Getting Spoofed - DMARC , DKIM and SPF are properly setup (AFIK)

Ask Question

Asked 9 months ago

Modified 9 months ago

Viewed 42 times

I have been testing my DMARC policy for some weeks and I ran into this issue. Background:

SPF - setup and working
DKIM - set up and working (AFIK)
DMARC - set up and working - looking for alignments and reject set to 100

For the most part, this is working great. Rejects the spoofers with only one exception. A video creation company (with a track record of spamming) is able to spoof my email when going through Google.

Here is a sample record. Assume "example.com" is my company and "(spoofing domain).cc" is the spoofer. I get why the pass SPF as that has to do with Google's forwarding. I don't get how they pass DKIM.

<record>
    <row>
      <source_ip>209.85.220.41</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>example.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>example.com</domain>
        <result>pass</result>
        <selector>selector1</selector>
      </dkim>
      <spf>
        <domain>(spoofing domain).cc</domain>
        <result>pass</result>
      <spf>
    <auth_results>
  <record>

asked Sep 6, 2023 at 14:19

mat

DKIM is either working (your assertion) or not working (error report). Since we can't see the config, we can't validate your assertion.
– symcbean
Commented Sep 6, 2023 at 14:34
When DKIM is correctly configured the private key is only available on the corresponding server. So, either it's your server who signed the mail, or your private key is compromised. There is no other way for DKIM to pass. Either way is a huge problem which absolutely needs to be addressed.
– Nikita Kipriyanov
Commented Sep 6, 2023 at 15:20
Thanks. this is the information on DKIM and DMARC in my DNS. _dmarc has this value: v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;adkim=s;rua=mailto:[email protected],mailto:[email protected];ruf=mailto:[email protected];fo=1; selector1._domainkey has this value: selector1-example-com._domainkey.example.onmicrosoft.com
– mat
Commented Sep 6, 2023 at 15:23
domain key is CNAME leading to some domain owned by someone else? You're not the admin of the mail server in question? So ask your mail service provider how it's possible that spoofed mail got signed. And, generally, direct other questions about your mail you have to their support too.
– Nikita Kipriyanov
Commented Sep 6, 2023 at 15:51
Nikita - Thanks. We use Microsoft 365, BTW.
– mat
Commented Sep 6, 2023 at 16:33

Add a comment |

Stack Exchange Network

Getting Spoofed - DMARC , DKIM and SPF are properly setup (AFIK)

0

You must log in to answer this question.

Browse other questions tagged
dkim
dmarc
spoofing
.

Hot Network Questions

Getting Spoofed - DMARC , DKIM and SPF are properly setup (AFIK)

0

You must log in to answer this question.

Browse other questions tagged dkimdmarcspoofing.

Related

Hot Network Questions

Browse other questions tagged
dkim
dmarc
spoofing
.