
We are not able to understand the DMARC reports. Below is the one we got from Yahoo.

DMARC Report

<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster@dmarc.yahoo.com</email>
    <report_id>1519264633.286724</report_id>
    <date_range>
      <begin>1519171200</begin>
      <end>1519257599</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.210.47.11</source_ip>
      <count>12</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>woodersmtp.com</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>woodersmtp.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

In this report, SPF and DKIM fail but also pass for the same message. I also don't understand what this "woodersmtp.com" is. It's not my domain.

Overall, I want to know:

  1. What is this "woodersmtp.com", and why are emails from my domain going through it?

  2. How can I make sure SPF and DKIM passes only for legitimate emails?

  3. How can I find the message headers of all these failed emails?

Mickael Maison
pooja

1 Answer


This is almost certainly the result of a compromised email account sending an email (unwittingly supported by their SPF and DKIM mechanisms) but using a forged From: header within the message, suggesting the message is sent from your domain.

  1. woodersmtp.com will probably be an innocent domain with a compromised email account, used by the spammer to send messages with your mydomain.com domain forged as the "From:" header in the message payload.

  2. SPF and DKIM are passing for the forged message, because the sending IP address (198.210.47.11) is the proper address for the real sender woodersmtp.com, which can be seen in the SPF record for that domain: v=spf1 +a +mx +ip4:198.210.47.11 ~all, and the message headers haven't been altered since DKIM was applied. That is why the <auth_results> section of the report shows <result>pass</result> for both DKIM and SPF, since neither of these mechanisms tries to correlate the actual sending domain woodersmtp.com with the forged "From:" header domain mydomain.com.

    Whereas the reported <policy_evaluated> section of the report shows <dkim>fail</dkim> and <spf>fail</spf> because DMARC does recognise that the two domains aren't 'aligned'. Of course DMARC goes on to allow the messages to be delivered because the disposition published in your DMARC policy for mydomain.com is 'p=none', so it will only serve as a method for you to monitor information via the reporting mechanisms you publish in the DMARC record. You could change the disposition to 'p=reject' or 'p=quarantine' to actually enforce the DMARC policy.

  3. You can attempt to get very detailed forensic reports using 'ruf=mailto:you@mydomain.com;' in your DMARC record. This might include the message headers you desire, but bear in mind that this would be a great deal of information for the intermediary mail servers to accumulate and report back, and many providers will consider this onerous, so don't expect Yahoo to necessarily give you the detail you hoped for.

    If you are able to get forensic-level reports, you'd be advised to only enable them during an investigation, because there could potentially be a great deal of reported information over time; better to use 'rua=mailto:you@mydomain.com;' to request aggregate reports for the rest of the time.

HTH

Gavin Jackson
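The distinction the answer draws between <auth_results> (raw SPF/DKIM verdicts for whatever domain actually authenticated) and <policy_evaluated> (those verdicts re-checked for alignment with <header_from>) is exactly what a DMARC verifier computes, and it is easy to reproduce over the aggregate report itself. The following Python script is an added example, not code from the question or the answer: it parses a trimmed copy of the quoted Yahoo report, applies RFC 7489 identifier alignment using the published adkim/aspf modes, and reports whether each source would pass DMARC. The second <record> (source 192.0.2.10, signing domain mail.mydomain.com) is constructed to show relaxed alignment succeeding for a subdomain, and org_domain() is a simplification (last two labels) where real verifiers consult the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample: record 1 is trimmed from the report quoted in the
# question; record 2 is invented to show a subdomain aligning under
# relaxed mode. Not part of the original post.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <report_id>1519264633.286724</report_id>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.210.47.11</source_ip>
      <count>12</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>woodersmtp.com</domain><result>pass</result></dkim>
      <spf><domain>woodersmtp.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>mail.mydomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Simplification: real verifiers use the Public Suffix List (co.uk etc.)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """RFC 7489 identifier alignment.
    mode 's' (strict): authenticated domain must equal the From: domain.
    mode 'r' (relaxed): organizational domains must match (subdomains OK)."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def evaluate_report(xml_text):
    """Recompute DMARC alignment for each <record> in an aggregate report."""
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")  # default per RFC 7489 is relaxed
    aspf = pol.findtext("aspf", "r")
    results = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        # A message may carry several DKIM signatures / SPF identities;
        # DMARC passes if any passing identifier aligns with header From.
        dkim_ok = any(
            d.findtext("result") == "pass"
            and aligned(d.findtext("domain"), header_from, adkim)
            for d in rec.findall("auth_results/dkim")
        )
        spf_ok = any(
            s.findtext("result") == "pass"
            and aligned(s.findtext("domain"), header_from, aspf)
            for s in rec.findall("auth_results/spf")
        )
        results.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": header_from,
            # Who actually authenticated: the real sender, not header From.
            "auth_domains": sorted({e.findtext("domain")
                                    for e in rec.findall("auth_results/*")}),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok,
            "reported_dkim": rec.findtext("row/policy_evaluated/dkim"),
            "reported_spf": rec.findtext("row/policy_evaluated/spf"),
        })
    return results


if __name__ == "__main__":
    for r in evaluate_report(SAMPLE_REPORT):
        verdict = "PASS" if r["dmarc_pass"] else "FAIL (unaligned sender)"
        print(f"{r['source_ip']:>15} x{r['count']:<3} From: {r['header_from']} "
              f"authenticated as {r['auth_domains']} -> DMARC {verdict}")
```

Run against the real report, the first record prints authenticated as ['woodersmtp.com'] and a DMARC FAIL, matching Yahoo's <policy_evaluated> block: the mail was genuinely sent by woodersmtp.com (hence SPF/DKIM pass in <auth_results>), but no passing identifier aligns with mydomain.com. Flipping adkim/aspf to 's' in the sample makes the mail.mydomain.com record fail too, which is the trade-off to weigh before tightening alignment along with moving to p=quarantine or p=reject.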