On Sun, 21 Feb 2021 17:00:32 +0000 Dominic Raferd wrote: > On 21/02/2021 16:20, Benny Pedersen wrote: > > On 2021-02-21 17:00, RW wrote: > >> On Sun, 21 Feb 2021 14:04:20 +0000 > >> Dominic Raferd wrote: > >> > >>> On 21/02/2021 13:56, RW wrote: > >> > >>> >>> From: "Karen Howard" <ka...@interfacefm.com> > >>> >>> Reply-To: "Karen Howard" <ka...@intrefacefm.com> > >> > >>> Yes this mail passed DMARC > >> > >> How did it pass DMARC when it has the domain being spoofed in the > >> from header? > > > > both domains can have dmarc, but only from header is dmarc tested > > > > and dkim can sign reply-to > and interfacefm.com (like most domains) does not publish a DMARC > policy, so it must pass
But it does: $ dig +short txt _dmarc.interfacefm.com "v=DMARC1; p=none; rua=mailto:postmas...@interfacefm.com"; Presumably interfacefm.com has been hacked, but not to the extent that they can intercept incoming replies.
