0

One of the subscribers on the mailhost I run has been receiving scads of spam mail "from himself." With SPF set up and validated on the domain (wickenburg.us) this should not be happening. It is not happening on any of my other domains (though this could be more of a spammer opportunity thing than a technical thing).

The SPF record is simple and severe: v=spf1 a mx ip4:96.125.170.48 -all

Bottom line, all mail "from" wickenburg.us has to come from 96.125.170.48, period.

Examining the full headers of the offending incoming mail, I find that every one contains this line:

Received-SPF: pass (domain of gmail.com designates <spammer's IP> as permitted sender)

"envelope from" is always specified as <>.

I'm at a loss to comprehend this. I've never delegated Google any authority whatsoever to determine what is or is not a valid email from my domain name, and my domain arrangement doesn't involve Google in any way. The fact that anyone is even asking or believing Google's take on the matter seems to violate the entire design of SPF.

What do I need to do to remedy this problem?

EDIT: Here is a sample set of full headers as requested.

Return-Path: <>
Delivered-To: [email protected]
Received: from server.wickenburg.us
    by server.wickenburg.us with LMTP
    id NQs7NHvUvmRPaQAAeQzYKg
    (envelope-from <>)
    for <[email protected]>; Mon, 24 Jul 2023 12:43:55 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Mon, 24 Jul 2023 12:43:55 -0700
Received: from [195.133.32.101] (port=53352 helo=r97.email.lefebvreelderecho.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qO1TI-00070c-0F
    for [email protected];
    Mon, 24 Jul 2023 12:43:55 -0700
Received: by 2002:a54:200c:0:b0:228:543a:1f5a with SMTP id t12csp1618203ecn;
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGFskBq6vD+JptCL7CTitvNTO7/IPxEzuHDPKvHvDjtELTC/rAvYUkkInNXwcGoYqFWzD6p
X-Received: by 2002:a05:6a00:18aa:b0:686:290b:91f7 with SMTP id x42-20020a056a0018aa00b00686290b91f7mr7885971pfh.22.1690223366335;
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690223366; cv=none;
        d=google.com; s=arc-20160816;
        b=oFTBlj60DutemJU6/VIqaY5SlSLFHaF2lAoDo6mni61DWkkjOgpQ3QUvcTTMtzBOES
         5VwcBZATGpcm1wlErizZ4O/gdyvOFoyB6Tev6tXx2fgISqATbtxeswCrvmQRR7kBw0KY
         oUSpsot28s39ike2WDzqjroLgKH8Z+Z8V7/ETMqJZkX8met8OJ0D6dZ2NC4UVw0GGae0
         U4vlblGbVfQJV+PYHsZPzkkGjNYVQW1jpJT4ytrvMl+UMCaFLFEkxnb1yWr5mviGflzk
         dev+HCwBUmImeYopm6wPWpoT1+Roo9x0y2KiyJJHln6RkKl8nqELyCQbqsmUgsjmJL5H
         tcGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=references:mime-version:subject:message-id:to:from:date
         :dkim-signature;
        bh=wO2NmQIfIA1TETnGAB3LAbdcIcFxJYvNim6ZNUQ7fAQ=;
        fh=jiXLAKdjm0XSnS+zteR+sipnHmR6ae2WQlH3Cpp0Kls=;
        b=nUOq8UzXt9MqhWFF/gfA3ZgRzEC3zOcfx86XAyi+JrsLSSclJpOPsRmWqUNb+3FU5j
         naiZPQabYnOu+Xr1XUrZLWuxZvZQjN6uyQAQ8rkbAGhCgR9WtYUM87GaAu09NwFG9WNV
         cT9JuUzhD76PMvatK24eXP8dsE10XJFgOVjL9bKjxIcq3sFtZ7IFmh9+soZAtDyoFjRq
         MiDvrDS1kaTzlnrJcGXAuIfOGR0aQj1ko7hapKvjwmxYS+P3zmUdaECGGUGTtArfdFyP
         TL/OhFZpWXwwKnIqnbNA4qO3c++YOMPNvCqTO4N5BihZ+7/cfB/UJ61AIt/uj1m2tSLx
         EsSg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=a2048 header.b=gHShi1Su;
       spf=pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
Received: from sonic313-20.consmr.mail.gq1.yahoo.com (sonic313-20.consmr.mail.gq1.yahoo.com. [98.137.65.83])
        by mx.google.com with ESMTPS id j17-20020a056a00235100b0067ea76a7c59si10056277pfj.50.2023.07.24.11.29.26
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 24 Jul 2023 11:29:26 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) client-ip=98.137.65.83;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=a2048 header.b=gHShi1Su;
       spf=pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=aol.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1690223365; bh=wO2NmQIfIA1TETnGAB3LAbdcIcFxJYvNim6ZNUQ7fAQ=; h=Date:From:To:Subject:References:From:Subject:Reply-To; b=gHShi1SuWLTUbadusZH0I3/pF9Zov75eYIkvrEzC07efzFmOsjNZFLzppRKVCoQxnbBr1tK+aXBcBlf8xaYme6dhmr0UqvW3WWW6aKMHeVzvqGkjvbEwlStG+NClJr8UEonNTDT1FipCG96FLDHcnBoLn3a6t7o71ExU3KNK329DgZsJIDtwP+wTCjp9KnG0E7YlE7HrUIQz1f+Z6Hw01Hkxc1RC5Wc6DjdAsbFn9b26XRYRdLgcQ9/dpqhO3/sFD5Y5g7xovpVCQ0EqxYv08JAzIXW/K76f88HRVii6uXCw0PfRR5kzuIUGLGutZGc8MYX+/eCAvAyiSEBDYaLUMA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1690223365; bh=w4zS8DeoeACKhNY4awKRnv6pKMGcrBajz8nL7G9ZiKU=; h=X-Sonic-MF:Date:From:To:Subject:From:Subject; b=rF2pfIyVoSWtHaVXNnmlmDfUUwAGkUeSxtzbwcvyRsJyERPaLz4eg6sXxttV6gTc88cdhbh8HKGkkQpsyv59hh16znm14b7gK0ruYUXvL7eqQl7bSexTfEMQpJ7AYl13N5RixcgxC3gPpp6WXdPgZeoXMEsAmT28WOTub9JvPwPJfAsIEq1KW0bON9FfluQI8BoLW7I91t2VB/FQH7FozPJp30kSDDGCkOQHZo5E62G53NVeOjH59B9XBjcrL+yExFV12wL2/LiSud7WYfCn2sce9C0QTN7qT8DAGMGBz9rbeIsh4zz0o+SGKgmD/WEknHWJriOHJF2/awkEHJDR7A==
X-YMail-OSG: 7puKTTQVM1lPe8geVVKv5FKML0FkhsO7xFWqSAvwfjvN7UPm9.30zmsM3Cu3ev_ 3xrsfN_yQsXxdMpPv9gO6t2hLtjFDAjOIhooeRqB24K0daosHkB.ZOOHvoOZ4livS2jtO9JgRkFg y6rrztrGmlg84rf3ratkrsRog14ChShf5QD.ZbLahW9xZ8.X5Xf5nOsM2nYrBMnGCIYO4a.3KKo_ JhorKQBc4usw47v014qlU1YenVUCWTtPueu7Hq1gTbq3_ow8lJBS6uIttw3zmGgQ5G8JlfHxjG.S H2fq59J0zy9rwOPRRh2SRiYa4ChtUsgZXjwS_.2gcgjEKOR1GZJp8ZyGEkYfPyyf5k_DUW4L6ChQ vp35TzHa_YX1LYRBtq.F9GHyjj48T13HDgqEr64zS7pG3K.VYUpjmh9YY5PKAlJzcdXQKw92_Uoe zJm6Y4z7lIpvk57hb.m4xpOWyTz3CSnu4Vuwc9E8K4Own16ay0RVn5NSoOTzDpfSrJeQLeyNIqjT cgbAfM7oJE8yzD9zTT2lB5czc67gFThvpO233fq_d2J8Upn00XhDHehjq3tyY8DcAC_gDQN6Snr9 ezJq3_Ltc_CXWpuake0s21xMM_bzziXTAW0OLDkktGrRbXNf2St6dhTVfb5h_LEUyHIm2tI5vwD8 J6Vlgaw.yDVf3hmgc434fILSmAoBF6YsL_JEzjNUqGArr6duKbA0C6mJUBDhOAtwJmQmpX2qnM2t U5QGi90V4e6icCHW99A5b.Cd8xhVsrkTAjHFjH.FpouEy_YXaL7qqLcwofoOSxKIF6MN1R3vYpHe UblGjGvlP43wVTeobWZyrJIRwu1JHjDQCAKqP50No4l5pAq42tMDvlk.xXHZMpNOYyitVbnr0h4z 6tKrAxwCg5PC3k7Uu1rbJQYUJ8G.AmN0gGEwIcwx3GJK9UN19Y.7hmjOgBYkW2vbOOAkkCZmQRxF LtO8I7749mnf8XuhQepnVkJEMADJM4ehCiNXNKe8PjKwsEJdECCs8TbBmKpl7PLFfbm2x0i93m7f LSJVyiRPsdNU8T1o1iYtsVILPcmc4l38Q4W4UelrlVlaM5QF8qjpV2RnSt3we0beVoAK_OCbWwBQ At2BbtXAAlZs39tUfghWGlffNJRN5SqvQ1Mj_1wmQUgVPjnPw5hQB2WiaEpiA2.TImTPKahE5QPv H2Qm9VnAvYapI1LIIU8XtRduh4GuuhoO0I3uzuVbrlHsY3_1LXQ6TDsACudfHQ7wd0rkUSagIfc8 WOGYk0koei37nXoCoQynpzF3vZqmYqdXt2JQtWxiQn.eYPIOVphBVXt.38b0Vg13TVDyTswTyni5 MlFxmylTmUZ_z2pjM.J6c0uJTuPTPngLfKq1t_oYwBOPK_vJvAuMs2igGEiphUKpAYrlDTltjcCB giW65zX6ptzH9XHPDhMYmERihn8Eb9xBBEq9gULIqUxtXPGD_5Bo74nxuUe.hJErsFoX1f1ha86h n9A5KlNBHv.WdGtnGvD7POFcuQvua1V.9DjDNRvE4Bb5OuHjfeyxnJ1ptRdmpcuAOQyqSfDkaTjl NPXHNUcIa_yrd7qo9_UDJ0YZggeDa8ZLlwcsxpmdSJJNFzuBMq4ReS1lUFXaMAbsqtBt2SsqJ_qy ptd39hUt0O0eUt0bzcOIpRCz3tpHAMeV6pZTHP9MFIff3wylfw0CqsQOMb72AH0IBhapQVQondul tDsQeVZ0MONMsg2Ht5ZZFXo4ZMPTNgbavAIBEHwiCEpMxQi158gBHl29QMkNQoHXpf7GQk_zvL_r EHrXSMYpCLEf6C4Dzx7DtLZNLEUxrD22Bv5rjRfJ_eAyG0eieagEElpJw9vOzCmR1HWibbHcCwJZ 7cLimvB7m1M08bfnRCsDHDRNqKvPW85M7ArkIn_z.0uY9TTRsQJP4RoY9ZHORXpUOs5_gw9C_zF4 NnwNhSzNZTUZExMw6Fv9drwb7M4374d0CNEVvc3beA.9GOsvCAdEHc.ZeYAjtIrWg2l3kEytNTXr 99_2s0DPsdh2yTxQNn.hjZV.OPJXOu.YslCU10bXhda6SXmkksxiflWX.Je6uMOympV75O95V9yx 8pPt0LB4JOZksmWX2eqagURWZyWoo4UePK3WOEOEjXXIYcn4-
X-Sonic-MF: <[email protected]>
X-Sonic-ID: 456c4d8d-0730-4054-accf-2cbd298fff0b
Received: from sonic.gate.mail.ne1.yahoo.com by sonic313.consmr.mail.gq1.yahoo.com with HTTP; Mon, 24 Jul 2023 18:29:25 +0000
Date: [email_date]
From: DEWALT GENERATOR Rewards <[email protected]>
To: DEWALT GENERATOR Rewards <[email protected]>
Message-ID: <[email protected]>
Subject: You have won an Portable Power Station
MIME-Version: 1.0
Content-Type: text/html;
X-Mailer: WebService/1.1.21647 AolMailNorrin
Content-Length: 518
X-Spam-Status: No, score=-83.3
X-Spam-Score: -832
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "server.wickenburg.us",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Portable Power Station View in a web browser ANSWER & WIN 
 Content analysis details:   (-83.3 points, 8.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                             bl.spamcop.net
              [Blocked - see <https://www.spamcop.net/bl.shtml?195.133.32.101>]
 -0.0 USER_IN_WELCOMELIST    User is listed in 'welcomelist_from'
 -100 USER_IN_WHITELIST      DEPRECATED: See USER_IN_WELCOMELIST
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  1.1 INVALID_DATE           Invalid Date: header (not RFC 2822)
  2.2 KAM_STORAGE_GOOGLE     URI: Google Storage API being abused by
                             spammers
  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                             valid
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
  0.8 KAM_INFOUSMEBIZ        Prevalent use of
                             .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                              domains in spam/malware
  3.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the
                             message and the domain has a DMARC reject
                             policy
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  0.1 DKIM_INVALID           DKIM or DK signature exists, but is not valid
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
X-Spam-Flag: NO

EDIT 23-07-29: After enabling "Allow DKIM verification for incoming messages" and "Reject DKIM failures" in EXIM, this spam is still slipping through. Another sample from today:

Return-Path: <>
Delivered-To: [email protected]
Received: from server.wickenburg.us
    by server.wickenburg.us with LMTP
    id aP37DDdixWQvYwAAeQzYKg
    (envelope-from <>)
    for <[email protected]>; Sat, 29 Jul 2023 12:02:15 -0700
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Sat, 29 Jul 2023 12:02:15 -0700
Received: from [194.169.163.37] (port=48087 helo=judithwilliams.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qPpCi-0006ap-2c
    for [email protected];
    Sat, 29 Jul 2023 12:02:15 -0700
Received: from njmta-20.sailthru.com (173.228.155.20) by theskimm-d.sailthru.com id h568ie30nt87 for <[email protected]>; Sun, 2 Apr 2023 10:23:40 -0400 (envelope-from <[email protected]>)
Received: from nj1-farmelon.flt (172.18.20.31) by njmta-20.sailthru.com id h567uo1qqbs5 for <[email protected]>; Sun, 2 Apr 2023 10:21:46 -0400 (envelope-from <[email protected]>)
Date: Sat, 29 Jul 2023 20:55:21 +0200
From: Ninja Foodi Dual Air Fryer Shipment <[email protected]>
To:jones<[email protected]>
Message-ID: <[email protected]>
Subject: Celebrating KOHL'S anniversary with an Ninja Foodi Dual Air Fryer
Content-Type: text/html;
X-Feedback-ID: 7595:31029321:campaign:sailthru
X-TM-ID: 20230402102146.31029321.5494280
X-Info: Message sent by sailthru.com customer theSkimm, Inc
X-Info: We do not permit unsolicited commercial email
X-Info: Please report abuse by forwarding complete headers to
X-Info: [email protected]
X-Mailer: sailthru.com
X-JMailer: nj1-farmelon.flt
X-Unsubscribe-Web: https://link.theskimm.com/oc/6425b794e3ea9af00b0a1cabih2dl.39rew/65c2f250
List-Unsubscribe: <https://link.theskimm.com/oc/6425b794e3ea9af00b0a1cabih2dl.39rew/65c2f250>, <mailto:[email protected]>
X-rpcampaign: stlgd31029321
X-IncomingHeaderCount: 23
X-MS-Exchange-Organization-ExpirationStartTime: 02 Apr 2023 14:28:55.6663
 (UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
 288d6423-ae50-4862-9ac8-08db33869718
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic:
 CO1PEPF00001A5F:EE_|DM4PR15MB5994:EE_|PH0PR15MB4479:EE_
X-MS-Exchange-Organization-AuthSource:
 CO1PEPF00001A5F.namprd05.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-UserLastLogonTime: 4/1/2023 10:53:49 PM
X-MS-Office365-Filtering-Correlation-Id: 288d6423-ae50-4862-9ac8-08db33869718
X-MS-Exchange-EOPDirect: true
X-Sender-IP: 192.64.237.81
X-SID-PRA: [email protected]
X-SID-Result: PASS
X-MS-Exchange-Organization-SCL: 2
X-Microsoft-Antispam: BCL:1;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2023 14:28:55.4163
 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 288d6423-ae50-4862-9ac8-08db33869718
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-AuthSource:
 CO1PEPF00001A5F.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR15MB5994
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.1967716
X-MS-Exchange-Processed-By-BccFoldering: 15.20.6254.030
X-Microsoft-Antispam-Mailbox-Delivery:
    abwl:0;wl:0;pcwl:0;kl:0;dwl:0;dkl:0;rwl:0;ucf:0;jmr:0;ex:0;auth:1;dest:I;ENG:(5062000305)(90000117)(90010023)(91010020)(91040095)(9050020)(9100338)(4810010)(4910033)(8820095)(9910022)(9545005)(10170022)(9320005);
X-Message-Info:
    qZelhIiYnPkx84CNH6AeQs2r1mfbx475RiI5K0+Xb2fvrntBfTJ10N2zNIvcvtf7VgXmo/rIiDQIXO6S3rtSdn/H4xrzDv+I2RFpBW+pxB4yhwf8VqBxAb2oTJ+jKAPjknpLKx0rGhWF/Oowozp6RA==
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0tMQ==
X-Microsoft-Antispam-Message-Info:
    =?utf-8?B?Mnl1bmdsSDZzUmVmV3BTMVk4SHdPZEtHK3IrZzd3OTZhMFNUQW5kd2ZuSjZl?=
 =?utf-8?B?dVFNSThmd3V4S3RBMTMzamVYLzBBK2FhT2VlKzllNXBuTnZpU2lHektDY0s0?=
 =?utf-8?B?c244d1FLM2diZjF4YS9TRnFEZ1Q3OUUyWXVzRzkxY21IMlgreGJhWmx0a0tq?=
 =?utf-8?B?T3NGK1YvRUV1V3ZPeHNON3FlUjhQcVpNM2VXNFhnaEFMQ3hxODlORkNUMkVk?=
 =?utf-8?B?WU1Yc1lSRno0NTZuMmhNdVlNQXB6ZDAvSFRJVGtnUVNrekJkcnQ5SGJvektM?=
 =?utf-8?B?Rk1wZ2xsWHg0ZnlVOS9GNjYweW90clFDOHR5QlpDMFpEVlZOMHMzNjFGREFF?=
 =?utf-8?B?cmpYV3A5NVdHTFF4Z1FYbFIzY2ZtNk9jTGx2cGgvb3RCTmx3ZFFyZ3pPMHoy?=
 =?utf-8?B?ajEyVFlQaGw2cEU4WGJBUUthbTdPd28xakEwWnpUUE80M2lPUE5ueHVGMlhX?=
 =?utf-8?B?TlZhMHZPeHNNMjVDSEdVRDc4VzI3NHhJZTd1YktVL0JiTVk3eXZ6UXRucHQy?=
 =?utf-8?B?UFdWaWI2dEMrdSsvWWZ2UGJXMktKWEJwNkN6MTMvOUEycDl0aDROa2cxdSs4?=
 =?utf-8?B?Szk1T3ZZd3NrR3NQYjJOYlNNTittN0lCRCtzNVBiZllDNnlXMXVJVVZPYnQr?=
 =?utf-8?B?eTRHZEthVkZJUmJJL1VRTm4rL2pkOFQyWGJldkdoajBsQ1BLWjkybjNoeGRl?=
 =?utf-8?B?T09Kc3NXL3NWNFptbXNBWmxNalVFN2dSUEU1cnJ6RlJBc3N5SHl6cjI4cm5Y?=
 =?utf-8?B?U04rNFVXQXRTeDVlV1VYS01EdlhITnZGQ2V4MHk3Tlc3UUFvNFVON3poNjhF?=
 =?utf-8?B?aGQweVB4cUZMbVJjbGp3RkpIRy9lb3VsSG9xV0lzRE1ReHJDN1NuMVJlNHFT?=
 =?utf-8?B?ZDZIWHBKYmVvbnVWMDZNM1FIdTV2VXVRTFdVVnlBYWhXdDJnK0t1R2xGUmhO?=
 =?utf-8?B?ckxacDlpc3FSdFB2QnBvL1c4QWdIZHZqTTAvMVZwWCtoWFdKNHZkbGQvZHNV?=
 =?utf-8?B?Mm4xVTdIcGxrUjYyR1RkSFAxUzRkdDJaa2R5cUdDNmZGYXdjT245VzZtTmVO?=
 =?utf-8?B?ajJmMEIzWW1wd0NoaVMvMXdvZG4rYitCSkJjSXF5N0pMVUtZRTlBYnQ4blJW?=
 =?utf-8?B?VERyN2JYQnRTc0d3a2VmQk9lSlRNYitmc3hqWXZXRlZieTVubHlidk44Vi9N?=
 =?utf-8?B?T1JEdFUvdXdKV28vVGNXZS8vNk1Ield4QXVDK2pWV2hlMGpUYmVIdE9LbWZs?=
 =?utf-8?B?dGh2K1dtTGJYNVlNUXR2dlFQUU1DVDAyYng2d2dVcVZHRFVVRXhsOW9uSzlT?=
 =?utf-8?B?Nk1RaXo4NXppdkdYVkUwSzl6MTBDU0NpdERWcUJSbndTb2VPbGpyRkw4Witu?=
 =?utf-8?B?U3pDaDA5N1RtVU51Q1FuMXR0K1BkUDRJVVhib1hkNFBmT3BXS0pESnV6enNZ?=
 =?utf-8?B?YkxYYi9sMTVNTk1zNUtyWlhqZS9ncWRBZ3JZT1JsalpWYko4QlBRUDlBSVVV?=
 =?utf-8?B?MExjbDRkbnNwOTdkVHRQSkJPcEl5RFk0VDFJcHpNTlljeGhpcTQreFIycVhZ?=
 =?utf-8?B?WmFsWVQ0NWZjbFUwejZsc2ZSR3piSEhENHEyRFhWc0p1YWdXYnE3ZkQzZUVH?=
 =?utf-8?B?bStzVEpya3FmR3hlMytCV1J2bEJFczBibGdFb0FXZVI5UnMrVUsrb3MxSm1Y?=
 =?utf-8?B?cDEwYkZWQmxDa0p6VlpyTklLcFRvbEZvbjg2ekZkOExFMzF5aHFGdFhTdkMr?=
 =?utf-8?B?MTlyNVJCMk5RSnBHakI5Z2RpK3RQeXFZWnFuM2tKL01WanRLOExjbG0yOU9j?=
 =?utf-8?B?WEU2MDBZVUp0M0RrNm9GQTdQYS90cmgrQk82amkzNW1hWUQ1RFJiam1ZdnNB?=
 =?utf-8?B?RnpqNTlSVEJDWjMvWHFBN1pON1NHQ0N0SytBaTBRdk5lc2J3RHlIQTIvKzk5?=
 =?utf-8?B?Ukl2eXhuQ2RrWlEzSW56dmpXcE1RR1lpbzNLc3FLOGROSEtNdjZNSC84cEFq?=
 =?utf-8?B?TytxQXJZM1c5Q0oydTlqQm9WZU9EWit4cTFROWlQU1NXWGpTclVwRHBTanZ2?=
 =?utf-8?B?MXhidTJsV2lpQzlMMjBsMlY2RWY5OFg4MDNHRHlqU2t5L2JaVnljWDdGL2cz?=
 =?utf-8?B?SklNbGkvQTFjNDFRTXBpdG5qTDJ2VUJ5T1NNNG5UMjJnZkZqaUMyNE5XZXZM?=
 =?utf-8?B?eEpOQXNudDZ1OXBoZ0ZpSElhMmp1REhXWXc3M2ZtQUsyMzR5UlNIc3ZKN3l6?=
 =?utf-8?Q?qcKDW4HCjVPrHtn4gWjXVkbSpDYXPioQL4WfHFfG6w=3D?=
MIME-Version: 1.0
X-Spam-Status: No, score=-77.6
X-Spam-Score: -775
X-Spam-Bar: ---------------------------------------------------
X-Ham-Report: Spam detection software, running on the system "server.wickenburg.us",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  Celebrating KOHL'S anniversary with an Ninja Foodi Dual Air
    Fryer If you no longer wish to receive these emails, you may unsubscribe
   by clicking here click here to remove yourself from our emails list 
 Content analysis details:   (-77.6 points, 8.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: baxarfnar.bond]
  0.6 URIBL_PH_SURBL         Contains an URL listed in the PH SURBL blocklist
                             [URIs: baxarfnar.bond]
  1.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in
                             bl.spamcop.net
              [Blocked - see <https://www.spamcop.net/bl.shtml?194.169.163.37>]
 -0.0 USER_IN_WELCOMELIST    User is listed in 'welcomelist_from'
 -100 USER_IN_WHITELIST      DEPRECATED: See USER_IN_WELCOMELIST
  1.0 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                             [score: 1.0000]
  5.0 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                             [score: 1.0000]
  1.5 SPF_HELO_SOFTFAIL      SPF: HELO does not match SPF record (softfail)
  2.2 KAM_STORAGE_GOOGLE     URI: Google Storage API being abused by
                             spammers
  0.0 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image
                             area
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.0 HTML_FONT_SIZE_LARGE   BODY: HTML font size is large
  0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
  1.8 PYZOR_CHECK            Listed in Pyzor
                             (https://pyzor.readthedocs.io/en/latest/)
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
  0.8 KAM_INFOUSMEBIZ        Prevalent use of
                             .info|.us|.me|.me.uk|.biz|xyz|id|rocks|life
                              domains in spam/malware
  0.4 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML
                             tag
  0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                             Alignment
  2.0 RDNS_NONE              Delivered to internal network by a host with no rDNS
  3.0 KAM_DMARC_REJECT       DKIM has Failed or SPF has failed on the
                             message and the domain has a DMARC reject
                             policy
  2.7 GOOG_STO_NOIMG_HTML    Apparently using google content hosting to
                             avoid URIBL
X-Spam-Flag: NO
1
  • That indeed seem a bit strange... As if Google trusts aol.com's ARC signature, but confuses the DKIM-Signature with d=aol.com as an ARC signature. Commented Jul 26, 2023 at 15:09

2 Answers 2

3

Generally

SPF only protects the envelope sender. You would need a DMARC policy to protect the domain used in the From header.

Ideally, you would use DMARC with p=reject and both DMARC+SPF & DMARC+DKIM alignments to ensure all legitimate mail gets through.

As discussed in the comment, your DNS was set up correctly for SPF, DKIM & DMARC. This protects your domain on systems performing the checks.


To answer this case with the help of the added full headers...

Your server does not perform the SPF/DKIM/DMARC checks

The Received headers as well as the Authentication-Results headers are always added at the beginning of the headers, meaning they are in reverse order; the first ones are the newest. This seems like the first Received header added by your server:

Received: from [195.133.32.101] (port=53352 helo=r97.email.lefebvreelderecho.com)
    by server.wickenburg.us with esmtp (Exim 4.96)
    id 1qO1TI-00070c-0F
    for [email protected];
    Mon, 24 Jul 2023 12:43:55 -0700

Your server does not seem to add any Authentication-Results suggesting it may not perform those checks correctly. The message is actually coming from 195.133.32.101, and the SPF check would only matter if it had wickenburg.us as the envelope sender. Therefore, it should only pass DMARC if it passes with an aligned DKIM signature. However, your server does not check DKIM nor DMARC. The results would be either right below or above this header.

I am not an expert with Exim. The documentation Chapter 58 - DKIM, SPF, SRS and DMARC has all the relevant instructions on how to setup those protocols for incoming mail.

The Authentication-Results present are spoofed

Everything below your own Received headers comes from the previous hop and are as is. You should not trust any of those headers. They are probably all just fake, which has caused this confusion in the first place.

Trusting the headers would, e.g., allow bypassing OpenDMARC checks by forging Authentication-Results.

What could be trusted?

You could trust some of the previous authentication headers if you had configured trusted Authenticated Received Chain (ARC) intermediates (RFC 8617). For example, if you expect forwarded email through Gmail, you could trust their ARC that is cryptographically signed. Spoofed headers like these would fail this check.

The ARC-Seal and ARC-Message-Signature works similarly to DKIM signatures; once you trust the intermediate, you can validate the ARC-Authentication-Results with these signatures and then trust them without performing new validation, which would fail for DMARC+SPF schemes because of the forwarding. As DKIM signatures typically survives forwarding, DMARC+DKIM would work even without the help of ARC.

8
  • I should have mentioned (sorry that I didn't) that the site does in fact have DMARC and DKIM configured as well -- properly, to the best of my knowledge. My attention was simply drawn by the header line that claimed SPF was allowing the mail. I'm continuing this issue in more detail in a response to the reply below.
    – Macs R We
    Commented Jul 26, 2023 at 14:33
  • This might be a problem in the SPF checks of the receiving system as the configuration in the DNS of wickenburg.us seems ok. I can see you have DMARC too, which is excellent. Commented Jul 26, 2023 at 14:59
  • So does your comment imply that if some relay in the mail chain applies bogus checks accidentally or deliberately, my own host's SPF/DKIM/DMARC becomes essentially impotent? That would be a pretty basic design flaw. (I could see spammers latching onto it.)
    – Macs R We
    Commented Jul 26, 2023 at 15:51
  • Now I understood the issue here. The headers are spoofed. I have updated my answer accordingly. Commented Jul 26, 2023 at 18:07
  • 1
    Thank you so much! The kernel is your observation that our EXIM was not making DKIM checks. I had no idea I needed to "teach the mailer its job," I thought having the proper DNS records set up worked "automatically." Configuration at our provider is done via WHM/cPanel, so all the compile flag advice was noise to me. I examined the EXIM config panel and found two flags: Allow DKIM verification for incoming messages and Reject DKIM failures They were off; I turned them both on. Let's see if that stops the problem (and hopefully doesn't newly reject a whole lot of valid mail).
    – Macs R We
    Commented Jul 26, 2023 at 18:36
2

Check the message headers you'll likely see two different sender addresses.

The From: entry will match your user's email, but that header entry is only used in the email client to display the email address, it isn't used by the servers delivering the email to you.

The other address will be using a completely different domain, and on that domain the senders IP address will match the SPF record for their domain. I suspect if you check path that the email took to get to your user, you'll find the senders email went via Gmail, which is why you see an SPF result from them, and then onto the final destination.

So the SPF record you have setup for that domain is never looked at, because as far as the servers checking it are concerned the email didn't come from wickenburg.us it came from somewhere else.

For context, you see the same thing with legitimate emails very often. For instance emails from Amazon. I received one yesterday from them, and the email in my client shows it as coming from

From: "Amazon.co.uk" <[email protected]>

and yet digging into the headers I find that the actual sender address, eg the one that servers look at to determine what to do with the email is

20230724082216068fc30d3fcf4ede9fbe164dda0p0eu-C182GINBTAROME@bounces.amazon.co.uk

It's a really annoying side effect of how email works, and how email clients handle things. Personally I'd love to see email clients do something to make it easier for users to see and examine when the two addresses don't match, especially when the domain's used are different. There are legitimate reasons why, but it should be more transparent... especially since there's no realistic way to change how the servers handle them.

1
  • 1
    I follow your valid point. As I mention above, the line that caught my attention was that SPF was allowing the mail. The example I selected to include in my original complaint was ambiguous, to be sure, but other mail headers in this string of spam are more specifically concerning, to wit: Received-SPF: pass (google.com: domain of [email protected] designates 98.137.65.83 as permitted sender) client-ip=98.137.65.83; Note that it denotes "domain of [email protected]" who is the victim, not the envelope sender. I will publish complete headers for this mail as requested earlier.
    – Macs R We
    Commented Jul 26, 2023 at 14:35

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .