
I received an email from a company that looked fine. Gmail deemed it ok. I checked the domain and the various DMARC, DKIM and SPF headers: they are all in "PASS" status. The sender's IP also seems to be within the range of those declared by the SPF record.
But, after contacting the company by phone (out of scruple), they state that they were NOT the ones who sent the email. Here is an extract of the checks (with the real company obfuscated):

...
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
...
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@<company_domain> header.s=selector1 header.b=idsPd4vx;
       arc=pass (i=1 spf=pass spfdomain=<company_domain> dkim=pass dkdomain=<company_domain> dmarc=pass fromdomain=<company_domain>);
       spf=pass (google.com: domain of <company_mail_address> designates <ipv6> as permitted sender) smtp.mailfrom=<company_mail_address>;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=<company_domain>
...
Received-SPF: pass (google.com: domain of <company_mail_address> designates <ipv6> as permitted sender) client-ip=<ipv6_same_as_above>;
Authentication-Results: mx.google.com;
       dkim=pass ...
       arc=pass ...
       spf=pass ...
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=<company_domain>
...
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=<company_domain>;
...
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
...

Now, my question is: do all the checks above in "PASS" state mean that the email was actually sent from the company's mail server? Does this mean that their mail server considered the sender client as a valid one?

1 Answer

This is impossible to analyze without the full headers. There could be many reasons for this. Some educated guesses can be made.

As the message has passed the DKIM validation the source is likely authentic – assuming the redacted domain is not a look-alike domain. As this is a phishing message, the most likely scenario is that someone from the company was a victim of the same phishing campaign and as a result the mailbox was hijacked to send more phishing mails. This is an effective method because the message seems to come from a trusted source you might even personally know.

A passing SPF without passing DKIM might have been related to a too permissive SPF policy. Therefore, DMARC+DKIM is always stronger than DMARC+SPF, and DMARC requires only either one to be aligned. (To enforce DKIM with DMARC+DKIM only, the domain used for the envelope sender should be different from the mail header, causing SPF to pass without DMARC alignment.)

And finally, criminals can do all the same things non-criminals can. They can buy a domain, set up a mail infrastructure with all SPF, DKIM & DMARC, build a website that looks trustworthy and professional etc. We cannot assess the reliability of an anonymous company. On the other hand, it would not be our burden, even if the company and domain were revealed.

  • Thanks @Esa Jokinen for the very clear and exhaustive explanation! I'm inclined to agree with your statement: "the most likely scenario is that someone from the company was a victim of the same phishing campaign and as a result the mailbox was hijacked"... Because all the validations look really authentic.
    – sqrt-1
    Commented Mar 12 at 19:48
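The answer's point about alignment (DMARC passes when either SPF or DKIM passes *and* its authenticated domain aligns with the header From domain, so an SPF pass on an unrelated envelope domain buys nothing) is easy to check mechanically from the headers quoted in the question. The following is an added example, not code from the question, the answer or any mail provider: it parses an `Authentication-Results` / `ARC-Authentication-Results` value in the shape shown above (a simplified RFC 8601 reader that drops parenthesised comments) and applies the DMARC alignment rule. `example.com` stands in for the redacted company domain, the `b=` tag and addresses are constructed, and the organizational-domain helper is an approximation (last two labels) rather than a Public Suffix List lookup.

```python
import re


def parse_auth_results(value):
    """Parse an Authentication-Results / ARC-Authentication-Results value.

    Returns (authserv_id, {method: {"result": ..., "ptype.prop": value, ...}}).
    Parenthesised comments are dropped first. Simplified reader written for
    this example: no nested comments, no quoted strings (assumption).
    """
    text = re.sub(r"\([^()]*\)", " ", value)               # drop (comment) parts
    parts = [p.strip() for p in text.split(";") if p.strip()]
    if parts and re.fullmatch(r"i=\d+", parts[0]):          # ARC instance tag
        parts.pop(0)
    authserv = parts.pop(0) if parts and "=" not in parts[0] else None
    results = {}
    for part in parts:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method] = {"result": result, **props}
    return authserv, results


def org_domain(domain):
    """Organizational domain approximated as the last two labels.
    Real DMARC evaluators consult the Public Suffix List (assumption here)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="relaxed"):
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(results, from_domain, spf_mode="relaxed", dkim_mode="relaxed"):
    """Apply the DMARC rule: pass if SPF or DKIM both passes and aligns with From."""
    spf = results.get("spf", {})
    spf_domain = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    spf_ok = spf.get("result") == "pass" and aligned(spf_domain, from_domain, spf_mode)

    dkim = results.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").lstrip("@")
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim_domain, from_domain, dkim_mode)

    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed sample 1: the shape of the question's Google header, with
# example.com in place of the redacted company domain and a made-up b= tag.
SAMPLE_DKIM_AND_SPF = (
    "i=2; mx.google.com; "
    "dkim=pass header.i=@example.com header.s=selector1 header.b=AbCdEf12; "
    "arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example.com "
    "dmarc=pass fromdomain=example.com); "
    "spf=pass (google.com: domain of sender@example.com designates 2001:db8::1 "
    "as permitted sender) smtp.mailfrom=sender@example.com; "
    "dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example.com"
)

# Constructed sample 2: SPF passes for a third-party sender's envelope domain,
# the message is unsigned (dkim=none, as in the question's Microsoft line),
# and From is example.com. SPF is unaligned, so DMARC must fail.
SAMPLE_SPF_UNALIGNED = (
    "mx.example.net; "
    "dkim=none (message not signed) header.d=none; "
    "spf=pass (example.net: domain of bounce@mail.bulk-sender.example designates "
    "192.0.2.10 as permitted sender) smtp.mailfrom=bounce@mail.bulk-sender.example"
)


def check(header_value, from_domain):
    """Parse one header value and return the DMARC evaluation for from_domain."""
    _, results = parse_auth_results(header_value)
    return dmarc_evaluate(results, from_domain)


if __name__ == "__main__":
    print(check(SAMPLE_DKIM_AND_SPF, "example.com"))   # dmarc pass, both aligned
    print(check(SAMPLE_SPF_UNALIGNED, "example.com"))  # dmarc fail, neither aligned
```

Running the two samples shows the contrast the answer draws: in sample 1 both identifiers align with `example.com`, so DMARC passes on DKIM even if the SPF record were overly permissive; in sample 2 an SPF pass on `mail.bulk-sender.example` does not align with the From domain and DKIM is absent, so DMARC fails regardless of the SPF result.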
