Join Log in
Score:1
Karl.S avatar Server

I don't understand DMARC reports regarding my policy

in flag
Karl.S

My DMARC settings seems to not work as expected.

First, a few things to note:

  • The domain is mydomain.com (not the real one obviously) ;
  • The domain and mail provider is gandi.net ;
  • I use Amazon SES to send emails from a website using noreply@mydomain.com ;
  • I use Gmail to send and receive emails for me@mydomain.com ;

The SPF record is set as TXT on mydomain.com:

"v=spf1 include:_mailcust.gandi.net include:amazonses.com include:_spf.google.com ~all"
  • include:_mailcust.gandi.net allows gandi.net to send emails using mydomain.com ;
  • include:amazonses.com allows amazonses.com to send emails using mydomain.com ;
  • include:google.com allows google.com to send emails using mydomain.com ;
  • ~all allows any other servers to send emails using mydomain.com but will result in an SPF check FAIL (softfail)

The DMARC record is set as TXT on _dmarc.mydomain.com:

"v=DMARC1; p=quarantine; sp=reject; pct=5; fo=1; rua=mailto:dmarc@mydomain.com;"
  • p=quarantine delivers emails that failed a SPF/DKIM check and mark them as spam ;
  • sp=reject rejects emails sent using an address with a subdomain like noreply@news.mydomain.com ;
  • pct=5 applies the policy (p and not sp?) to 5% of emails ;
  • fo=1 sends reports for DKIM failure OR SPF failure ;

Now the weird things, in this DMARC RUA report:

  <record>
    <row>
      <source_ip>40.107.12.85</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>GovSIPF.onmicrosoft.com</domain>
        <result>pass</result>
        <selector>selector1-GovSIPF-onmicrosoft-com</selector>
      </dkim>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>administration.gov.pf</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
  • The source IP 40.107.12.85 is from outlook.com but I don't use outlook ;
  • There is a DKIM block with the domain GovSIPF.onmicrosoft.com, GovSIPF is one of my customer ;
  • There is an SPF block with the domain administration.gov.pf which is the domain they use for their email addresses like someone@administration.gov.pf ;

I don't understand why I see a SPF block with the domain administration.gov.pf, does it mean that they sent an email with an address like someone@mydomain.com through outlook.com servers ?

Another DMARC report a little different:

  <record>
    <row>
      <source_ip>202.90.68.50</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>gm1</selector>
      </dkim>
      <spf>
        <domain>mydomain.com</domain>
        <result>softfail</result>
      </spf>
    </auth_results>
  </record>
  • The source IP 202.90.68.50 is from mana.pf, a local ISP but we don't use it ;
155
2 + 1
spf
anx avatar
fr flag
anx
Consider having your DMARC reports processed by a dedicated software or service provider that will automatically issue notifications. Otherwise cost/benefit of reading them quickly becomes excessive. (Thanks for a well-formatted question with all relevant details quoted!)
1
Reply
Score:2
fvsdpl avatar Server
mq flag
fvsdpl

The source IP 40.107.12.85 is from outlook.com but I don't use outlook ;

The <source_ip> value is the IP where the original email came from.

It does not necessarily need to be a server you use.

There is a DKIM block with the domain GovSIPF.onmicrosoft.com, GovSIPF is one of my customer ;

DKIM check passed. This is a strong indication that the email was sent using Outlook.

Notice that there is a second DKIM pass auth block for mydomain.com too.

There is an SPF block with the domain administration.gov.pf(...)

SPF checks passed too. This means that the Outlook IP in <source_ip> is authorized to send emails *@administration.gov.pf.

(...)does it mean that they sent an email with an address like someone@mydomain.com through outlook.com servers ?

Yes.

And since you don't use Outlook, this most likely was a forwarded email send from one of your servers. DMARC checks pass for the email because the DKIM authentication result for mydomain.com pass (the result is “in alignment”).

+ 0
Score:1
anx avatar Server
fr flag
anx

You get the report when someone uses your From: and the recipient is respecting your request to have this reported. The report does not necessarily indicate which of those messages were newly originating from machines under your control, and which records pertain to your messages that have been forwarded. You have to process that report yourself with your local knowledge, ideally in some automated fashion. Note that you cannot with certainty tell which message it was, there might have been a significant delay between their receipt and forwarding - only limited by how long you have been using this DKIM key.

If they left your signature intact (DKIM for your domain is still passing), and your signature is signing a reasonable selection of headers, this does not indicate abuse. As long as your messages were not for legal reasons restricted in where they should be forwarded, there is nothing to do here.

does it mean that they sent an email with an address like someone@mydomain.com through outlook.com servers

Certainly looks like it, since your first example even has their signature added, and if you lookup the SPF & MX record of that domain, you can tell they indeed usually use outlook for both incoming and outgoing mail. Note that this does not have to have been a manual action, a mailbox in that domain might be setup to simply forward everything.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.