The email address of the sender of our newsletter is used for phishing purposes. We do have a valid SPF record (ends with -all) and DMARC on our domain (confirmed by mxtoolbox.com: all checks are green/good). However, some hotmail.com and Yahoo subscribers are receiving the bad messages.
Delivered message header example (my domain replaced with mydomain.com):
Received: from AM0EUR02FT053.eop-EUR02.prod.protection.outlook.com
(2603:10a6:203:a3:cafe::24) by AM5PR0602CA0015.outlook.office365.com
(2603:10a6:203:a3::25) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6411.17 via Frontend
Transport; Thu, 18 May 2023 20:00:29 +0000
Authentication-Results: spf=fail (sender IP is 74.220.218.251)
smtp.mailfrom=mydomain.com; dkim=none (message not signed)
header.d=none;dmarc=fail action=quarantine
header.from=mydomain.com;compauth=fail reason=000
Received-SPF: Fail (protection.outlook.com: domain of mydomain.com does not
designate 74.220.218.251 as permitted sender)
receiver=protection.outlook.com; client-ip=74.220.218.251;
helo=outbound-ss-2173.bluehost.com;
Received: from outbound-ss-2173.bluehost.com (74.220.218.251) by
AM0EUR02FT053.mail.protection.outlook.com (10.13.55.226) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.6411.14 via Frontend Transport; Thu, 18 May 2023 20:00:28 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:DA2D70975B34AF56A4C6BB7C8F702F23F79F3DC78ECCEAF1A0837B45D961804C;UpperCasedChecksum:C8456286D1E9561E0C8180B32877B9F796154342C827979774F79B83E92CE58D;SizeAsReceived:2147;Count:30
Received: from cmgw14.mail.unifiedlayer.com (67-20-127-198.unifiedlayer.com [67.20.127.198])
by soproxy8.mail.unifiedlayer.com (Postfix) with ESMTP id C2B028048C4A
for <[email protected]>; Thu, 18 May 2023 20:00:27 +0000 (UTC)
[...]
X-SID-Result: FAIL
X-Microsoft-Antispam: BCL:4;
X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;auth:0;dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117)(90012020)(91020020)(90015022)(91040095)(9050020)(9100338)(2008001134)(4810010)(4910033)(8820095)(9610025)(9525003)(10145022)(9439006)(9310011)(9220031);
[...]
All SPF/DMARC/etc. tests fail, but the message is still delivered to the inbox. Why is Hotmail letting them through?
Thanks,
X-Microsoft-Antispam-Mailbox-Delivery header. I guess that user had added the sender address in Trusted senders. Because of this, Outlook skips the SPF/DMARC/DKIM auth checks. Thanks for your input.
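A triage check for the situation described in this thread, added here as an example and not taken from either post: it parses the two headers and reports when a message failed authentication yet reached the inbox with an `OFR` override recorded. The function names are hypothetical, and reading `dest:I` as inbox placement and `OFR:TrustedSenderList` as the recipient's trusted-sender override follows the interpretation given above rather than a documented specification.

```python
import re
from email import message_from_string

# Constructed sample: the two relevant headers from the message quoted above
# (ENG list shortened).
SAMPLE = """\
Authentication-Results: spf=fail (sender IP is 74.220.218.251)
 smtp.mailfrom=mydomain.com; dkim=none (message not signed)
 header.d=none;dmarc=fail action=quarantine
 header.from=mydomain.com;compauth=fail reason=000
X-Microsoft-Antispam-Mailbox-Delivery: abwl:0;wl:1;pcwl:1;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;psp:1;auth:0;dest:I;OFR:TrustedSenderList;ENG:(5062000305)(90000117);

body
"""

def auth_results(msg):
    """Return e.g. {'spf': 'fail', 'dkim': 'none'} from Authentication-Results."""
    value = " ".join(msg.get_all("Authentication-Results", []))
    value = re.sub(r"\([^)]*\)", "", value)  # drop parenthesised comments
    return dict(re.findall(r"\b(spf|dkim|dmarc|compauth)=(\w+)", value))

def delivery_fields(msg):
    """Split X-Microsoft-Antispam-Mailbox-Delivery into key:value pairs."""
    value = msg.get("X-Microsoft-Antispam-Mailbox-Delivery", "")
    pairs = (item.strip().split(":", 1) for item in value.split(";"))
    return {p[0]: p[1] for p in pairs if len(p) == 2}

def triage(raw):
    """Flag mail that failed authentication but was delivered via an override."""
    msg = message_from_string(raw)
    auth, deliv = auth_results(msg), delivery_fields(msg)
    failed = sorted(k for k in ("spf", "dmarc", "compauth") if auth.get(k) == "fail")
    override = deliv.get("OFR")        # e.g. "TrustedSenderList"
    inbox = deliv.get("dest") == "I"   # assumption: "I" means inbox
    return {"failed": failed, "inbox": inbox, "override": override,
            "auth_bypassed": bool(failed) and inbox and override is not None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run over exported messages from affected subscribers, this separates mailboxes where a per-user trusted-sender entry let the spoofed mail through from cases where the receiver's filtering itself did not act on the DMARC failure.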