: DMARC: SPF Fail, DKIM Pass, Source IP: not mine! This is an odd one: <record> <row> <source_ip>65.20.0.12</source_ip> <count>2</count>
This is an odd one:
<record>
<row>
<source_ip>65.20.0.12</source_ip>
<count>2</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.co.uk</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.co.uk</domain>
<result>pass</result>
</dkim>
<spf>
<domain>mydomain.co.uk</domain>
<result>fail</result>
</spf>
</auth_results>
</record>
I use a combination of my own servers and google to send mail. The source IP is not one of mine or one of Google's - how they hell can DKIM pass?
The reports come from Yahoo. The IP appears to be a mail server for btinternet.com managed by cpcloud.co.uk (Critical Path Inc.) - i know there was some oddness between them in the past with SPF etc. - could it be something to do with that?
The IP is only in the Yahoo DMARC reports. The dates I get the reports are 1 day ahead of emails that were sent to btinternet users.
Is it as simple as i'm sending an email to a bt account, it's getting forwarded/redirected/resent to yahoo and that's flagging the fail?
More posts by @Gretchen104
3 Comments
Sorted by latest first Latest Oldest Best
I have this as well with one of my clients. I have control of the domain mail server (Exchange) (with DKIM being added by dkim-exchange) and smart hosts (Postfix) and we get one or two emails a day always coming via the 65.20.0.12 server. I have checked rules and logs and nobody internally is forwarding their messages to anywhere, so the only thing I can think of is that this is an outgoing email to a client/supplier who is then bouncing the messages on from their BT account to their Yahoo account, maybe without knowing. Either way, I am leaving the SPF for the domain as it is, and letting Yahoo bounce the emails, as maybe that way eventually someone will notice and ask me.
Sorry, forgot to post the resolution to this!
So it was a forwarding thing as suspected but my SPF rules in DNS were overly strict and didn't allow for forwarding - hence SPF failed. Changing from
-all
to
~all
sorted it.
Two things to consider:
Email forwarding happens on the internet. This could be a case of someone running their own @example .org server but then forwarding all email to Yahoo (eventually landing in an @yahoo .com mailbox). People do this all the time 'cause they like the UI of the final destination better or its just easier to manage.
DKIM can survive forwarding if the content of the message remains intact. It is not unusual to see DKIM-passing messages flowing out of weird places on the internet before being reported by DMARC.
In your example, the presence of a DKIM-passing signature from an unknown IP source is a very strong signal that this row of data represents forwarded email.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.