I have been receiving a lot of spam originating from chinaunicom.cn servers that I report via spamcop.net. Spamcop claims the email is being sent from numerous servers (ipv6 addresses) directly to the inbound mail gateway I use. Most of the mail passes SPF checks because the sending domain specified “softfail”. I was able to block some domains via my inbound mail gateway but could not do that for mail claimed to come from Google, Apple, and Microsoft domains. It seems odd that with all the churn about DKIM, these domains are still using SPF “softfail”. Am I missing something?
The good news is that with the help of the information provided by dmarcian, I have been able to almost eliminate mail spoofing of my own domain.
While it is generally recommended for domains to use the “-” qualifier with the “all” mechanism, the great majority of receivers will not differentiate between both. Currently, the biggest incentive in choosing “-all” is to comply with security audits performed by services such as Bitsight.
For instance, in Microsoft 365, the default disposition for hardfail is the same as softfail. You need to specifically turn it on so that a hardfail results in a spam verdict every time. Note that it is to mark the email as spam, not reject it. A reject action can be taken, but it would apply to all spam verdicts. It would be preferable to create a custom mail flow rule to reject such messages with a message.
Moreover, DMARC is built on top of DKIM and SPF, and typically DMARC check results will supersede the individual verdict of SPF and DKIM. This means even when SPF is set to hardfail, a DMARC action of “none” will likely supersede it. Some email security services will allow custom actions to override this, but not all.
Ultimately, your case is unfortunately common, and custom or manual actions are sometimes the best course of action.
Hi Asher, thanks for the detailed response. I am using a POP/IMAP mail gateway provided by my hosting provider. I can enable “Block messages that hard-fail SPF checks” but the spammers are able to bypass this since outlook.com and icloud.com both have SPF records set to “softfail”. I had a look at the root outlook/live DMARC records - they specify sp=quarantine for subdomains and p=none which I interpret as doing nothing if email from these domains fail the DMARC test. None of the spam I am getting from chinaunicom provides DKIM records, so even if my mail gateway provider implemented DMARC checking, mail spoofed from @outlook.com or @live.com would still be passed through. The DMARC record for Gmail has the same setup, while Yahoo has p=reject and no sp= tag.
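As an added example (not code from either poster), here is a small Python model of the evaluation Asher describes and of the outlook.com/live.com case above: DMARC only passes on an aligned SPF or DKIM *pass*, so a softfail with no DKIM signature falls through to the domain's p= or sp= policy. The SPF and DMARC records are constructed to mirror the setups described in the thread (p=none with sp=quarantine, and p=reject), not copied from any provider's DNS, and the organizational-domain logic is a two-label simplification.

```python
# Constructed records mirroring the setups the thread describes; they are
# not copies of any provider's live DNS data.
SPF_SOFTFAIL = "v=spf1 include:_spf.example.net ~all"
DMARC_NONE_SUB_QUARANTINE = "v=DMARC1; p=none; sp=quarantine; rua=mailto:dmarc@example.com"
DMARC_REJECT = "v=DMARC1; p=reject"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_result(spf_txt):
    """SPF result for a sender matched by nothing but the trailing 'all' term."""
    for term in spf_txt.split()[1:]:
        if term.lstrip("+-~?") == "all":
            return QUALIFIERS.get(term[0], "pass")  # bare 'all' means '+all'
    return "neutral"  # no 'all' term: RFC 7208 default result

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    """Simplification: treat the last two labels as the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_disposition(from_domain, dmarc_txt, spf_result, spf_domain, dkim_result, dkim_domain=None):
    """Relaxed-alignment DMARC check; returns (dmarc_result, requested_action)."""
    # Only an SPF or DKIM *pass* on an aligned domain satisfies DMARC; a softfail
    # (or even a hardfail) leaves the outcome to the domain's p=/sp= policy.
    tags = parse_dmarc(dmarc_txt)
    od = org_domain(from_domain)
    spf_ok = spf_result == "pass" and bool(spf_domain) and org_domain(spf_domain) == od
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and org_domain(dkim_domain) == od
    if spf_ok or dkim_ok:
        return "pass", "none"
    if from_domain.lower() != od and "sp" in tags:
        return "fail", tags["sp"]  # subdomain From: uses sp= when present
    return "fail", tags.get("p", "none")

if __name__ == "__main__":
    spf = spf_all_result(SPF_SOFTFAIL)  # 'softfail': not a DMARC pass
    # Spoofed From: @example.com, no DKIM, p=none -> receiver takes no action
    print(dmarc_disposition("example.com", DMARC_NONE_SUB_QUARANTINE, spf, "example.com", "none"))
    # Same spoof against a subdomain -> sp=quarantine applies instead
    print(dmarc_disposition("mail.example.com", DMARC_NONE_SUB_QUARANTINE, spf, "mail.example.com", "none"))
```

Swapping in the p=reject record shows why a receiver that honours DMARC would drop the same spoof when the domain owner publishes a reject policy.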