Re: [dmarc-discuss] Fwd: DMARC report interpretation

2017-06-19 Thread Ken O'Driscoll via dmarc-discuss

On Mon, 2017-06-19 at 08:26 +0200, PenguinWhispererThe . via dmarc-discuss
wrote:
> Am I interpreting this entry correctly? Thanks a lot in advance.

It's impossible to tell because you have obfuscated practically all of the
relevant data. You need to include actual IPs and domain names for people
to be able to help you properly.

gappssmtp.com is used by Google for sending email via their cloud offering.
Perhaps there is some cloud instance operated by the second domain name
spoofing your domain name in the From address. Legitimate (but still
misguided) applications for such spoofing can include third party ticketing
systems, invoicing services etc.

Without more information that's my guess.

Ken.

-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com

Need to understand deliverability? Now there's a book:
www.wemonitoremail.com/book
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

Re: [dmarc-discuss] Fwd: DMARC report interpretation

2017-06-19 Thread John Wilson via dmarc-discuss
I suspect this is a relay/autoforward situation. The recipient at
otherdomain.com likely has an autoforward rule configured so when you send
mail to that individual it's routed to some other mailbox. Google signs the
message and modifies the envelope sender when forwarding.

On Sun, Jun 18, 2017 at 11:26 PM, PenguinWhispererThe . via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hi all,
>
> I've recently set up DMARC, SPF and DKIM. I'm now checking all DMARC
> reports I'm receiving. I've noticed the below entry which looks like an IP
> which is outside my control and is also not of a usual sender (the entries
> that are legit are usually coming from 2 ISP mailservers and I see those
> IPs on a daily basis). So this one entry seems to be off.
>
> Now I wonder what I should conclude from this DMARC entry.
> Is this an email server, which successfully auths (using SPF and DKIM, so
> I can be "assured" it's actually the mailserver intended for
> otherdomain.com?) sending out an email in the name of mydomain.com?
> Note that mydomain.com is doing business with otherdomain.com. So perhaps
> I'm reading this entry incorrectly. However I don't see any incoming email
> for mydomain.com from them at that time which would mean this must have
> been a mail addressed to another domain.
>
> I don't see any reason why this company would need to send emails in name
> of my domain. I know I can change the policy using DMARC to drop such
> emails but nonetheless it seems interesting to investigate what's going on
> here.
>
> Am I interpreting this entry correctly? Thanks a lot in advance.
>
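> <record>
>   <row>
>     <source_ip>w.x.y.z</source_ip>
>     <count>4</count>
>     <policy_evaluated>
>       <disposition>none</disposition>
>       <dkim>fail</dkim>
>       <spf>fail</spf>
>     </policy_evaluated>
>   </row>
>   <identifiers>
>     <header_from>mydomain.com</header_from>
>   </identifiers>
>   <auth_results>
>     <dkim>
>       <domain>otherdomain-com.20150623.gappssmtp.com</domain>
>       <result>pass</result>
>       <selector>20150623</selector>
>     </dkim>
>     <spf>
>       <domain>otherdomain.com</domain>
>       <result>pass</result>
>     </spf>
>   </auth_results>
> </record>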
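An added example, not part of any list member's message: it parses the record posted in this thread and shows why `auth_results` can say pass while `policy_evaluated` says fail, namely that DMARC only counts a passing mechanism whose domain aligns with the From domain. Tag names follow the RFC 7489 aggregate report schema; `explain` and `org_domain` are hypothetical names, and `org_domain` assumes a two-label organizational domain instead of consulting the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Record rebuilt from the values posted in the thread (tag names per RFC 7489);
# the IP and domain names are the poster's own placeholders.
RECORD = """<record>
  <row><source_ip>w.x.y.z</source_ip><count>4</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>mydomain.com</header_from></identifiers>
  <auth_results>
    <dkim><domain>otherdomain-com.20150623.gappssmtp.com</domain>
      <result>pass</result><selector>20150623</selector></dkim>
    <spf><domain>otherdomain.com</domain><result>pass</result></spf>
  </auth_results>
</record>"""

def org_domain(name):
    # Simplification (assumption): last two labels. Real code needs the PSL.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def explain(record_xml):
    rec = ET.fromstring(record_xml)
    header_from = rec.findtext("identifiers/header_from")
    out = {"header_from": header_from, "count": int(rec.findtext("row/count"))}
    for mech in ("dkim", "spf"):
        checks = []
        for res in rec.findall(f"auth_results/{mech}"):
            dom = res.findtext("domain")
            passed = res.findtext("result") == "pass"
            aligned = org_domain(dom) == org_domain(header_from)
            checks.append({"domain": dom, "passed": passed, "aligned": aligned})
        # DMARC credits a mechanism only if it passed AND aligns (relaxed mode).
        verdict = "pass" if any(c["passed"] and c["aligned"] for c in checks) else "fail"
        reported = rec.findtext(f"row/policy_evaluated/{mech}")
        out[mech] = {"checks": checks, "dmarc": verdict,
                     "matches_report": verdict == reported}
    # Authenticated as some other domain: typical of forwarding or list resending.
    out["authenticated_but_unaligned"] = all(
        out[m]["dmarc"] == "fail" and any(c["passed"] for c in out[m]["checks"])
        for m in ("dkim", "spf"))
    return out

if __name__ == "__main__":
    from pprint import pprint
    pprint(explain(RECORD))
```
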

Re: [dmarc-discuss] Fwd: DMARC report interpretation

2017-06-20 Thread Brandon Long via dmarc-discuss
My guess would be a google groups mailing list, which doesn't rewrite
because you're only p=none. It's pretty common for domains to use mailing
lists as aliases with gsuite, so sa...@foo.com would be a mailing list and
do the resending.

There are several less than ideal things about this in this instance for
dmarc reporting, though individually they were useful at the time. I'm sure
fixing them is down at the bottom of some long list of improvements to
make.

Brandon

On Jun 19, 2017 8:38 AM, "John Wilson via dmarc-discuss" <
dmarc-discuss@dmarc.org> wrote:

> I suspect this is a relay/autoforward situation. The recipient at
> otherdomain.com likely has an autoforward rule configured so when you
> send mail to that individual it's routed to some other mailbox. Google
> signs the message and modifies the envelope sender when forwarding.