Hi, 

Apologies if this is the wrong forum, or I'm being particularly clueless about 
this, but I've recently implemented DMARC for my domain symposion.co.uk, and was 
surprised by a report I just received. I wanted to check if this was a known 
phenomenon, a misunderstanding on my part, or some genuine (and rather 
worrying) abuse.

The report is included at the bottom of this message. If I'm understanding 
correctly, this is Yahoo telling me that it has rejected a message according to 
my DMARC configuration. In particular, the message was sent from a mail 
server with IP 173.0.84.228, and it failed because the message claimed in the 
headers to be from symposion.co.uk but in fact wasn't. What's odd is that the 
message passes both DKIM and SPF as paypal.com, and the mail server address is 
indeed mx3.slc.paypal.com. So it looks like PayPal is trying to spoof me! Is 
this a known issue with some elements of PayPal's systems vs DMARC, a sign of 
something more sinister, or just me misunderstanding?

Many thanks,

Lucian


<?xml version="1.0"?> 
<feedback> 
  <report_metadata> 
    <org_name>Yahoo! Inc.</org_name> 
    <email>[email protected]</email> 
    <report_id>1361873612.854332</report_id> 
    <date_range> 
      <begin>1361750400</begin> 
      <end>1361836799 </end> 
    </date_range> 
  </report_metadata> 
  <policy_published> 
    <domain>symposion.co.uk</domain> 
    <adkim>r</adkim> 
    <aspf>r</aspf> 
    <p>reject</p> 
    <pct>100</pct> 
  </policy_published> 
  <record> 
    <row> 
      <source_ip>173.0.84.228</source_ip> 
      <count>1</count> 
      <policy_evaluated> 
        <disposition>reject</disposition> 
        <dkim>fail</dkim> 
        <spf>fail</spf> 
      </policy_evaluated> 
    </row> 
    <identifiers> 
      <header_from>symposion.co.uk</header_from> 
    </identifiers> 
    <auth_results> 
      <dkim> 
        <domain>paypal.com</domain> 
        <result>pass</result> 
      </dkim> 
      <spf> 
        <domain>paypal.com</domain> 
        <result>pass</result> 
      </spf> 
    </auth_results> 
  </record> 
</feedback> 



-- 
Lucian Holland
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
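
An added example, not part of the original message, showing how a DMARC receiver gets from the auth_results in a report like the one above to the policy_evaluated results: an SPF or DKIM pass only counts when its domain is aligned with header_from. The public-suffix set and the trimmed report are constructed for illustration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}
# Constructed sample mirroring the fields of the report above (metadata omitted).
SAMPLE_REPORT = """<feedback>
  <policy_published>
    <domain>symposion.co.uk</domain><adkim>r</adkim><aspf>r</aspf><p>reject</p>
  </policy_published>
  <record>
    <row><source_ip>173.0.84.228</source_ip></row>
    <identifiers><header_from>symposion.co.uk</header_from></identifiers>
    <auth_results>
      <dkim><domain>paypal.com</domain><result>pass</result></dkim>
      <spf><domain>paypal.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed) compares organizational domains; 's' (strict) needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(report_xml):
    """Return one dict per record with the alignment-aware DKIM, SPF and DMARC verdicts."""
    root = ET.fromstring(report_xml)
    policy = root.find("policy_published")
    modes = {"dkim": policy.findtext("adkim", "r").strip(), "spf": policy.findtext("aspf", "r").strip()}
    out = []
    for rec in root.iter("record"):
        hfrom = rec.findtext("identifiers/header_from").strip()
        row = {"source_ip": rec.findtext("row/source_ip").strip(), "header_from": hfrom}
        for mech in ("dkim", "spf"):
            ok = any(a.findtext("result", "").strip() == "pass"
                     and aligned(a.findtext("domain", "").strip(), hfrom, modes[mech])
                     for a in rec.findall(f"auth_results/{mech}"))
            row[mech] = "pass" if ok else "fail"
        row["dmarc"] = "pass" if "pass" in (row["dkim"], row["spf"]) else "fail"
        out.append(row)
    return out
```

Aggregate reports arrive from external senders, so production code should parse them with a hardened XML parser such as defusedxml rather than the plain standard-library parser used here.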
