Hi Matt,
I too thought of the same and scanned the logs. But, there was no email
sent out from @mpipe.net to MX of gator4006.hostgator.com. And, since
all the emails sent from @mpipe.net are DKIM signed. I would expect the
DKIM verification to atleast be successful. However, in this case, I am
guessing, there was no DKIM signature. All this seems to indicate that
it was an unsolicited email.
Also, Considering forwards are being accepted by recipients mail server
irrespective of DMARC policy, wouldn't it be a loop hole in DMARC that
can be easily exploited ?
Is there, by any chance, a provision in DMARC or SPF to mention
authorized forwarders ?
Regards,
-Ashok.
On 02/19/2014 11:18 PM, Matt Simerson wrote:
Hi Ashok,
The most likely explanation is that someone @mpipe.net is sending email *to*
someone that has an email box with an MX of gator4006.hostgator.com
(192.185.4.17). That server receives the email message and then forwards it on
to the recipients mailbox. This is a very common practice, and it looks to the
final recipient as if 192.185.4.17 is sending mail from your domain.
Technically, it is, but forwards are an edge case that the recipients mail
server knows about and decided to pass anyway, despite the DMARC failure.
Matt
On Feb 19, 2014, at 8:33 AM, Dorai Ashok S A <[email protected]> wrote:
Hi,
In the last few months, I have noticed a few unauthorized email messages being accepted
even though DMARC and SPF checks fail. In the DMARC report, reason is mentioned as
"forwarded". I have search around a lot on this and I haven't been able to find
a solution. Hence trying to seek some help here.
Could someone explain what "forwarded" means when DMARC policy is "reject" ? and How do i
enforce the "reject" policy in such cases ?
I have listed down the information I have in the DMARC report below for your
reference,
Policy Published:
<policy_published>
<domain>mpipe.net</domain>
<adkim>s</adkim>
<aspf>s</aspf>
<p>reject</p>
<sp>reject</sp>
<pct>100</pct>
</policy_published>
Record:
<record>
<row>
<source_ip>192.185.4.17</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
<reason>
<type>forwarded</type>
<comment></comment>
</reason>
</policy_evaluated>
</row>
<identifiers>
<header_from>mpipe.net</header_from>
</identifiers>
<auth_results>
<spf>
<domain>mpipe.net</domain>
<result>fail</result>
</spf>
</auth_results>
</record>
NOTE: 192.185.4.17 is an *Unauthorized* sender.
Regards,
-Ashok.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
