> On Jan 26, 2016, at 10:36 AM, John Corey Miller via dmarc-discuss > <[email protected]> wrote: > > We have Google Apps for Business set-up with our domain name for our business. > > Since making the change to fully reject mail that fails dmarc, the number of > messages counted as coming through "Forwarders" on our dmarc reports when run > through this tool https://dmarcian.com/dmarc-xml/ > <https://dmarcian.com/dmarc-xml/> has drastically increased. In many cases > these new "Forwarders" are the same IPs that previously were coming through > as "Threat/Unknown" (clearly fishers.) > > Does this mean that after seeing that google started rejecting their e-mails > they changed something about how they're sending them to attempt to > circumvent these rejections? If so, does any action have to be taken to > prevent this circumvention?
Hi John, FWIW, you can email [email protected] <mailto:[email protected]> with any dmarcian-related questions. I spend a lot of time there answering questions.. which is a bit easier as then I can look & comment about your data! That said, some replies to this thread are likely true. If you're seeing the "forwarded" flag explicitly set, then this means the receiver in question accepted the email regardless of your published policy, as they understand the email to..well, be forwarded. It is not exactly common, but over the past few years certain spammers/phishers have figured out how to exploit servers that are being recognized as "forwarders" by the big players. Once these servers are identified, they try to deliver as much crap as they can before being stopped. And... the cycle continues. A different idea is that "reject" happened after putting in place DKIM signatures. The dmarcian site does a better job identifying "Forwarders" (as a category, and not as a flag in XML) when DKIM is in place. So if you did DKIM and reject at ~same time, this might be a factor. However, if you're seeing junk from all over the world, it's worth dropping a note to [email protected] <mailto:[email protected]> and we'll package up your data along with a note to the bigger players to plug their holes. =- Tim
_______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
