Spoofed DKIM?


I am using the dmarcian XML-to-human converter to align and set up my DMARC policy along with SPF and DKIM.
I noticed something very strange: some emails are sent with my domain in the “from domain”, and the PTR/Server records show a sender that is not allowed to send emails. For this reason SPF failed, but DKIM states that it is aligned even when the selector shown isn’t related to this sender's mail server (in other words, the mail server that sends the message should not sign them with the private key, because it does not seem to have it). So how is this possible? A sender that is not authenticated to sign messages with a where the selector field is valid but bound to another (authenticated) sender.

Hi Jovanny and welcome to the forums!

This is typical of successful forwarding. Most automatic forwarding will rewrite the return-path due to SRS (Sender Rewriting Scheme), which will cause an alignment failure when DMARC is checked by the final destination email system. However, automatic forwarding should maintain the original headers, including, and more importantly, the “from” header (hence why you are seeing DMARC data for this kind of email). Since DKIM is a header, there are chances where it will still pass.

All in all, this is normal, and it means DKIM is doing its job in helping email still pass DMARC even when recipients of your emails may be automatically forwarding emails received from your domain elsewhere.

I hope that helps.

1 Like
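
The pattern discussed in this thread (SPF not aligned, DKIM aligned, unfamiliar source IP) can be picked out of a DMARC aggregate report programmatically. The following is an added example, not code from the thread or from dmarcian; the report fragment, domains, IP addresses, selector and label strings are all constructed for illustration, and the element names follow the RFC 7489 aggregate report schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two records from a DMARC aggregate report (RFC 7489 schema).
SAMPLE_REPORT = """<feedback>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
   <spf><domain>forwarder.example.net</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.9</source_ip><count>1</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>unknown.example.org</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>"""

# policy_evaluated holds the *aligned* results; labels are this example's own wording.
LABELS = {  # (aligned DKIM, aligned SPF) -> interpretation
    ("pass", "pass"): "direct: both aligned",
    ("pass", "fail"): "dkim-only: consistent with forwarding",
    ("fail", "pass"): "spf-only: signature missing or broken",
    ("fail", "fail"): "unauthenticated: investigate source",
}

def classify(report_xml):
    """Return one dict per record: source IP, DMARC result, label, passing DKIM signers."""
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        pe = rec.find("row/policy_evaluated")
        dkim, spf = pe.findtext("dkim"), pe.findtext("spf")
        # Raw DKIM results show which d= domain and selector actually verified.
        signers = [(d.findtext("domain"), d.findtext("selector"))
                   for d in rec.findall("auth_results/dkim")
                   if d.findtext("result") == "pass"]
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "dmarc": "pass" if "pass" in (dkim, spf) else "fail",
            "label": LABELS.get((dkim, spf), "unknown"),
            "signers": signers,
        })
    return rows

if __name__ == "__main__":
    for r in classify(SAMPLE_REPORT):
        print(r)
```

In the first record the signature from the domain's own selector verified even though the message arrived from an unrelated IP, which is the forwarding case; the second record has no passing signature at all and is the one that warrants a closer look.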