I am pretty new to dmarcian and I've set up our parked domains with SPF hard fails, and our active sending domain uses the SPF record of our hosted Exchange provider. For now, the DMARC policy is set to none in order to gather more data before moving to the quarantine tag.
Because of limited technical capabilities, we are not able to use DKIM until our provider has made some changes to their infrastructure later this year.
Now, I've seen one source popping up as a threat every once in a while. The reporter is Google and the DKIM entry points to the trustee of our Argentinian branch. The PTR record shows the server used is from toservers.com. I am not exactly sure what to make of this.
Since the DKIM entry in the report shows it's our ARG trustee, I don't think something shady is going on there, but I want to make sure. How can I make sense of these threat reports?
That means that some mails are sent using an RFC5322 From address of (one of) your domain(s) where DMARC checks fail. That in turn means that BOTH of the following are true:
a) SPF check fails (sending server is not authorized to send mail for the domain in the RFC5321 Mail.From), OR SPF raw succeeds but does not DMARC-align (RFC5322 From does not relate to RFC5321 Mail.From)
b) DKIM check fails (signature is missing or incorrect), OR DKIM raw succeeds (correct signature, but the signing domain (d=) does not relate to RFC5322 Mail.From)
If you believe the mail is legitimate, you should investigate and document that mailflow, including the systems and servers involved, and the responsible persons and part of your org. Then you should request/help them to make these mails DMARC compliant.
As the servers involved are already capable of DKIM-signing mails, they can be authorized using both DKIM and SPF.
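To make the two conditions in the answer concrete, here is an added example (not dmarcian's code, and not part of the thread) that re-derives the DMARC verdict from the raw `auth_results` of an aggregate (RUA) report record instead of trusting the reporter's `policy_evaluated` block. It assumes the RFC 7489 aggregate-report XML layout, approximates the organizational domain by the last two labels (a real tool would use the Public Suffix List), and uses a constructed two-record report: the first record reproduces the situation in the question (SPF and DKIM both pass in the raw sense, but neither identifier belongs to the From domain), the second has a failing SPF but an aligned DKIM signature.

```python
"""Recompute DMARC alignment from raw auth_results in an aggregate report.

Added example, not dmarcian's code. Assumptions: RFC 7489 aggregate-report
XML layout; organizational domain approximated by the last two labels
(a production implementation would consult the Public Suffix List).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample report for the domain example.com (not a real report).
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>ar-trustee.example.net</domain><result>pass</result></dkim>
      <spf><domain>outbound.hoster.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)


@dataclass
class Verdict:
    source_ip: str
    count: int
    header_from: str
    spf_aligned: bool
    dkim_aligned: bool
    reasons: list = field(default_factory=list)

    @property
    def dmarc_pass(self) -> bool:
        # DMARC passes if EITHER identifier passes and aligns.
        return self.spf_aligned or self.dkim_aligned


def evaluate_record(rec: ET.Element, adkim: str, aspf: str) -> Verdict:
    header_from = rec.findtext("identifiers/header_from", "")
    reasons = []

    # (a) SPF must pass AND the RFC5321 Mail.From domain must align.
    spf_domain = rec.findtext("auth_results/spf/domain", "")
    spf_result = rec.findtext("auth_results/spf/result", "none")
    spf_aligned = False
    if spf_result != "pass":
        reasons.append(f"a) SPF {spf_result} for {spf_domain or '<none>'}")
    elif not aligned(spf_domain, header_from, aspf):
        reasons.append(f"a) SPF passes for {spf_domain} but is not aligned with {header_from}")
    else:
        spf_aligned = True

    # (b) Some DKIM signature must verify AND its d= domain must align.
    dkim_aligned = False
    sigs = rec.findall("auth_results/dkim")
    if not sigs:
        reasons.append("b) DKIM signature missing")
    for sig in sigs:
        d = sig.findtext("domain", "")
        result = sig.findtext("result", "none")
        if result != "pass":
            reasons.append(f"b) DKIM {result} for d={d}")
        elif not aligned(d, header_from, adkim):
            reasons.append(f"b) DKIM passes for d={d} but is not aligned with {header_from}")
        else:
            dkim_aligned = True

    return Verdict(rec.findtext("row/source_ip", ""), int(rec.findtext("row/count", "0")),
                   header_from, spf_aligned, dkim_aligned, reasons)


def evaluate_report(xml_text: str) -> list:
    """Evaluate every <record> using the published alignment modes."""
    root = ET.fromstring(xml_text)
    adkim = root.findtext("policy_published/adkim", "r")
    aspf = root.findtext("policy_published/aspf", "r")
    return [evaluate_record(rec, adkim, aspf) for rec in root.findall("record")]


if __name__ == "__main__":
    for v in evaluate_report(SAMPLE_REPORT):
        print(f"{v.source_ip} x{v.count} From={v.header_from}: "
              f"{'DMARC pass' if v.dmarc_pass else 'DMARC fail'}")
        for r in v.reasons:
            print("   ", r)
```

Running it prints the first source as a DMARC fail with both reasons (a) and (b) listed, which is exactly the "raw pass, not aligned" case the answer describes: the trustee's server signs correctly and is SPF-authorized for its own domain, but nothing ties either identifier to your From domain. The second source passes on DKIM alone despite the SPF failure. The `reasons` list is what you would hand to the responsible team when documenting the mailflow.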