I am trying to understand how SPF and DKIM work (and fail).
I have a domain, majlovesreg.one, that uses Mailgun and contains these TXT DNS records:
v=spf1 include:mailgun.org -all
v=DKIM1; k=rsa; p=**pubkey**
v=DKIM1; k=rsa; p=**pubkey**
v=DKIM1; k=rsa; p=**pubkey**
Mailgun then routes the emails to my Gmail account.
One day I received in Gmail a phishing email supposedly from py@hms.harvard.edu, and I was surprised to see that it was via the majlovesreg.one domain. Checking the original message shows that the email originated from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix). Google's ARC-Authentication-Results, however, shows that the email passed both SPF and DKIM checks.
Question: How could this email pass SPF? How was it possible for it to pass DKIM as well?
For reference, here is the original email:
Delivered-To: #####@gmail.com
Received: by 2002:a2e:6550:0:0:0:0:0 with SMTP id z77csp1970412ljb;
Sat, 14 Sep 2019 06:12:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyy+BjN8TgEiJWD+O7IKWD/n0532Fxhp+f+75ffu4u0JU1esXRPEme/DcG7RaYnlDiaMUW8
X-Received: by 2002:a9d:3f26:: with SMTP id m35mr46049370otc.66.1568466733949;
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568466733; cv=none;
d=google.com; s=arc-20160816;
b=KDIT95EakaPqwYj0OF6116ReXWrEwoqTDfWySmCU35uwaP1F09vv/zAsThE/ziMF9h
iXFoXiNdBH2kGE1iGufqDyK/zm7AUsDRTLdFi5lRG3r326P2HylYdU7K6tnzwIOv/v+E
meyuyWNVShq3nTKZEyiDBJg2pnoMrSOrNTghmnD2txnvvEmyLqiAE1MwHWI1AmedBTQ8
xR0XS2DSsEr066m+5Iu2Yb3bjJIQNu1/8tcL6g+dy9XgQXagj3gdmKQoZKfOgK4K8b/g
PUynWvl0on1vauSG72JfucvljjgdWuVSHAKDAepVm4EpdCEcdV41mv74Q/FQfrB1KAyh
ZfwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:subject:date:reply-to:to:from
:mime-version:message-id:dkim-signature;
bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=;
b=aLF5hABuvBtaw58MtyXDMyjkhZiCSlp/1Hn5Cv9pHDLTvFTlwVRSCBy1B3sjQEzdiy
LYRXcb5Ne/aii7bBxFSnkZRv5wt+csct6lGJ1BjEXL2rU3ZXF1CZQDMhS+Lge2jle8pO
6n2eZ/9bQlWnzIgO95NG/mD0+eMJt2j43eC8JRcMYIYB480xEOENTb5Tv8isqvOnV7P6
3cI3rctDup6kDv1jYXNkNuwSdk4f3BDfbMt5YQoJIeT3gdSI3jcC/0VCGzRb7yQ66uLL
gfjKKpUuLnwB9CvoOdRMr7uJViLmO9rBoKn7MuRzz2wo/e5L5I7pieJrslsSQYGO7EYG
Df2A==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
Return-Path: <bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one>
Received: from m42-1.mailgun.net (m42-1.mailgun.net. [69.72.42.1])
by mx.google.com with UTF8SMTPS id h16si3134596oie.262.2019.09.14.06.12.12
for <#####@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) client-ip=69.72.42.1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=majlovesreg.one; q=dns/txt; s=k1; t=1568466733; h=Content-Transfer-Encoding: Content-Type: Subject: Date: Reply-To: To: From: MIME-Version: Message-Id; bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=; b=IcrRZKl90xBY0yfOeKwqDhszwGRipiYn+KphrsykgMkctgkr2oRQ++eHjHm49YdfeHDoq0vu 7NV0/kpVaYewb0NWBAxDu8cTC2lU1g/+HOA0d/uA+R4p4BBc24TazKfhU3p+BrtOBD6PfqIl qtjepy/cO+127GcSAg6uWxVXKUA=
X-Mailgun-Sending-Ip: 69.72.42.1
X-Mailgun-Incoming: Yes
Message-Id: <20190914131206.1.5A38D163B017E082@hms.harvard.edu>
X-Envelope-From: <py@hms.harvard.edu>
Received: from newsgw-02.dd24.net (newsgw-02.dd24.net [193.46.215.84]) by mxa.mailgun.org with ESMTP id 5d7ce726.7f54a6062110-smtp-in-n01; Sat, 14 Sep 2019 13:12:06 -0000 (UTC)
Received: from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix) with ESMTPA id 1C9095FE52 for <#####@majlovesreg.one>; Sat, 14 Sep 2019 13:11:49 +0000 (UTC)
MIME-Version: 1.0
From: Monika Majewska <py@hms.harvard.edu>
To: #####@majlovesreg.one
Reply-To: manager@azibulon-group.com
Date: 14 Sep 2019 06:12:04 -0700
Subject: New Order Inquiry
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
<P>Hello,</P>
<P>We have sent several emails to you, but no response</P>
<P>Please let me know if #####@majlovesreg.one is the correct email to place =
an order</P>
<P>I'm sorry for any inconvenience, if it's not your sales email, let me kn=
ow and i won't send any more email.</P>
<P>Hope to get your response this time.</P>
<P><SPAN style=3D'FONT-SIZE: 13px; FONT-FAMILY: "Helvetica Neue", "Segoe UI=
", Helvetica, Arial, "Lucida Grande", sans-serif; WHITE-SPACE: normal; WORD=
-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT-WEIGHT: 700; COLOR: =
rgb(29,34,40); FONT-STYLE: normal; TEXT-ALIGN: left; ORPHANS: 2; WIDOWS: 2;=
DISPLAY: inline !important; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(=
255,255,255); TEXT-INDENT: 0px; font-variant-ligatures: normal; font-varian=
t-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-style: init=
ial; text-decoration-color: initial'>Monika Majewska</SPAN></P>
<P>Sales Manager | Europe Region<BR>Azibulon Group<BR>Tel.: +49 901-9=
29-3401 - Ext.3<BR>Fax.: +49 901-929-3402</P>
Odd. Perhaps the sender is also using Mailgun, and while Mailgun is legit for you as a sender, the fact that you have allowed them to send for you via SPF, and that they do DKIM signing for you, suggests that Mailgun may not separate those permissions from other users of Mailgun. I suggest asking Mailgun support about it. I'd also recommend changing your SPF default mechanism to ~all and setting up a DMARC record with p=reject so that you can enforce From header matches too; that would have prevented this case.
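As an added example (not code from the question or the answer), here is a small DMARC identifier-alignment check in Python, run over a shortened reconstruction of the headers shown above; it assumes the organizational domain is the last two labels (a real verifier consults the Public Suffix List). DMARC compares the domain that SPF and DKIM actually authenticated with the domain in the From: header, which is why both checks can pass for majlovesreg.one while the message is still unaligned with hms.harvard.edu.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the headers from the question; the comment inside
# Authentication-Results is shortened and the mailbox name is replaced.
PHISH = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
 spf=pass (google.com: 69.72.42.1 permitted) smtp.mailfrom="bounce+120cd3.e8b324-user=gmail.com@majlovesreg.one"
From: Monika Majewska <py@hms.harvard.edu>
To: user@majlovesreg.one

body
"""

def org_domain(domain):
    """Organizational domain, approximated here as the last two labels
    (assumption: a real implementation uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """DMARC alignment: strict needs an exact match, relaxed only needs the
    same organizational domain (RFC 7489, section 3.1)."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(raw, strict=False):
    """What DMARC would conclude for a message, reusing the SPF and DKIM
    verdicts already recorded in its Authentication-Results header."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    ar = " ".join(msg.get_all("Authentication-Results", []))
    # SPF authenticates the envelope sender (smtp.mailfrom), not the From: header.
    spf = re.search(r'spf=(\w+).*?smtp\.mailfrom="?[^"\s;]*@([^"\s;]+)', ar, re.S)
    # DKIM authenticates the signing domain (header.d / header.i), here Mailgun's k1 key.
    dkim = re.search(r'dkim=(\w+).*?header\.[id]=@?([^\s;]+)', ar, re.S)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_domain, strict)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(dkim.group(2), from_domain, strict)
    return {
        "from_domain": from_domain,
        "spf_domain": spf.group(2) if spf else None,
        "dkim_domain": dkim.group(2) if dkim else None,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,  # DMARC passes if either identifier aligns
    }

if __name__ == "__main__":
    print(dmarc_evaluate(PHISH))
```

Because the From: domain is hms.harvard.edu, it is that domain's DMARC policy a receiver would apply to this message; the same check against a message whose From: is at majlovesreg.one returns dmarc_pass True.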