I have been testing my DMARC policy for some weeks and I ran into this issue. Background:

  1. SPF - setup and working
  2. DKIM - set up and working (AFAIK)
  3. DMARC - set up and working - looking for alignments and reject set to 100

For the most part, this is working great. It rejects the spoofers, with only one exception: a video creation company (with a track record of spamming) is able to spoof my email when going through Google.

Here is a sample record. Assume "example.com" is my company and "(spoofing domain).cc" is the spoofer. I get why they pass SPF, as that has to do with Google's forwarding. I don't get how they pass DKIM.

<record>
  <row>
    <source_ip>209.85.220.41</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>example.com</domain>
      <result>pass</result>
      <selector>selector1</selector>
    </dkim>
    <spf>
      <domain>(spoofing domain).cc</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
  • DKIM is either working (your assertion) or not working (error report). Since we can't see the config, we can't validate your assertion.
    – symcbean
    Commented Sep 6, 2023 at 14:34
  • When DKIM is correctly configured the private key is only available on the corresponding server. So, either it's your server who signed the mail, or your private key is compromised. There is no other way for DKIM to pass. Either way is a huge problem which absolutely needs to be addressed. Commented Sep 6, 2023 at 15:20
  • Thanks. This is the information on DKIM and DMARC in my DNS. _dmarc has this value: v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;adkim=s;rua=mailto:[email protected],mailto:[email protected];ruf=mailto:[email protected];fo=1; selector1._domainkey has this value: selector1-example-com._domainkey.example.onmicrosoft.com
    – mat
    Commented Sep 6, 2023 at 15:23
  • The domain key is a CNAME leading to some domain owned by someone else? You're not the admin of the mail server in question? So ask your mail service provider how it's possible that spoofed mail got signed. And, generally, direct other questions about your mail you have to their support too. Commented Sep 6, 2023 at 15:51
  • Nikita - Thanks. We use Microsoft 365, BTW.
    – mat
    Commented Sep 6, 2023 at 16:33
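The following is an added worked example, not code from the question or the comments. It re-derives the DMARC outcome for the aggregate-report record in the question using the DMARC TXT record quoted in the comments (aspf=s, adkim=s, p=reject). Both inputs are embedded as constructed samples: the record's closing tags are written correctly, and the redacted rua/ruf mailboxes are replaced by labelled placeholders. The organizational-domain helper is simplified to the last two labels (a real evaluator uses the Public Suffix List). The point it shows: DMARC passes when any one authenticated identifier aligns with the header From domain. Here SPF passed for the spoofer's own domain but does not align (hence policy_evaluated spf=fail), while the DKIM signature with d=example.com and selector1 aligns strictly, so disposition "none" is exactly what the policy produces. That moves the investigation to the DKIM signature itself: which system holds the key behind selector1 (the CNAME points at the mail provider, as the commenters note) and how this sender's mail came to carry a signature from it.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the DMARC TXT record quoted in the comments, with the
# rua/ruf mailboxes (redacted on the page) replaced by labelled placeholders.
DMARC_TXT = (
    "v=DMARC1;p=reject;pct=100;sp=reject;aspf=s;adkim=s;"
    "rua=mailto:RUA-PLACEHOLDER@example.com;ruf=mailto:RUF-PLACEHOLDER@example.com;fo=1;"
)

# Constructed sample: the <record> from the question, made well-formed
# (the posted copy had </spf>, </auth_results> and </record> as opening tags).
REPORT_RECORD = """<record>
  <row>
    <source_ip>209.85.220.41</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>example.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>example.com</domain>
      <result>pass</result>
      <selector>selector1</selector>
    </dkim>
    <spf>
      <domain>(spoofing domain).cc</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
"""


def parse_dmarc_txt(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption:
    a real evaluator consults the Public Suffix List instead)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_record(record_xml, policy_txt):
    """Re-derive the DMARC outcome for one aggregate-report <record>."""
    tags = parse_dmarc_txt(policy_txt)
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    out = {"header_from": header_from, "dkim": [], "spf": []}

    # An identifier counts only if the underlying check passed AND its domain
    # aligns with the RFC5322.From domain under the policy's adkim/aspf mode.
    for d in rec.findall("auth_results/dkim"):
        dom, res = d.findtext("domain"), d.findtext("result")
        out["dkim"].append({
            "domain": dom, "selector": d.findtext("selector"), "result": res,
            "aligned": res == "pass" and aligned(dom, header_from, tags.get("adkim", "r")),
        })
    for s in rec.findall("auth_results/spf"):
        dom, res = s.findtext("domain"), s.findtext("result")
        out["spf"].append({
            "domain": dom, "result": res,
            "aligned": res == "pass" and aligned(dom, header_from, tags.get("aspf", "r")),
        })

    # DMARC passes if at least one aligned identifier authenticated; with
    # pct=100 a failing message would get the p= disposition.
    out["dmarc_pass"] = any(x["aligned"] for x in out["dkim"] + out["spf"])
    out["expected_disposition"] = "none" if out["dmarc_pass"] else tags.get("p", "none")
    out["reported_disposition"] = rec.findtext("row/policy_evaluated/disposition")
    return out


if __name__ == "__main__":
    result = evaluate_record(REPORT_RECORD, DMARC_TXT)
    for ident in ("dkim", "spf"):
        for entry in result[ident]:
            print(f"{ident}: domain={entry['domain']!r} result={entry['result']} aligned={entry['aligned']}")
    print("DMARC pass:", result["dmarc_pass"], "| expected disposition:",
          result["expected_disposition"], "| reported:", result["reported_disposition"])
```

Running it prints one line per authenticated identifier and the derived versus reported disposition; comparing the two across a whole report is a quick way to confirm a receiver is applying your policy as published before digging into individual DKIM signatures.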