Can’t understand why Unknown Sources fills with sources while the
DKIM (raw) and SPF (raw) columns show a pass value, but DKIM-DMARC is fail-unaligned and SPF-DMARC is fail-unaligned…
Like in that image:
Looks like the original message was forwarded to another email address (like after moving to a new email address) and some headers were cut while forwarding, and those emails are not shown in the “forwarded” list (by the way, I can’t understand why).
Maybe you can tell me more about that process.
And how to tell whether a source is legitimate or not in that Threat/Unknown sources list.
Because well-known email service providers often show up there…
And I can’t understand why I see “nxdomain” in the sources list…
My technical team and I reviewed the account. Email sources are identified under Threat/Unknown due to either being abuse related or not being cataloged by dmarcian as DMARC compliant. Please see dmarc.io/sources for a current list of DMARC-related email sources. Similar can be said for forwarders, in that they may be involved in forwarding abuse traffic or they are not cataloged by dmarcian as DMARC compliant. Please see dmarc.io/forwarders for a current list of DMARC-related email forwarders.
Even though both SPF and DKIM pass in this example, neither the SPF nor the DKIM domain is aligned with the From header, and consequently the mail stream is not DMARC compliant. Additionally, forwarded email can only be authenticated via DKIM; however, please also bear in mind that DKIM signatures can be inadvertently broken in the forwarding process. If custom DKIM signing is applied at the original source and the DKIM domain is aligned and still authenticates successfully after forwarding, the mail would then be DMARC compliant and data would begin showing up under Servers that preserve DKIM under the Forwarder tab.
NXDOMAIN is a label applied to servers originating email that do not have a PTR record, which is common for servers originating and/or relaying abuse-related email. For other sources you may be investigating in Threat/Unknown, you can click on the country flag to load Cisco Talos, which will provide further information about the particular server and can often aid in determining whether a source is legitimate. If you deem a source to be legitimate, you can hit the Source Legitimate button to submit it for review by dmarcian staff. Please keep in mind, however, that even if you make that submission it will still be necessary to mitigate with either SPF or DKIM authentication (both are preferred where possible).
SPF authentication requires the same domain as in the From header to be used in the Return-Path, and an appropriate entry that authenticates the sending server(s) to be added to your SPF record. DKIM authentication would require the source/vendor to enable custom DKIM signing using the same domain that is in the From header, and then a TXT entry in your DNS containing the public key information (or a CNAME that points to a public key hosted with the source/vendor). In either case, it would be recommended to contact the source/vendor to determine what DMARC-compliant options they might offer.
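The "raw pass but DMARC fail-unaligned" situation described in the reply above comes down to identifier alignment: DMARC does not ask whether SPF or DKIM passed, it asks whether the domain that passed matches the From header domain (exactly under strict alignment, or by organizational domain under relaxed alignment). The following is an added example, not dmarcian's code and not part of the original thread: it applies that rule to constructed aggregate-report `<record>` elements in the RFC 7489 XML shape. The `org_domain` helper is an assumed stand-in for the Public Suffix List and only knows a handful of multi-label suffixes; a real evaluator must use the full list.

```python
"""DMARC identifier alignment applied to raw SPF/DKIM results from an
aggregate (rua) report record. Added example; not dmarcian's code."""
import xml.etree.ElementTree as ET

# Assumption: a tiny stand-in for the Public Suffix List. Real evaluators
# load the whole list; this only covers a few common multi-label suffixes.
_MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed ('r') alignment."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same
    organizational domain. Comparison is case-insensitive."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(from_domain, spf, dkim, aspf="r", adkim="r"):
    """Turn raw results into a DMARC verdict.

    spf  : (domain SPF checked, raw result) or None
    dkim : list of (d= domain, raw result), one entry per signature
    A raw 'pass' only counts for DMARC when its domain aligns with From:.
    """
    spf_raw = spf is not None and spf[1] == "pass"
    spf_ok = spf_raw and is_aligned(spf[0], from_domain, aspf)
    dkim_raw = any(r == "pass" for _, r in dkim)
    dkim_ok = any(r == "pass" and is_aligned(d, from_domain, adkim) for d, r in dkim)
    return {
        "spf_raw": spf_raw, "spf_dmarc": spf_ok,
        "dkim_raw": dkim_raw, "dkim_dmarc": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


def evaluate_record(record_xml: str, aspf="r", adkim="r"):
    """Evaluate one <record> element from an RFC 7489 aggregate report."""
    rec = ET.fromstring(record_xml)
    from_domain = rec.findtext("identifiers/header_from")
    spf_el = rec.find("auth_results/spf")
    spf = None
    if spf_el is not None:
        spf = (spf_el.findtext("domain"), spf_el.findtext("result"))
    dkim = [(d.findtext("domain"), d.findtext("result"))
            for d in rec.findall("auth_results/dkim")]
    verdict = evaluate(from_domain, spf, dkim, aspf, adkim)
    verdict["source_ip"] = rec.findtext("row/source_ip")
    verdict["count"] = int(rec.findtext("row/count"))
    return verdict


# Constructed sample: both raw checks pass, but the vendor signed and
# bounced with its own domains, so neither identifier aligns with From:.
UNALIGNED_RECORD = """<record>
  <row>
    <source_ip>192.0.2.10</source_ip>
    <count>3</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>esp.example.net</domain><result>pass</result></dkim>
    <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf>
  </auth_results>
</record>"""

# Constructed sample: the same message after forwarding. SPF now reflects the
# forwarder's domain, but the origin's aligned DKIM signature survived the hop.
FORWARDED_RECORD = """<record>
  <row>
    <source_ip>198.51.100.7</source_ip>
    <count>1</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>forwarder.example.org</domain><result>pass</result></spf>
  </auth_results>
</record>"""

if __name__ == "__main__":
    for rec in (UNALIGNED_RECORD, FORWARDED_RECORD):
        print(evaluate_record(rec))
```

The first record reproduces the screenshot symptom: `spf_raw` and `dkim_raw` are both true while `spf_dmarc` and `dkim_dmarc` are both false, so the verdict is `fail`. The second shows why the reply says forwarded mail can only be rescued by DKIM: SPF is evaluated against the forwarder's envelope domain and cannot align, but a DKIM signature with `d=` equal to the From domain still passes if the forwarder left the signed headers and body untouched.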