asked on DMARC and SPF not protecting as expected.
Is use DMARC and SPF to protect my domain, however a client recently became infected with malware and propogated the malware via spoofed email. Now clients of mine are receiving mail addressed as me. The question is how, what have I missed here.
Details
DMARC Record
v=DMARC1; p=none; rua=mailto:helpdesk@mydomain,mailto:7ffa0582@mxtoolbox
SPF
v=spf1 +a +mx +ip4:M111.111.111.111 ~all
where
Details
DMARC Record
v=DMARC1; p=none; rua=mailto:helpdesk@mydomain,mailto:7ffa0582@mxtoolbox
SPF
v=spf1 +a +mx +ip4:M111.111.111.111 ~all
where
- IP is my public IP address
- MX is my cload spam filter provider.
AntiSpamEmail ServersDNSEmail Protocols
Last Comment
mbkitmgr
David is correct. DKIM, DMARC and SPF actions are always taken at the receiving end. You can say "Here are our keys, verify against them" and "Here are our approved senders, verify against this list" but at the end of the day what a receiving MTA does is not under your control.
Regarding SPF: If SPF policy commands a hard fail, some valid email is going to be rejected by MTAs which don't process SPF correctly. If SPF policy commands a soft fail, receiving MTAs are going to let the email pass whether it's valid or not - which is useless as far as validation.
SPF can validate a sender but (I/M/O) as far as invalidating an invalid sender it is not useful and should not be used for that purpose.
Regarding SPF: If SPF policy commands a hard fail, some valid email is going to be rejected by MTAs which don't process SPF correctly. If SPF policy commands a soft fail, receiving MTAs are going to let the email pass whether it's valid or not - which is useless as far as validation.
SPF can validate a sender but (I/M/O) as far as invalidating an invalid sender it is not useful and should not be used for that purpose.
ASKER
Thanks David and Dr Klahn. We are certainly on the same page about the receiver needing to verify the msg validity via SPF etc, the thing that has me stumped is that O365 is letting them thru and at least one other cloud based spam filter service that I am aware of. I expected O365 spam filter to have rejected the messages, and hence checking what I hove not done.
I thought that the settings I had chosen were adequate to stop spoofing in this way.
Should I change '+a' to 'a' and change ~all to -all?
I thought that the settings I had chosen were adequate to stop spoofing in this way.
Should I change '+a' to 'a' and change ~all to -all?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks Footech,
I ended up checking with DMARC.org after reading your post. I'm not using O365, but I've taken the leap and set the policy in DMARC to p=reject. My on-prem exchange server is the only source for email so it should not present any issues.
Thats interesting about O365 and DMARC. It explains a recent event where another B2B client opened an attachment that was loaded. It sent itsef out, was stopped in its tracks except for other companies on O365, who received it without modification or flagging.
I ended up checking with DMARC.org after reading your post. I'm not using O365, but I've taken the leap and set the policy in DMARC to p=reject. My on-prem exchange server is the only source for email so it should not present any issues.
Thats interesting about O365 and DMARC. It explains a recent event where another B2B client opened an attachment that was loaded. It sent itsef out, was stopped in its tracks except for other companies on O365, who received it without modification or flagging.
ASKER
Many thanks for the input
~all is a softfail,Allow mail whether or not it matches the parameters in the record
-all is a hard fail