Need help understanding what's happening

Hello, can someone help me with this? We’re monitoring DMARC reports for a customer and there’s another company in the same city that seems to be sending emails under my customer’s domain:

Very strange. Who is the “real sender” here? Is it “tech…net” trying to send as “ville…com”, or is it “ville…com” trying to send as “tech…net”? IP starting with 136 seems to be the source SMTP server, and we called “ville…com” company and they confirmed they are using this provider.

Can you also tell me what the DKIM “mega…com” d+ entry means?

Might I suggest that you run through the interactive tutorial over at Learn DMARC?

In the meantime let’s work across the columns in your screenshot from left to right.

From: Domain contains the domain found in the RFC 5322 From field. That’s the one that is displayed in the recipient’s email client.

IP is the IP of the SMTP relay that transferred the message to the reporting MTA.

PTR/Server is the reverse DNS name of the IP in the previous column.

Country is the country that the aforementioned IP is reported to be in.

Volume is the number of emails that were received by the reporting MTA and are included in its report.

Policy is the DMARC policy applied by the reporting MTA.

SPF/DMARC is the result of the SPF test in a DMARC context. Here we can see that it fails because the RFC 5321 From (return path or envelope sender) and RFC 5322 From domains do not match.

SPF/Raw shows us the result of the SPF policy evaluation of the RFC 5321 From domain. We can see here that it passes the policy published by that domain.

SPF/Mail From shows us the domain name of the RFC 5321 From address.

DKIM/DMARC is the result of the DKIM signature found in the context of the DMARC policy. Here we see that it fails because the domain in the DKIM signature does not match the domain in the RFC 5322 From address.

DKIM/Raw tells us whether or not the DKIM signature is cryptographically valid. We see here that it is.

DKIM/d= shows the domain that is reported to have made the DKIM signature. We see here that mega…com reportedly signed this message.

DKIM/Selectors indicates which selector should be queried in the reported signing domain DNS to obtain the public key required to verify the signature. Here we see that it is mailtor which means that the TXT record of mailtor._domainkey.mega…com will contain the necessary public key.

Reporter tells us who submitted this report. This one came from Google.

Since the raw DKIM successfully verifies, you know that mega…com signed the email and is likely the real sender. Without knowing who any of the obfuscated domains are, it is hard to say anything more.

Note that I am not saying that it is necessary to reveal the domains, but rather that we have no idea which one is your customer nor can we discern the relationship of the other domains, if any, to your customer.
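The column-by-column reading above, as an added example that is not part of the original reply: it parses one DMARC aggregate-report record and derives the raw and DMARC-context results, including the DNS name that holds the DKIM public key. The record is constructed, all domains, the selector and the IP are placeholders (the thread's domains are obfuscated), and the organizational-domain rule is a simplification.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate-report record; every domain, selector and IP is a placeholder.
SAMPLE = """<record>
  <row>
    <source_ip>192.0.2.10</source_ip>
    <count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>customer.example</header_from></identifiers>
  <auth_results>
    <dkim><domain>signer.example</domain><selector>sel1</selector><result>pass</result></dkim>
    <spf><domain>bounce.othercompany.example</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Assumption: the organizational domain is the last two labels.
    # Real evaluators consult the Public Suffix List instead.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def in_dmarc_context(raw_result, auth_domain, header_from):
    # "pass" only if the raw check passed AND the domain aligns (relaxed mode).
    ok = raw_result == "pass" and org_domain(auth_domain) == org_domain(header_from)
    return "pass" if ok else "fail"

def explain_record(xml_text):
    rec = ET.fromstring(xml_text)
    hfrom = rec.findtext("identifiers/header_from")
    spf = rec.find("auth_results/spf")
    spf_raw, mail_from = spf.findtext("result"), spf.findtext("domain")
    sigs = [(d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
            for d in rec.findall("auth_results/dkim")]
    spf_dmarc = in_dmarc_context(spf_raw, mail_from, hfrom)
    # One valid, aligned signature is enough for DKIM to pass in the DMARC context.
    dkim_dmarc = "pass" if any(
        in_dmarc_context(r, d, hfrom) == "pass" for d, _, r in sigs) else "fail"
    return {
        "from_domain": hfrom,
        "ip": rec.findtext("row/source_ip"),
        "volume": int(rec.findtext("row/count")),
        "spf_mail_from": mail_from, "spf_raw": spf_raw, "spf_dmarc": spf_dmarc,
        "dkim_raw": [r for _, _, r in sigs], "dkim_dmarc": dkim_dmarc,
        "dkim_key_records": [f"{s}._domainkey.{d}" for d, s, _ in sigs],
        "dmarc": "pass" if "pass" in (spf_dmarc, dkim_dmarc) else "fail",
    }

if __name__ == "__main__":
    for column, value in explain_record(SAMPLE).items():
        print(f"{column:18} {value}")
```
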