My guess would be a google groups mailing list, which doesn't rewrite because you're only p=none. It's pretty common for domains to use mailing lists as aliases with gsuite, so sa...@foo.com would be a mailing list and do the resending.
There's several less than ideal things about this in this instance for dmarc reporting, though individually were useful at the time. I'm sure fixing them are down at the bottom of some long list if improvements to make. Brandon On Jun 19, 2017 8:38 AM, "John Wilson via dmarc-discuss" < dmarc-discuss@dmarc.org> wrote: > I suspect this is a relay/autoforward situation. The recipient at > otherdomain.com likely has an autoforward rule configured so when you > send mail to that individual it's routed to some other mailbox. Google > signs the message and modifies the envelope sender when forwarding. > > On Sun, Jun 18, 2017 at 11:26 PM, PenguinWhispererThe . via dmarc-discuss > <dmarc-discuss@dmarc.org> wrote: > >> Hi all, >> >> I've recently set up DMARC, SPF and DKIM. I'm now checking all DMARC >> reports I'm receiving. I've noticed the below entry which looks like an IP >> which is outside my control and is also not of a usual sender (the entries >> that are legit are usually coming from 2 ISP mailservers and I see those >> IPs on a daily basis). So this one entry seems to be off. >> >> Now I wonder what I should conclude from this DMARC entry. >> Is this an email server, which successfully auths (using SPF and DKIM, so >> I can be "assured" it's actually the mailserver intended for >> otherdomain.com?) sending out an email in the name of mydomain.com? >> Note that mydomain.com is doing business with otherdomain.com. So >> perhaps I'm reading this entry incorrectly. However I don't see any >> incoming email for mydomain.com from them at that time which would mean >> this must have been a mail addressed to another domain. >> >> I don't see any reason why this company would need to send emails in name >> of my domain. I know I can change the policy using DMARC to drop such >> emails but nonetheless it seems interesting to investigate what's going on >> here. >> >> Am I interpreting this entry correctly? Thanks a lot in advance. >> >> <record> >> <row> >> <source_ip>w.x.y.z</source_ip> >> <count>4</count> >> <policy_evaluated> >> <disposition>none</disposition> >> <dkim>fail</dkim> >> <spf>fail</spf> >> </policy_evaluated> >> </row> >> <identifiers> >> <header_from>mydomain.com</header_from> >> </identifiers> >> <auth_results> >> <dkim> >> <domain>otherdomain-com.20150623.gappssmtp.com</domain> >> <result>pass</result> >> <selector>20150623</selector> >> </dkim> >> <spf> >> <domain>otherdomain.com</domain> >> <result>pass</result> >> </spf> >> </auth_results> >> </record> >> >> >> >> _______________________________________________ >> dmarc-discuss mailing list >> dmarc-discuss@dmarc.org >> http://www.dmarc.org/mailman/listinfo/dmarc-discuss >> >> NOTE: Participating in this list means you agree to the DMARC Note Well >> terms (http://www.dmarc.org/note_well.html) >> > > > _______________________________________________ > dmarc-discuss mailing list > dmarc-discuss@dmarc.org > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) >
_______________________________________________ dmarc-discuss mailing list dmarc-discuss@dmarc.org http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
