On Fri, 2021-05-21 at 15:06 +0300, Mary via mailop wrote:
> Hello,
>
> I am seeing a lot of DMARC errors with emails coming from tencent.com, I am
> not sure but based on the opendmarc errors I think these emails are
> forwarded via qq.com and the From domain is replaced from @tencent.com to
> @qq.com (keeping the user part intact).
>
> The domain tencent.com has valid SPF+DMARC records, but the qq.com domain
> has no TXT records whatsoever.
>
> Anyone else seen this issue before? Is opendmarc at fault?
>
> -- SAMPLE
> Received: from smtpbg.qq.com (smtpbg552.qq.com [183.3.226.181])
>     (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
>     (No client certificate requested)
>     by my.server.com (Postfix) with ESMTPS id D4ACD5XZ51
>     for <[email protected]>; Fri, 21 May 2021 11:14:12 +0000 (UTC)
> Authentication-Results: my.server.com; dmarc=fail (p=none dis=none)
>     header.from=qq.com
> Authentication-Results: my.server.com; spf=pass [email protected]
> Authentication-Results: my.server.com;
>     dkim=pass (1024-bit key; unprotected) header.d=tencent.com
>     [email protected] header.a=rsa-sha256 header.s=s201512 header.b=Ucwje3sK

It's testing qq.com, not tencent.com. They do appear to have an SPF record, fwiw. Which doesn't help DMARC if they don't replace the envelope sender. They'd have to fix that or add a DKIM sig from qq.com.

Not sure how tencent's DKIM sig passed; that suggests they put the @qq.com in the From:, or else qq re-signed it with a tencent.com key after rewriting the From:. Neither is helpful.

qq.com's DMARC policy is p=none, though. Which is good considering how broken that mail is.
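The identifier-alignment check this thread turns on, as an added example that is not part of either message: it reads Authentication-Results headers and reports whether any passing SPF or DKIM domain aligns with the From: domain. The headers are constructed and modelled on the quoted sample; the `smtp.mailfrom` domain, the `mx.example.net` host and the extra `mail.qq.com` signature are assumptions, and the organizational domain is approximated as the last two labels instead of using the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator derives it from the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, strict=False):
    # Strict alignment needs an exact match; relaxed compares org domains.
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def parse_auth_results(headers):
    """Return header.from and the domains behind spf=pass / dkim=pass."""
    found = {"from": None, "spf": [], "dkim": []}
    for raw in headers:
        body = " ".join(raw.split())  # unfold continuation lines
        m = re.search(r"header\.from=([\w.-]+)", body)
        if m:
            found["from"] = m.group(1)
        for method, tag in (("spf", r"smtp\.mailfrom=(?:[^\s@;]*@)?"),
                            ("dkim", r"header\.d=")):
            if re.search(r"\b%s=pass\b" % method, body):
                found[method] += re.findall(tag + r"([\w.-]+)", body)
    return found

def dmarc_verdict(headers, strict=False):
    # DMARC passes when at least one *passing* mechanism is also aligned.
    f = parse_auth_results(headers)
    spf_ok = any(aligned(f["from"], d, strict) for d in f["spf"])
    dkim_ok = any(aligned(f["from"], d, strict) for d in f["dkim"])
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed headers modelled on the sample in the thread. The smtp.mailfrom
# domain is an assumption: the original address is redacted on the page.
AS_RECEIVED = [
    "Authentication-Results: mx.example.net; dmarc=fail (p=none dis=none)\n\theader.from=qq.com",
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@tencent.com",
    "Authentication-Results: mx.example.net;\n\tdkim=pass (1024-bit key; unprotected) header.d=tencent.com header.s=s201512",
]
# Hypothetical repair: qq.com adds its own DKIM signature (selector made up).
WITH_QQ_DKIM = AS_RECEIVED + [
    "Authentication-Results: mx.example.net; dkim=pass header.d=mail.qq.com header.s=example",
]

if __name__ == "__main__":
    for case in (AS_RECEIVED, WITH_QQ_DKIM):
        print(dmarc_verdict(case), dmarc_verdict(case, strict=True))
```

Both SPF and DKIM pass in the first case, yet DMARC fails because neither authenticated domain matches the From: domain; the added signature aligns only under relaxed mode.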
