Score:0

Why did this incoming email get through Office 365 spam filters with a DKIM fail? What policy do I need to "tune"?


We use Office 365 mail. I got this spam email this morning, so I checked the header to see if there was anything I could do. Here is the header with our recipient domain removed:

Received: from DB6PR01MB3829.eurprd01.prod.exchangelabs.com
 (2603:10a6:6:52::25) by PAXPR01MB9291.eurprd01.prod.exchangelabs.com with
 HTTPS; Tue, 10 May 2022 02:17:42 +0000
ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
 b=EeGi0lrMprVF98QNcErMivV15SlCGfKOkWEjmPF6RvL4rtMscNmuzA0Do6xVi7W2VL14YtJE0cS2MQzJgsNnh2x2b3fkVMGb+L3mqCyhYvfpphI21XkeOLzjiuJaLexSA1TK6bChcboiF1sP+KI+G/gfGbzfWdzt3mhABec4s/98qZTQGjCe50IuXc0F46ILAEbIXjl1S1pmKLQnKi5j9BFhdwtITVWlIzY7ZiCFng+1mHKigKFDPTyeEiw7ttsm3oviZe1VLP+yy0lvUMPilZ6q7myeBYm9hAb53MWIrYNmX9aevyxV0TpC39uTOK3u9pYH2MZ7fZlm4xX5Ppo/8A==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=MfogbEoTECE7pnnCdWfNTaPrbyhjph3ZMKGUlMoJEC9pu//dHDOMF07eiTsT3t5tba1ghfgbe2xZEZqg7azDGULAznA9eTzsjSnhnveCVt1thqLWnQLXh/T3/BOgpwQb8nCjVoq6p3KuBUXrObEWxqu07csivgli0UAiOS4UUVInWOX93PlMWL9APXrNRuOQzRBPrr84cg/XQhKWhxjMjtyoHH/VIvykTkEk/3mtuAdDjWseunvhqbD8K1b4pjrE4zycJNvTuo/+ZuV3YuFAfnEXcnQu/fmshdFMvWaEGAAK4Lex8O1P564OeW2XibLPAzqzy4aREtMWmAz2iKdmGQ==
ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)
Received: from AS9PR06CA0338.eurprd06.prod.outlook.com (2603:10a6:20b:466::32)
 by DB6PR01MB3829.eurprd01.prod.exchangelabs.com (2603:10a6:6:52::25) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.24; Tue, 10 May
 2022 02:17:40 +0000
Received: from VE1EUR01FT092.eop-EUR01.prod.protection.outlook.com
 (2603:10a6:20b:466:cafe::a6) by AS9PR06CA0338.outlook.office365.com
 (2603:10a6:20b:466::32) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20 via Frontend
 Transport; Tue, 10 May 2022 02:17:39 +0000
Authentication-Results: spf=pass (sender IP is 52.100.172.225)
 smtp.mailfrom=columbiacentral.edu; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=softpass reason=202
Received-SPF: Pass (protection.outlook.com: domain of columbiacentral.edu
 designates 52.100.172.225 as permitted sender)
 receiver=protection.outlook.com; client-ip=52.100.172.225;
 helo=NAM11-DM6-obe.outbound.protection.outlook.com;
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (52.100.172.225)
 by VE1EUR01FT092.mail.protection.outlook.com (10.152.3.140) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Tue, 10 May 2022 02:17:39 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=Q5rpXKAdNS+0d9NAcPdgg6yieRqMW+KRK56NvHARZ4dvDoZFK3ySOALeF/i9hUzI42iCy0O8N39lvyCdQqVsh1ZRKOfp/yVtfpa+crSVPK2TK/DezxAE0TxWMewLdzGDhWUXugtGjgvNArKyHBS84F2rsOpDZRMfs1Yo8BJXZw3qT5bLFu1TkCU1sZvnzO7fNomw6exzWksgwRLCiQyigO26zDT99562VKyMLxSo0jW24mxN948jAg9vtGu5M95gunA+fRSJUu26E6pjhpS3ESkrcETmi074jwsIHPRts8NV9zZTNlnkigxKxqCGnbYgNiDqNRNK8eicLHn3nZht9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=j+q7sHypXOlRowsbB0TbvBhGeqo6NZcgUYskR6DrTJPVsaNOdxldABCpIYBtnRZpytb8NaleVgX84hn+wqy5as3e1845BoDH2jANfo5D6geIh3Vofc8VE7GykIOjyq93qgxLkfsdd20iU9gsgwMln8yZ0OUvSFR4tBeDXTcSOB0JT0pMq/iF+qiyva6TgwUA5XhHCwnpu0w1IkdHGlAAZpLkRAyiaqgf6dduuwqmz9Blu/wsgeAUSEE+djSXNoiFnWTaF03/lC7iANlqlQLELSw6d/lfNtozYKaZ9l4uHiYe+aoVk9LaowjlQkEWLw/ZAQ7XL6fUizHvmUpLcZYhog==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=temperror (sender ip
 is 2603:10c6:1:12::22) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=
Received: from MW2PR16CA0035.namprd16.prod.outlook.com (2603:10b6:907::48) by
 BY5PR02MB7044.namprd02.prod.outlook.com (2603:10b6:a03:232::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.20; Tue, 10 May
 2022 02:17:37 +0000
Received: from MW2NAM12FT006.eop-nam12.prod.protection.outlook.com
 (2603:10b6:907:0:cafe::9c) by MW2PR16CA0035.outlook.office365.com
 (2603:10b6:907::48) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.23 via Frontend
 Transport; Tue, 10 May 2022 02:17:36 +0000
X-MS-Exchange-Authentication-Results: spf=temperror (sender IP is
 2603:10c6:1:12::22) smtp.mailfrom=columbiacentral.edu; dkim=fail (signature
 did not verify) header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;
Received-SPF: TempError (protection.outlook.com: error in processing during
 lookup of columbiacentral.edu: DNS Timeout)
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36
 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40
 +0000
Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by
 SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000
Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com
 (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com
 (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend
 Transport; Sun, 8 May 2022 04:00:37 +0000
Authentication-Results-Original: spf=pass (sender IP is 168.245.125.63)
 smtp.mailfrom=send.ksd1.klaviyomail.com; dkim=pass (signature was verified)
 header.d=ksd1.klaviyomail.com;dmarc=none action=none
 header.from=biglifejournal.com;compauth=pass reason=102
Received-SPF: Pass (protection.outlook.com: domain of
 send.ksd1.klaviyomail.com designates 168.245.125.63 as permitted sender)
 receiver=protection.outlook.com; client-ip=168.245.125.63;
 helo=o1401.shared.klaviyomail.com;
Received: from o1401.shared.klaviyomail.com (168.245.125.63) by
 SY4AUS01FT005.mail.protection.outlook.com (10.114.156.159) with Microsoft
 SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.5227.15 via Frontend Transport; Sun, 8 May 2022 04:00:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
    h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
    s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
    b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
    ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
    FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=
Received: by filterdrecv-587b769b88-2bpk5 with SMTP id filterdrecv-587b769b88-2bpk5-1-62774062-56
        2022-05-08 04:00:34.371597831 +0000 UTC m=+2700818.931010760
Received: from MTk3MDQ3Mzc (unknown)
    by geopod-ismtpd-1-5 (SG) with HTTP
    id Rs3WzlZyRbmab0T598cUNQ
    Sun, 08 May 2022 04:00:34.261 +0000 (UTC)

What stands out to me is the DKIM fail:

 52.100.172.225) smtp.rcpttodomain=************************
 smtp.mailfrom=columbiacentral.edu; dmarc=none action=none
 header.from=biglifejournal.com; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com; arc=pass (0 oda=0 ltdi=1)

What 365 policy should I tweak to tighten picking up on these DKIM failures?

EDIT: I threw this through a header analyzer and there are TWO DKIM failures in there:

dkim:ksd1.klaviyomail.com:m1  

Dkim Public Record:
k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC6L9gyFVAyoilbWhRbDZp+S8sFyNK4ACBgovgHxfbrutEet95U/CaL0mUnhv4VmkbIK7vUM2lsZl5rqLMQf5FGapvT3lWYQOgWBtl2USeDDr5Y+LzaHA1XZ+5NVf+l6sAFRaKeabsIKidXfxkdDALgIOIdmF3WV+VI4TvMRo90hQIDAQAB

Dkim Signature (this is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed; d=ksd1.klaviyomail.com;
 h=content-type:from:mime-version:subject:reply-to:list-unsubscribe:to;
 s=m1; bh=ignkFy+p5H/cOKl305fEybl8jB7GJjbHDFUzuCHPfgY=;
 b=Sje97uAIGDZXT68b/atMmmyhc+HymmKzq6VYL9DqX8vLCaPc2D+5ZQ5oNx03m+QsjMqk
 ZgR+dA3mpPMpCDZKEA8KnkBqLfjcEy/yVW5UNh6QgUWDBl+Rw8Hf+zLSBWtAbJj+l4FaXL
 FsqsMZ45T6+SyssDqFLGm2aFlK7TFXoSY=

and

dkim:columbiacoedu.onmicrosoft.com:selector2-columbiacoedu-onmicrosoft-com  

Dkim Public Record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDOvOdOm9Ug9778qHNSHRfls8jR3NWGijSKHOo/T2z4WdACJHA3IDPMVB2q4cWnHt+KwAnWiRYWeSeBWkzqWBIiWgdn8kMh08+iMy86hfqKb7mzbWgXigdEdtzzD9RGy09FRKsy5sIPJMMavbPhzvJaS/KNmWEMEb09JXkMyNCnRQIDAQAB;

Dkim Signature (This too is a failure):
v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=columbiacoedu.onmicrosoft.com; s=selector2-columbiacoedu-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=YadlNX9F1tdHPU6GBSCru6/kZ/UxDewIfN1iyiWDfYU=;
 b=bT0lBDUtXDKcbaYKPzBcpv5vTzkI2emJ1pBGfaTd3x6neulCygKlzvKyHKYGlQlefNOrPONvGwR4V1yGol3jN/x2z6VwPq5+eHxvM9Apc/7zrdfEfOlCnaiM2mYScqeP/1qcKlgPUjJZQ+vpA/Djhp3XL+zdzWCJNfbjMC46VMs=
Score:0

It looks like you may have some spoofed received headers:

Received: from bouttecontour.cloud (195.58.39.136) looks like genuine injection to O365 at Tue, 10 May 2022 02:17:36 +0000

But the Received headers below that have a time disconnect and seem to show internal O365 processing BEFORE the injection.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000

Compare those to the headers from an example we're also investigating:

Received: from breckcraigint.pro (195.58.39.137) by DM6NAM12FT048.mail.protection.outlook.com (10.13.178.173) with Microsoft SMTP Server id 15.20.5250.8 via Frontend Transport; Mon, 9 May 2022 02:00:01 +0000

Again the header lines below this appear to show O365 processing - which match exactly with your example.

Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

Received: from SYXPR01CA0100.ausprd01.prod.outlook.com (2603:10c6:0:2e::33) by SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18; Sun, 8 May 2022 04:00:37 +0000

Received: from SY4AUS01FT005.eop-AUS01.prod.protection.outlook.com (2603:10c6:0:2e:cafe::e6) by SYXPR01CA0100.outlook.office365.com (2603:10c6:0:2e::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5227.18 via Frontend Transport; Sun, 8 May 2022 04:00:37 +0000

Score:0

OK, so after more digging I -EDIT: after comments, POSSIBLY- have my own answer. I did not have an Exchange Online rule for Authentication-Results that set SCL for dkim=fail.

For others looking:

  • Go to Exchange Online Admin
  • Mail Flow -> Rules
  • Add new rule and choose more options (or you won't see the header options)
  • Add a test for header "Authentication-Results" with contains "dkim=fail"
  • Action as set SCL to 6

I added a second rule that did the same as the above but with header "X-MS-Exchange-Authentication-Results".

Reference https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages?view=o365-worldwide

Admins can create Exchange mail flow rules (also known as transport rules) on the results of DKIM validation. These mail flow rules will allow admins to filter or route messages as needed.

Gerrit:
Blocking on DKIM fail is not really DMARC standard. Some originating servers for your mail domain may depend on SPF settings instead of DKIM to deliver mail. So, a little caution, this may block more than you actually want.
AngryCarrotTop:
Do you have ideas on an alternative solution? I've not accepted this as an answer yet. I only looked at filtering dkim=fail based on the Microsoft article linked.
Gerrit:
If I think about it, it wouldn't hurt to filter on dkim=fail in Authentication-Results as it would not require a dkim signature in order for any mail to come in. But most spammers actually use valid DKIM signatures. In this case it looks like a twice forwarded message with some strange header manipulation going on in one of the forwarders.
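As an added example (not from the question or any of the answers above), here is a Python triage of the posted headers that covers both points raised on this page: it extracts every dkim= result from the Authentication-Results and X-MS-Exchange-Authentication-Results headers (the two headers the mail flow rules above test), and it walks the Received chain to find hops that claim Microsoft-side processing below the hop where an external host handed the message to an O365 edge, as the second answer describes. The header text is a condensed subset of the question's header, constructed here for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample: a condensed subset of the headers quoted in the question.
RAW = """\
Authentication-Results: spf=pass (sender IP is 52.100.172.225)
 smtp.mailfrom=columbiacentral.edu; dkim=pass (signature was verified)
 header.d=columbiacoedu.onmicrosoft.com;dmarc=none action=none
X-MS-Exchange-Authentication-Results: spf=temperror
 smtp.mailfrom=columbiacentral.edu; dkim=fail (signature did not verify)
 header.d=ksd1.klaviyomail.com;dmarc=none action=none
Received: from bouttecontour.cloud (195.58.39.136) by
 MW2NAM12FT006.mail.protection.outlook.com (10.13.180.73) with Microsoft SMTP
 Server id 15.20.5250.8 via Frontend Transport; Tue, 10 May 2022 02:17:36 +0000
Received: from SYAPR01MB2960.ausprd01.prod.outlook.com (2603:10c6:1:12::22) by
 ME1PR01MB1235.ausprd01.prod.outlook.com with HTTPS; Sun, 8 May 2022 04:00:40 +0000

"""

def dkim_results(raw):
    """Return [(header, result, header.d)] for every dkim= clause; these are the
    values the 'header contains dkim=fail' mail flow rules match on."""
    msg = message_from_string(raw)
    out = []
    for name in ("Authentication-Results", "X-MS-Exchange-Authentication-Results"):
        for value in msg.get_all(name, []):
            flat = " ".join(value.split())  # unfold continuation lines
            for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", flat):
                out.append((name, m.group(1), m.group(2)))
    return out

def received_hops(raw):
    """Parse Received headers top-down (newest hop first) into (from, by, time)."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())
        m = re.match(r"from (\S+).*? by (\S+)", flat)
        if not m or ";" not in flat:
            continue  # skip hops with no from/by pair or no ';' timestamp
        ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), m.group(2), ts))
    return hops

def hops_claimed_before_injection(hops):
    """Locate the hop where a non-Microsoft host handed the mail to an O365 edge
    (the real injection); return it, the hops below it that still claim a
    Microsoft relay, and the time gap between the injection and the newest one."""
    for i, (frm, by, ts) in enumerate(hops):
        if by.endswith(".mail.protection.outlook.com") and not frm.endswith(".outlook.com"):
            below = [h for h in hops[i + 1:] if h[1].endswith(".outlook.com")]
            return frm, below, (ts - below[0][2] if below else None)
    return None, [], None
```

A gap of nearly two days between the injection hop and the "internal" hops beneath it, as here, is the time disconnect the second answer points at.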