I recently added a DMARC record for one of my domains. Let's call it mydomain.com:
v=DMARC1;p=none;rua=mailto:dmarc_reports@mydomain.com;ruf=mailto:dmarc_reports@mydomain.com;fo=1
I have been receiving reports over the last couple of days, but there are a few records I don't quite understand. For example:
<record>
  <row>
    <source_ip>217.72.192.73</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
      <selector>2014</selector>
    </dkim>
    <spf>
      <domain>srs2.kundenserver.de</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
My SPF record does not include 217.72.192.73 or srs2.kundenserver.de, and I have never heard of or used this server to send emails before, so it's pretty safe to assume this was someone trying to spoof an email from mydomain.com. It's also understandable that it would report SPF as passed, but unaligned. However, what I'm wondering about is how did this PASS the DKIM check?
I have the following entry in my domain's DNS:
2014._domainkey.mydomain.com. IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArbY9HBzct5lz6"
"43Wv4pnudx+Ei6/YKifIr+AIUi5mpNGOYu6P81ooIJozVlY8flLSseurs8CFDuvs1j7FznUyrfVuYE/g"
"6uD17VSaZwqfciW9wBdN25ruM0wRX+9tC7p8IDBUo1hJhrk5ngiwJpz/jpcXmfTjQdbE1M+yMrujUFNC"
"vMqS2YAaAqVYPe4TMgpRum23oZm9PX0iqgkShiUXzNLzTM8NIaWXrHPnBaeKoNChbPZlHPCyvLqbJbRJ"
"L+bj3P7B+9Pey04xbi2SalqH1XNLKU20Nd4wZAQAVHFvUoyj2XAzaOQnRSLavDCUYgBpt/Y9u9oAU+mb"
"Cg2SLWzrQIDAQAB" )
As we can see from the report, the selector that matched is 2014, which is from this DNS entry.
Since this email was presumably not signed by my server's private key, should this not be a fail? Could this mean that perhaps someone has gained access to my private key? The weird thing is that there are 5 records for emails that were sent by servers not listed in my SPF record, and ALL of these list DKIM as "passed". I don't have any DKIM failed reports.
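Added example, not part of the question and not code from any DMARC tool: a small Python script that re-derives the DMARC verdict for the record quoted above from its <auth_results>, the way a receiving mail server does. It makes the security-relevant point visible: the DKIM result is "pass" for mydomain.com under selector 2014, which means the message carried a signature that verified against the public key in that DNS entry, while SPF passed only for the unrelated domain srs2.kundenserver.de and is therefore unaligned. That combination (aligned DKIM pass, SPF pass for a foreign domain, often an SRS-rewritten envelope sender) is the usual fingerprint of a message that your own server sent and a recipient's mailbox then forwarded: SPF is evaluated against the forwarder's connection, but the DKIM signature covers the message itself and survives the hop. Assumptions: the embedded sample is the record from the question; organizational_domain() uses a last-two-labels shortcut instead of the Public Suffix List that real evaluators use; the likely_forwarded flag is a triage heuristic of this example, not something defined in RFC 7489.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one <record> from a DMARC aggregate (RUA) report,
# copied from the record quoted in the question above.
SAMPLE_RECORD = """<record>
  <row>
    <source_ip>217.72.192.73</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>mydomain.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>mydomain.com</domain>
      <result>pass</result>
      <selector>2014</selector>
    </dkim>
    <spf>
      <domain>srs2.kundenserver.de</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>"""


def organizational_domain(domain):
    """Crude organizational-domain extraction: the last two labels.
    Assumption for this example only; real DMARC evaluators consult the
    Public Suffix List (RFC 7489 section 3.2) so that e.g. example.co.uk works."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode="r"):
    """DMARC identifier alignment (RFC 7489 section 3.1).
    's' = strict: authenticated domain must equal the header From domain.
    'r' = relaxed (default): same organizational domain is enough."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return organizational_domain(auth_domain) == organizational_domain(header_from)


def evaluate_record(xml_text, adkim="r", aspf="r"):
    """Re-derive the DMARC verdict for one aggregate-report <record>:
    DMARC passes when at least one DKIM or SPF result is 'pass' AND that
    result's domain aligns with header_from."""
    rec = ET.fromstring(xml_text)
    header_from = rec.findtext("identifiers/header_from") or ""
    verdict = {
        "source_ip": rec.findtext("row/source_ip"),
        "header_from": header_from,
        "dkim_pass_aligned": False,
        "spf_pass_aligned": False,
        "spf_pass_unaligned": False,
        "dkim_selectors": [],
    }
    for dk in rec.findall("auth_results/dkim"):
        d = dk.findtext("domain") or ""
        verdict["dkim_selectors"].append((d, dk.findtext("selector")))
        if dk.findtext("result") == "pass" and aligned(d, header_from, adkim):
            verdict["dkim_pass_aligned"] = True
    for sp in rec.findall("auth_results/spf"):
        d = sp.findtext("domain") or ""
        if sp.findtext("result") == "pass":
            if aligned(d, header_from, aspf):
                verdict["spf_pass_aligned"] = True
            else:
                verdict["spf_pass_unaligned"] = True
    verdict["dmarc_pass"] = verdict["dkim_pass_aligned"] or verdict["spf_pass_aligned"]
    # Heuristic (this example's own, not RFC 7489): SPF passed for a foreign
    # domain while an aligned DKIM signature survived. DKIM signs the message,
    # not the connection, so a forwarded message keeps its signature; an aligned
    # DKIM pass always means the signature verified against the selector's key.
    verdict["likely_forwarded"] = verdict["dkim_pass_aligned"] and verdict["spf_pass_unaligned"]
    return verdict


def explain(verdict):
    """One-line triage summary for a record."""
    if verdict["likely_forwarded"]:
        return "DMARC pass via DKIM; SPF unaligned because the envelope sender belongs to a forwarder"
    if verdict["dmarc_pass"]:
        return "DMARC pass"
    return "DMARC fail: no aligned DKIM or SPF pass"


if __name__ == "__main__":
    v = evaluate_record(SAMPLE_RECORD)
    print(v["source_ip"], v["dkim_selectors"], explain(v))
```

Running the script over the sample prints the source IP, the (domain, selector) pair that produced the DKIM pass, and "DMARC pass via DKIM; SPF unaligned ...". To tell genuine forwarding from a compromised signing key, correlate such records with your own outbound mail logs (your server should have sent a message to someone who forwards it around the report window); if that correlation cannot be made, publishing a new selector and retiring the old key is cheap, and a p=none policy already reports rather than rejects, so nothing is lost by rotating.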