
DMARC is reporting that a small fraction of our emails originate from google, microsoft, and some other providers.

DMARC is also reporting that a good chunk of those emails fail both SPF and DKIM, and therefore fail DMARC.

We don't use those providers to send emails, so I'm guessing those stats reflect forwarded emails and spoofs.

Obviously SPF would fail for forwarded and spoof emails, but is it possible some legit DKIM headers get mangled in transit?

Question:

Does it make sense to include google and microsoft's SPF hosts in our SPF record to help pass DMARC for those forwarded emails, even if we don't use them to send emails?

I'm reluctant to do that as it's against the spirit of SPF and will help spoofers.

Or can we be pretty certain that those failed DMARCs reflect spoofs and in most forwarding cases DKIM headers are passed around intact?

  • [email protected] sends an email to [email protected]. [email protected] forwards the email to [email protected]. Bill receives the email from [email protected], not from [email protected]. So no, forwarded emails don't calculate into this.
    – joeqwerty
    Commented Oct 21, 2023 at 16:24
  • @joeqwerty I didn't mean that kind of forward, which is manual or set up as a rule. I meant routing services like the one Cloudflare offers. Gmail also has that, and I use it myself in GWS.
    – rvh
    Commented Oct 21, 2023 at 16:34
  • Well that isn't forwarding then and you should specify that in your question. Any entity that sends email as your domain or on behalf of your domain should be included in your SPF record. Google Workspace and Cloudflare Email Routing will both have information on what you need to add to your SPF record when using those services.
    – joeqwerty
    Commented Oct 21, 2023 at 16:56

2 Answers

Absolutely not. Sounds like SPF/DKIM/DMARC are working exactly as intended for you.

Your SPF record should only include hosts that you actually use to send from using your domain.

Those reports showing Microsoft and Google source emails almost certainly relate to spam messages that are using those services, so the last thing you want is for 3rd parties to receive spam email "from" your domain, do lookups on your SPF record and then accept those messages because your DNS records tell them it must be legitimate.

The only other scenario I can think of is if someone in (or working for) your organisation is using a Microsoft / Google service without your knowledge, and sending email using one of those services. In which case for now they'll fail to be delivered until they inform IT what they're doing so you can add the appropriate record. But I'd never go adding SPF records based on DMARC reports, only when I KNOW that legitimate emails really are coming from there.

Also note, forwarded emails wouldn't cause that scenario as that's not how forwarding works, unless a user was stupid enough to get their email from your domain forwarded to say their Google account, AND then set the Google account to forward emails elsewhere as well. But forwarding like that isn't recommended, and IMHO if those emails don't reach the intended recipient that's an issue for the person poorly setting up forwardings, not you and your entire organisation.
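Before deciding anything from the reports, it helps to see what they actually contain. The Python below is an added example, not code from the question or either answer: it sorts the records of a DMARC aggregate (RUA) report by their aligned DKIM/SPF results. The report and IPs are constructed, and treating "DKIM pass, SPF fail" as the forwarding pattern and "both fail" as unauthenticated is a triage heuristic of mine, not something the answers state.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report, trimmed to the elements used
# below. The IPs are from documentation ranges, not real senders.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>40</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>3</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>12</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def classify(dkim, spf):
    """Triage bucket for one row's *aligned* DKIM and SPF results (heuristic).

    DMARC passes when either aligned check passes. A DKIM signature that survived
    while SPF failed is what forwarding usually looks like; failing both means the
    message was never authenticated as your domain at all.
    """
    if dkim == "pass" and spf == "pass":
        return "pass-both"
    if dkim == "pass":
        return "pass-dkim-only (consistent with forwarding)"
    if spf == "pass":
        return "pass-spf-only (unsigned or signature broken)"
    return "fail-both (unauthenticated: spoof or unknown sender)"


def triage_report(xml_text):
    """Return {bucket: [(source_ip, message_count), ...]} for every <record>."""
    buckets = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        result = classify(row.findtext("policy_evaluated/dkim"),
                          row.findtext("policy_evaluated/spf"))
        buckets.setdefault(result, []).append(
            (row.findtext("source_ip"), int(row.findtext("count"))))
    return buckets


def message_totals(xml_text):
    """Messages per bucket, so the failing share is visible at a glance."""
    return {b: sum(n for _, n in rows) for b, rows in triage_report(xml_text).items()}
```

Running `message_totals` over a real report lists the "fail-both" sources separately, which are the ones the accepted answer says should not be added to SPF on the strength of the report alone.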


Keep your SPF record as simple as possible—don’t overcrowd it with too many authorized sending sources. Loading your SPF record with multiple hosts can result in errors, causing email receivers to ignore your messages. This can affect your sender reputation and deliverability rates.
