original-authentication-results:reply-to:precedence:mailing-list
         :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
         yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
         IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
         5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
         vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
         fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: hello@foo.com
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail; Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
        d=google.com; s=arc-20160816;
        b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
         vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
         23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
         RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
         pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
         6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:message-id:subject:date:mime-version:from
         :content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
         ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
         wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
         HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
         7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
         z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
        by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
        for <hello@foo.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49]) by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE for <hello@foo.com>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <hello@foo.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <3CBA8D0D-9028-4F28-90B7-397243A8D5A8@icloud.com>
To: hello@foo.com
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: Thespammer@icloud.com
X-Original-Authentication-Results: mx.google.com;
       dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 as permitted sender) smtp.mailfrom=thespammer@icloud.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <thespammer@icloud.com>
Reply-To: The Spammer <thespammer@icloud.com>
Precedence: list
Mailing-list: list hello@foo.com; contact hello+owners@foo.com
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: hello@foo.com
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, <mailto:hello@foo.com>
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, <mailto:hello+help@foo.com>
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: <mailto:googlegroups-manage+138202709934+unsubscribe@googlegroups.com>, <https://groups.google.com/a/foo.com/group/hello/subscribe>



Sent from my iPhone

Why is this email being allowed through?

Is it that icloud.com (the sender's SMTP server) doesn't honour DMARC, so accepts the email, then forwards onto gmail, and gmail assumes that icloud.com did the initial DMARC checks so doesn't bother? (Sorry, I'm very green in this area.)

  • Seems like there should be a DKIM header for `icloud.com`. At first glance, I'm wondering if you've correctly provided the headers and in the order they arrived in the message. – Paul Dec 13 '21 at 04:44
  • The headers and body have been copy-pasted from the GMail web UI (when you click "View Original" on the message) -- there's no reordering or omissions (at least that I've done). I have, however, replaced "mycompany.com" with "foo.com", and also "The Spammer's Name" with "The Spammer". – Lawrence Wagerfield Dec 13 '21 at 08:53
  • Why is there a bunch of Google Groups List headers and the message originating from `gappssmtp.com`? Was this sent via a list of some sort? – Paul Dec 13 '21 at 13:33
  • The email address "hello@foo.com" is for a Google Group. However, the group is merely used as a shared inbox among co-workers -- anyone on the internet can send emails _to_ it (like a regular inbox), but only members of the "foo.com" organisation receive them. – Lawrence Wagerfield Dec 13 '21 at 13:57
  • Hopefully someone with better understanding of these services or can spend more time reviewing the headers can comment or answer. I'm not clear why the `icloud.com` DKIM header is missing, but that could be part of the spoofing, or somehow a part of how that service normally functions, and I know nothing about Google Groups or why it is a good idea to have it default to being a sender for your organization. Note that ARC is experimental and IIRC includes some MAY statements. – Paul Dec 13 '21 at 14:12
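Why the last hop reports `dmarc=pass` for `header.from=foo.com` can be read straight off the headers quoted above, and it is worth doing mechanically rather than by eye. The Python below is an added example, not code from the question, from Google or from any DMARC implementation: it parses the `Authentication-Results` / `ARC-Authentication-Results` values and the `_dmarc` TXT record exactly as they appear in the question, re-derives identifier alignment the way RFC 7489 section 3.1 defines it, and walks the ARC instances oldest first. The `org_domain()` helper is a deliberate simplification (last two labels instead of the Public Suffix List) and the `ARC_CHAIN` pairing of instance numbers to values is my own reading of the headers.

```python
import re

# Values copied from the Authentication-Results / ARC-Authentication-Results headers and the
# _dmarc TXT record shown in the question (domains already redacted there).
DMARC_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc@foo.com;ruf=mailto:dmarc@foo.com; "
                "pct=100; aspf=r; adkim=r;")

# Final hop: what mx.google.com evaluated when the group copy reached john@foo.com.
FINAL_AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@foo-com.20210112.gappssmtp.com header.s=20210112 header.b=pcMriXR7; "
    "arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com "
    "dmarc=pass fromdomain=icloud.com); "
    "spf=pass (google.com: domain of hello+bncbd5zzup4wumbbbg43cgqmgqewk3xn7i@foo.com "
    "designates 209.85.220.69 as permitted sender) "
    "smtp.mailfrom=hello+bncBD5ZZUP4WUMBBBG43CGQMGQEWK3XN7I@foo.com; "
    "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com"
)

# First hop (ARC i=1): what mx.google.com evaluated when icloud.com delivered to hello@foo.com.
ARC_I1_AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@icloud.com header.s=1a1hai header.b=Jw3cDWAa; "
    "spf=pass (google.com: domain of thespammer@icloud.com designates 17.58.63.180 "
    "as permitted sender) smtp.mailfrom=thespammer@icloud.com; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com"
)

# i=2 on the page repeats the i=1 results, so only i=1 and i=3 are carried here.
ARC_CHAIN = [(1, ARC_I1_AUTH_RESULTS), (3, FINAL_AUTH_RESULTS)]

_COMMENT = re.compile(r"\([^()]*\)")


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: {'result': ..., prop: ...}})."""
    value = _COMMENT.sub("", value)  # comments carry '=' and spaces of their own; drop them first
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id, results = parts[0], {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": result, **props}
    return authserv_id, results


def parse_dmarc_record(txt):
    """Tag/value pairs of a DMARC TXT record ('p', 'aspf', 'adkim', ...)."""
    return {k.strip(): v.strip() for k, _, v in
            (item.partition("=") for item in txt.split(";")) if k.strip()}


def domain_of(identifier):
    """'user@example.com', '@example.com' or 'example.com' -> 'example.com'."""
    return identifier.rpartition("@")[2].lower()


def org_domain(domain):
    # Simplification for this example: the last two labels. Real DMARC code must consult
    # the Public Suffix List (think co.uk); this is enough to show the alignment logic.
    return ".".join(domain.split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') is an exact match, relaxed ('r') same org domain."""
    if mode == "s":
        return identifier_domain == from_domain
    return org_domain(identifier_domain) == org_domain(from_domain)


def evaluate_dmarc(auth_results, record):
    """Re-derive the DMARC verdict from the SPF and DKIM identifiers for the From: domain."""
    from_domain = domain_of(auth_results["dmarc"]["header.from"])
    dkim = auth_results.get("dkim", {})
    spf = auth_results.get("spf", {})
    dkim_aligned = (dkim.get("result") == "pass"
                    and aligned(domain_of(dkim["header.i"]), from_domain, record.get("adkim", "r")))
    spf_aligned = (spf.get("result") == "pass"
                   and aligned(domain_of(spf["smtp.mailfrom"]), from_domain, record.get("aspf", "r")))
    return {
        "from_domain": from_domain,
        "dkim_domain": domain_of(dkim.get("header.i", "")),
        "dkim_aligned": dkim_aligned,
        "spf_domain": domain_of(spf.get("smtp.mailfrom", "")),
        "spf_aligned": spf_aligned,
        "dmarc_pass": dkim_aligned or spf_aligned,  # either aligned identifier is enough
    }


def arc_trace(chain):
    """Oldest hop first: (instance, From: domain as seen at that hop, DMARC result there)."""
    out = []
    for i, value in sorted(chain):
        _, r = parse_auth_results(value)
        out.append((i, domain_of(r["dmarc"]["header.from"]), r["dmarc"]["result"]))
    return out


if __name__ == "__main__":
    record = parse_dmarc_record(DMARC_RECORD)
    _, final = parse_auth_results(FINAL_AUTH_RESULTS)
    print("ARC trace:", arc_trace(ARC_CHAIN))
    print("Final-hop DMARC:", evaluate_dmarc(final, record))
```

What it shows: at instance 1 the message authenticated as icloud.com, with DKIM and SPF both aligned to the original From: and icloud.com publishing p=quarantine. At the final hop the DKIM signature is `d=foo-com.20210112.gappssmtp.com`, whose organisational domain is gappssmtp.com, so DKIM does not align with foo.com even in relaxed mode; the pass comes from SPF, because the group's bounce address `hello+bnc...@foo.com` is the envelope sender and the delivering IP is inside `include:_spf.google.com`. DMARC evaluated exactly what the record asked it to, and the group's own infrastructure is what re-authored From:. A copy with `From: hello@foo.com` sent by the iCloud user directly to an outside recipient would have neither aligned identifier and would hit p=reject.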

1 Answer


I won't claim to be an expert on this, but the IETF pages for the X-Original-From header seem to imply this is expected behaviour when sending an email to a Google Apps mailing list.

Google Apps currently implements "aliases" as Google Groups (this has been true for a number of years now, prior to that there were separate aliases and groups). Because of this, a support@twitter.com address that redirects to internal users or an external CRM tool (salesforce) would be getting a groups rewritten message. These messages will not pass DKIM due to the rewriting, and so if they're from a DMARC p=REJECT/QUARANTINE domain such as yahoo.com, the from header will be rewritten to be the group name (support@twitter.com) and the x-original-from will be the original sender.

Have you checked the Google DMARC pages to see if the troubleshooting steps help you?

Given the spammer is sending from an iCloud address can you update the policy to block based on that X-Original-From header?

EDIT: re-reading the question, I don't think it is being spoofed - I think Google Apps' rewriting of the 'from' address is intended/default behaviour. Have you tested sending an email to the mailbox from a non-domain email address (e.g. throwaway hotmail account or similar)? Do you get the same behaviour?

shearn89
  • When I send an email to the mailbox from a non-domain email address, the sender's email address is within the chevrons "<>" in the "From: " header, not "hello@foo.com". This means it's not a behaviour that's applied to regular incoming email: this particular sender has done something different to have _our_ email address as their from address, it seems. – Lawrence Wagerfield Dec 15 '21 at 09:57
  • Okay, but that still sounds like expected behaviour as per the IETF pages, because the spammer's mail is getting marked as `dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com`. – shearn89 Dec 15 '21 at 09:59
  • Re. the troubleshooting steps: on reading the page it seems like generic DMARC setup guidance, rather than presenting any steps that we may have missed in configuring our Gmail account. As per the TXT records in the original question, we believe DMARC is set up correctly (but happy to be told otherwise!). – Lawrence Wagerfield Dec 15 '21 at 10:01
  • If I'm reading the 1st link correctly (which you've kindly quoted the content for): any sender from a DMARC REJECT/QUARANTINE domain will have their "From:" header rewritten to "" when sending email to us? – Lawrence Wagerfield Dec 15 '21 at 10:06
  • If that's the case, then there's no issue I suppose: it's only us (members of foo.com) that ever see this "spoofing" -- the spammer cannot masquerade as us when sending email to anyone outside of the organisation. Thanks! – Lawrence Wagerfield Dec 15 '21 at 10:10
  • No problem. Don't forget to upvote/mark as answered! – shearn89 Dec 15 '21 at 10:11
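The answer's closing suggestion, acting on `X-Original-From`, is straightforward to turn into a check over the delivered headers, and the same check separates the three situations discussed in the comments: a From: rewritten by the group, a From: the group passed through untouched, and ordinary first-party mail. The Python below is an added example, not code from the answer and not a specification of Google's behaviour. It uses only the standard library, the headers quoted in the question for the rewritten case, and two constructed contrast messages; `OUR_DOMAIN`, the verdict labels and the two constructed messages are assumptions made for the example.

```python
import email
from email.utils import parseaddr

OUR_DOMAIN = "foo.com"  # the organisation's domain in the question

# Headers excerpted from the message in the question (hop-by-hop headers omitted).
REWRITTEN_MSG = """\
From: "'The Spammer' via Hello" <hello@foo.com>
To: hello@foo.com
Subject: Helping what I already have!
Message-Id: <3CBA8D0D-9028-4F28-90B7-397243A8D5A8@icloud.com>
X-Original-Sender: Thespammer@icloud.com
X-Original-From: The Spammer <thespammer@icloud.com>
Reply-To: The Spammer <thespammer@icloud.com>
Precedence: list
X-BeenThere: hello@foo.com
List-ID: <hello.foo.com>

Sent from my iPhone
"""

# Constructed contrast case (not from the page): a sender whose domain publishes no
# restrictive DMARC policy, so the group leaves From: alone, as the asker observed.
PASSTHROUGH_MSG = """\
From: Some Person <someone@example.net>
To: hello@foo.com
Subject: a normal enquiry
Precedence: list
X-BeenThere: hello@foo.com
List-ID: <hello.foo.com>

hi there
"""

# Constructed contrast case (not from the page): ordinary internal mail, no group headers.
INTERNAL_MSG = """\
From: Jane Doe <jane@foo.com>
To: john@foo.com
Subject: lunch

noon?
"""


def _addr(msg, header):
    """Lower-cased address part of a header, '' if the header is absent."""
    return parseaddr(msg.get(header, ""))[1].lower()


def _domain(addr):
    return addr.rpartition("@")[2]


def classify(raw):
    """Label a delivered message by how its From: relates to the real sender.

    'verdict' is one of: group-rewritten-external (From: is our group but the message
    originated outside), group-passthrough (came via our group, From: left as the
    outside sender), first-party (our domain, not via a group), other.
    """
    msg = email.message_from_string(raw)
    display_from = _addr(msg, "From")
    # Google Groups records the pre-rewrite sender in X-Original-From / X-Original-Sender.
    original = _addr(msg, "X-Original-From") or _addr(msg, "X-Original-Sender")
    via_our_group = _domain(_addr(msg, "X-BeenThere")) == OUR_DOMAIN

    if (via_our_group and _domain(display_from) == OUR_DOMAIN
            and original and _domain(original) != OUR_DOMAIN):
        verdict = "group-rewritten-external"
    elif via_our_group and _domain(display_from) != OUR_DOMAIN:
        verdict = "group-passthrough"
    elif not via_our_group and _domain(display_from) == OUR_DOMAIN and not original:
        verdict = "first-party"
    else:
        verdict = "other"
    return {
        "verdict": verdict,
        "display_from": display_from,
        "display_name": parseaddr(msg.get("From", ""))[0],
        "actual_sender": original or display_from,
        "reply_to": _addr(msg, "Reply-To"),
    }


if __name__ == "__main__":
    for name, raw in (("rewritten", REWRITTEN_MSG), ("passthrough", PASSTHROUGH_MSG),
                      ("internal", INTERNAL_MSG)):
        print(name, classify(raw))
```

The `group-rewritten-external` verdict is the condition a Gmail filter or a Workspace content-compliance rule would key on: match on `X-Original-Sender` (or `X-Original-From`) not ending in `@foo.com`, and quarantine, label or prepend a warning to the subject. Two caveats a practitioner should keep in mind: the `"... via Hello"` display name and the `Reply-To` pointing back at the outside address are the only cues a member sees in a normal mail client, so a rule that surfaces `actual_sender` is more useful than one that just drops the mail; and the rewrite exists only on the copy the group distributes to members, so none of this changes what an outside recipient would see if the same person tried to send as foo.com directly.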