Avatar of mbkitmgr
Flag for Australia asked on

DMARC and SPF not protecting as expected.

Is use DMARC and SPF to protect my domain, however a client recently became infected with malware and propogated the malware via spoofed email.  Now clients of mine are receiving mail addressed as me.  The question is how, what have I missed here.

DMARC Record
v=DMARC1; p=none; rua=mailto:helpdesk@mydomain,mailto:7ffa0582@mxtoolbox.dmarc-report.com; ruf=mailto:My.name@mydomain,mailto:7ffa0582@forensics.dmarc-report.com; fo=1

v=spf1 +a +mx +ip4:M111.111.111.111 ~all
  • IP is my public IP address
  • MX is my cload spam filter provider.
AntiSpamEmail ServersDNSEmail Protocols

Avatar of undefined
Last Comment

8/22/2022 - Mon
David Johnson, CD

it is up to the receiver to act on dkim missing or invalid. Per RFC4781 Email servers should not reject messages because of missing or unverifiable DKIM signatures.  They instead should get a spam confidence level that is high
~all is a softfail,Allow mail whether or not it matches the parameters in the record
-all is a hard fail
Dr. Klahn

David is correct.  DKIM, DMARC and SPF actions are always taken at the receiving end.  You can say "Here are our keys, verify against them" and "Here are our approved senders, verify against this list" but at the end of the day what a receiving MTA does is not under your control.

Regarding SPF:  If SPF policy commands a hard fail, some valid email is going to be rejected by MTAs which don't process SPF correctly.  If SPF policy commands a soft fail, receiving MTAs are going to let the email pass whether it's valid or not - which is useless as far as validation.

SPF can validate a sender but (I/M/O) as far as invalidating an invalid sender it is not useful and should not be used for that purpose.

Thanks David and Dr Klahn.  We are certainly on the same page about the receiver needing to verify the msg validity via SPF etc, the thing that has me stumped is that O365 is letting them thru and at least one other cloud based spam filter service that I am aware of.  I expected O365 spam filter to have rejected the messages, and hence checking what I hove not done.

I thought that the settings I had chosen were adequate to stop spoofing in this way.  

Should I change '+a' to 'a' and change ~all to -all?
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Thanks Footech,

I ended up checking with DMARC.org after reading your post.  I'm not using O365, but I've taken the leap and set the policy in DMARC to p=reject.  My on-prem exchange server is the only source for email so it should not present any issues.  

Thats interesting about O365 and DMARC.  It explains a recent event where another B2B client opened an attachment that was loaded.  It sent itsef out, was stopped in its tracks except for other companies on O365, who received it without modification or flagging.

Many thanks for the input