Pretty new to SPF/DKIM and DMARC.

After setting this up just this morning I already got a report on a new website. Our service emails our users via SendGrid and the rest of the emails are sent from our Google Workspace accounts.

Our SPF looks like the following:

v=spf1 include:_spf.google.com include:sendgrid.net ~all 

Google is authenticating the DKIM records; based on their control panel, I can only "stop authenticating" (How long should it take for google to authenticate a DKIM TXT DNS entry?)

The dmarc dns record looks like:

v=DMARC1; p=none; rua=mailto:noreply-dmarc-support@mydomain.com; ruf=mailto:noreply-dmarc-support@mydomain.com; fo=0;

So based on this I'm not sure if the screenshot report is saying I have things configured wrong, or if someone tried to send an email fraudulently. And if it is the latter, what should I do about it?

The 2nd IP is making me think I have things ill-configured, as it comes from SendGrid: https://whatismyipaddress.com/ip/168.245.72.219

John
  • I'm not familiar with that interface, but it looks like the report comes from `emailsrvr.com`? Either use a tool like `mail-tester.com` or see if you can figure out whether you sent a message to a domain using that mail server, or find a domain using that mail server, and send them a message using your authorized sending servers. Then see if you can get a copy of the received message with headers intact. – Paul Apr 17 '22 at 13:36
  • You have pass on SPF, which means that your sender envelope address aligns with the domain of the SPF record, and DKIM pass, which means that the signature is correct. You have alignment failures of both SPF and DKIM, which very likely means that your sender envelope address does not align with the header From: address. And this likely means there is some misconfiguration on your side, but it is hard to pinpoint with the data you provided. And the above suggestion to check with `mail-tester.com` is worth trying. – Tomek Apr 17 '22 at 19:32
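The alignment logic in Tomek's comment, worked through as an added example (not code from the question or either answer): a minimal DMARC evaluator run over a constructed aggregate-report snippet shaped like an RFC 7489 `rua` record. All domains, IPs and counts are placeholders; the second record assumes a relay whose envelope MAIL FROM and DKIM `d=` are its own domain (here `sendgrid.net`), which is the situation where SPF and DKIM each pass yet DMARC fails on alignment.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an RFC 7489 aggregate report: one message
# sent from the domain's own mail (aligned) and one sent via a relay whose
# MAIL FROM and DKIM d= are the relay's own domain. Placeholder data only.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>mydomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>3</count></row><identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results><dkim><domain>mydomain.com</domain><result>pass</result></dkim>
  <spf><domain>mydomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.20</source_ip><count>1</count></row><identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results><dkim><domain>sendgrid.net</domain><result>pass</result></dkim>
  <spf><domain>sendgrid.net</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Production code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate(report_xml: str) -> list:
    """Return (source_ip, dmarc_result) per record. A record passes DMARC if
    SPF or DKIM both passed AND aligns with the header From domain."""
    root = ET.fromstring(report_xml)
    pol = root.find("policy_published")
    adkim, aspf = pol.findtext("adkim", "r"), pol.findtext("aspf", "r")
    verdicts = []
    for rec in root.findall("record"):
        hf = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hf, adkim)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hf, aspf)
                     for s in rec.findall("auth_results/spf"))
        verdicts.append((rec.findtext("row/source_ip"), "pass" if (dkim_ok or spf_ok) else "fail"))
    return verdicts
```

Running `evaluate(SAMPLE_REPORT)` marks the first source `pass` and the second `fail`, even though both show `spf=pass` and `dkim=pass`; the fix for such a record is to authenticate the sending service's domain so its envelope and `d=` domains sit under the header From domain.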

2 Answers

There is not enough information to determine if your configuration is correct.

If someone is sending spam with your domain, then your current configuration could be made stronger to protect your domain's reputation.

The SPF record should use the fail (-all) mechanism instead of the softfail (~all) mechanism.

The DMARC policy should be p=quarantine or p=reject. Note that with p=reject, most receiving servers will silently discard messages, so if you have a configuration problem with sending, then your messages will not even arrive in a spam folder.

Paul

The main issue with cheap services like MXToolbox is that they do not offer all the bells and whistles that a solution like Proofpoint or OnDMARC offers.

In theory, DMARC is easy: you identify all the legit services (use the reporting mode while doing it), then proactively set the correct SPF and DKIM, and then lock the domain down by moving to p=reject.

In reality it's not that simple. SendGrid can also be used to impersonate a domain without DMARC, so checking that this IP is SendGrid's does not mean it's coming from you.

My advice would be: if you're a small business, try your best by proactively setting it up and moving to reject, and if you're a bigger business, invest in a proper solution.

ricknroll