
I recently added a DMARC record for one of my domains. Let's call it mydomain.com:

v=DMARC1;p=none;rua=mailto:dmarc_reports@mydomain.com;ruf=mailto:dmarc_reports@mydomain.com;fo=1

I have been receiving reports over the last couple of days, but there are a few records I don't quite understand. For example:

  <record>
    <row>
      <source_ip>217.72.192.73</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>2014</selector>
      </dkim>
      <spf>
        <domain>srs2.kundenserver.de</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>

My SPF record does not include 217.72.192.73 or srs2.kundenserver.de and I have never heard of or used this server to send emails before, so it's pretty safe to assume this was someone trying to spoof an email from mydomain.com. It's also understandable that it would report SPF as passed, but unaligned. However, what I'm wondering about is how did this PASS the DKIM?

I have the following entry in my domain's DNS:

2014._domainkey.mydomain.com.   IN  TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbY9HBzct5lz6"
    "43Wv4pnudx+Ei6/YKifIr+AIUi5mpNGOYu6P81ooIJozVlY8flLSseurs8CFDuvs1j7FznUyrfVuYE/g"
    "6uD17VSaZwqfciW9wBdN25ruM0wRX+9tC7p8IDBUo1hJhrk5ngiwJpz/jpcXmfTjQdbE1M+yMrujUFNC"
    "vMqS2YAaAqVYPe4TMgpRum23oZm9PX0iqgkShiUXzNLzTM8NIaWXrHPnBaeKoNChbPZlHPCyvLqbJbRJ"
    "L+bj3P7B+9Pey04xbi2SalqH1XNLKU20Nd4wZAQAVHFvUoyj2XAzaOQnRSLavDCUYgBpt/Y9u9oAU+mb"
    "Cg2SLWzrQIDAQAB" )

As we can see from the report, the selector that matched is 2014, which is from this DNS entry.

Since this email was presumably not signed by my server's private key, should this not be a fail? Could this mean that perhaps someone has gained access to my private key? The weird thing is that there are 5 records for emails that were sent by servers not listed in my SPF record, and ALL of these list DKIM as "passed". I don't have any DKIM failed reports.

Mike

1 Answer

When you see DKIM=pass but SPF=fail (the IP is not in the range covered by the SPF record), that may indicate that your mail has been auto-forwarded by the server whose IP you see in the XML report.

In your particular case, one of your email recipients has a mailbox on 1&1 hosting (the kundenserver.de domain belongs to them) and that mailbox has active forwarding to some other address.

If you look at the value in the "org_name" tag (the sender of the aggregate report) you will know who the final recipient of the email was. A few of the possible values you may see: "google.com", "Yahoo! Inc.", "AMAZON-SES", "comcast.net", "emailsrvr.com", "FastMail Pty Ltd", "Mail.Ru"...

So, no need to worry. Also, you can always re-generate the DKIM key used for mail signing and update the DKIM public key in DNS if you suspect that your private key has leaked.

To make life easier, I would recommend deploying one of the DMARC report processing and analysis solutions listed on the DMARC.org website:

When you deploy DMARC for your domain, you will get an overall picture of all email sources used for sending emails from your domain, including their SPF, DKIM and DMARC authentication statuses.

I may suggest you try EasyDMARC, because I have used it since early 2018.

Zonder
  • Thank you for the explanation. I was already using EasyDMARC. It's great. However, one more quick question: if I set the DMARC policy to quarantine or reject, will this affect messages that have been forwarded like this? – Mike Aug 06 '19 at 18:03
  • Reject / Quarantine is being applied to mails which fail both SPF and DKIM checks. So for messages like in your particular case, the applied policy will be NONE – Zonder Aug 07 '19 at 13:51
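As an added example (not code from the question or the answer), a small Python script that parses aggregate-report records like the one in the question and applies the reasoning from the answer and the last comment: DMARC passes when either SPF or DKIM passes for a domain aligned with header_from, so a DKIM pass with SPF passing only for a foreign domain such as srs2.kundenserver.de points to forwarding, while only records where neither identifier aligns would be affected by p=quarantine or p=reject. The sample report, the org_name value and the second record are constructed, and the two-label organizational-domain rule is a simplification of relaxed alignment.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (not a real one): record 1 mirrors the
# forwarded message in the question, record 2 is a hypothetical message that
# passes neither check and is the only kind a quarantine/reject policy would hit.
SAMPLE_REPORT = """<feedback>
<report_metadata><org_name>example-receiver.test</org_name></report_metadata>
<record><row><source_ip>217.72.192.73</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results><dkim><domain>mydomain.com</domain><result>pass</result><selector>2014</selector></dkim>
<spf><domain>srs2.kundenserver.de</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
<policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
<identifiers><header_from>mydomain.com</header_from></identifiers>
<auth_results><spf><domain>mydomain.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""

def org_domain(name):
    # Relaxed alignment compares organizational domains; as a simplification we
    # take the last two labels rather than consulting a public suffix list.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(record):
    """Work out which identifiers aligned with header_from and what that suggests."""
    header_from = record.findtext("identifiers/header_from")
    spf_pass = [s.findtext("domain") for s in record.findall("auth_results/spf")
                if s.findtext("result") == "pass"]
    dkim_pass = [d.findtext("domain") for d in record.findall("auth_results/dkim")
                 if d.findtext("result") == "pass"]
    spf_aligned = any(org_domain(d) == org_domain(header_from) for d in spf_pass)
    dkim_aligned = any(org_domain(d) == org_domain(header_from) for d in dkim_pass)
    if dkim_aligned and not spf_aligned and spf_pass:
        verdict = "likely forwarded"   # SPF passed only for the forwarder's domain
    elif dkim_aligned or spf_aligned:
        verdict = "authenticated"      # DMARC passes on at least one aligned identifier
    else:
        verdict = "unauthenticated"    # neither aligned: subject to the published policy
    return {"source_ip": record.findtext("row/source_ip"),
            "count": int(record.findtext("row/count")),
            "dmarc_pass": dkim_aligned or spf_aligned,
            "spf_pass_domains": spf_pass,
            "verdict": verdict}

def analyse(xml_text):
    """Return one classification dict per <record> in the report."""
    return [classify(r) for r in ET.fromstring(xml_text).findall("record")]
```

Running `analyse` over a real report's XML gives the same per-source breakdown, so the forwarded-mail pattern can be separated from sources that would actually be quarantined or rejected before tightening the policy.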