While testing my domain against mail spoofing, I have noticed strange behaviour of PMG (postfix as well I guess).
Tool used: https://dmarc-tester.com/
Tried to spoof my mail.
Test 1:
From: my corporate mail
to: my private gmail.
Mail didn't arrive.
Test 2:
From: my corporate mail
To: my corporate mail (over PMG)
Mail arrived.
Test 3:
easydmarc.com
Non-compliant | Is your brand domain protected by DMARC? |
My SPF record:
v=spf1 ip4:157.90.xx.yy ip4:88.198.xx.yy -all
DMARC:
v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:xxx@yyy.com;ruf=mailto:xxx@yyy.com;fo=0:1:d:s
My SPF record allows only these 2 IP addresses to be used to send mail. The DMARC record policy is to reject all non-compliant messages.
Here are the headers
Code:
From user@domain.mk Wed Jun 29 20:09:28 2022
Return-Path: <bounces-51598306-user=domain.mk@aa.d.sender-sib.com>
X-Original-To: user@domain.mk
Delivered-To: user-domain.mk@sao.live.net.mk
Received: from thanatos.live.net.mk (thanatos.live.net.mk [157.90.204.74])
by sao.live.net.mk (Postfix) with ESMTPS id 270F91C0280
for <user@domain.mk>; Wed, 29 Jun 2022 20:09:28 +0000 (UTC)
Authentication-Results: sao.live.net.mk; dkim=pass (1024-bit key;
unprotected) header.d=sendinblue.com header.i=@sendinblue.com
header.a=rsa-sha256 header.s=mail header.b=kWU+GuMC; dkim-atps=neutral
Received: from thanatos.live.net.mk (localhost.localdomain [127.0.0.1])
by thanatos.live.net.mk (Proxmox) with ESMTP id 0BECB60F3E
for <user@domain.mk>; Wed, 29 Jun 2022 22:09:28 +0200 (CEST)
Received-SPF: pass (aa.d.sender-sib.com: Sender is authorized to use
'bounces-#-user=domain.mk@aa.d.sender-sib.com' in 'mfrom' identity
(mechanism 'include:spf.sendinblue.com' matched))
receiver=thanatos.live.net.mk; identity=mailfrom;
envelope-from="bounces-#-user=domain.mk@aa.d.sender-sib.com";
helo=aa.d.sender-sib.com; client-ip=185.41.28.128
Received: from aa.d.sender-sib.com (aa.d.sender-sib.com [185.41.28.128])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
SHA256) (No client certificate requested) by thanatos.live.net.mk (Proxmox)
with ESMTPS id 7099360F2B for <user@domain.mk>; Wed, 29 Jun 2022
22:09:24 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendinblue.com;
q=dns/txt; s=mail; bh=bWNIRE/OIQJ8GsfVscnBOkPpvbU+1adgDpnjCPXH604=;
h=from:subject:date:to:mime-version:content-type:list-unsubscribe:x-csa-complaints:list-unsubscribe-post;
b=kWU+GuMCDvYMA7w3GgADGsxP2T0S/TP1dDdjlDLrAZ6puLsmMUfC6BG0dGUtc4paFQQ6wsSq+6d2
Gd0NBEspMz//MLQbiaoR4uzaIIlO32fxMQh1bYzCIFLOuqXMv5S+AAaxCA8Ogj+jvpIN4toQzs6I
8tNF3QRvHaAW+Gf2poM=
X-Mailin-EID:
NTE1OTgzMDZ%2Bc29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI%2BfmFhLmQuc2VuZGVyLXNpYi5jb20%3D
To: <user@domain.mk>
Date: Wed, 29 Jun 2022 20:09:16 +0000
Subject: Is your brand domain protected by DMARC?
Message-Id: <348a15b3-8dc7-4fe7-8728-363b61fa1fd1@smtp-relay.sendinblue.com>
Origin-messageId: <202206292209.29062086266@smtp-relay.mailin.fr>
Content-Type: multipart/alternative; boundary="--_SiB-755f3ec5a3f89a6d-Part_1"
MIME-Version: 1.0
X-sib-id:
NvL6Oww6UqzJPXBn1rHeFibLs9XNv9P40HdQhkbl6cR7uFoUgV0taOCRum-AvbUEhNJh6_F5fWDBhiz_Bdmbi148Wwg9QE2e9FRTg9IeZWDV292Jy2JYIv15X9oMQ3Nt4ODKxH8wicqJbUL8LQClCzggb_ZTFWq4wh-lwlBeNm-C2kc
X-CSA-Complaints: whitelist-complaints@eco.de
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Feedback-ID: 185.41.28.128:1534416_-1:1534416:Sendinblue
From: "My Name" <user@domain.mk>
List-Unsubscribe:
<mailto:unsubscribe-t@aa.d.sender-sib.com?subject=unsub-NTE1OTgzMDZ-c29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI-fkRhbGlib3IgU29qaWMgPHNvamljQGxpdmVuZXR3b3Jrcy5taz5-MzQ4YTE1YjMtOGRjNy00ZmU3LTg3MjgtMzYzYjYxZmExZmQx&body=NTE1OTgzMDZ-c29qaWNAbGl2ZW5ldHdvcmtzLm1rfjwyMDIyMDYyOTIyMDkuMjkwNjIwODYyNjZAc210cC1yZWxheS5tYWlsaW4uZnI-fkRhbGlib3IgU29qaWMgPHNvamljQGxpdmVuZXR3b3Jrcy5taz5-MzQ4YTE1YjMtOGRjNy00ZmU3LTg3MjgtMzYzYjYxZmExZmQx>,
<https://bfdeebg.r.bh.d.sendibt3.com/tr/un/li/gPvlMzPy9CwRImzRl0hxgSzrg0aZO9FYPMvkG3o4mJKGindtpZwgJtnoYVf53RJUvlQiRSAy8GyzB1mUuVMa-O6TgXrvDXDxVUISU7a9W8kaUcONrnkDBWUaVm1kqayWEeBCwxioPQUzNHpy8Ch4ZWi088NQgALDJzq28ZR8TSVzj6BvQeYfgi3JxwC1sWPyDzTNOSOSMF60MtoAca1kOSZ3SPwyy_SreNMcyMtepeNB1tXNfzElsn1z7TG_36ia3VqSw0w>
X-SPAM-STATUS: Spam detection results: 1 BAYES_00 -1.9
Bayes spam probability is 0 to 1% DKIMWL_WL_MED -0.001 DKIMwl.org
- Medium trust sender DKIM_SIGNED 0.1 Message has a DKIM or
DK signature, not necessarily valid DKIM_VALID -0.1 Message
has at least one valid DKIM or DK signature HEADER_FROM_DIFFERENT_DOMAINS
0.249 From and EnvelopeFrom 2nd level mail domains are different
HTML_MESSAGE 0.2 HTML included in message HTTPS_HTTP_MISMATCH
0.1 - KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure
with Strict Alignment KAM_REALLYHUGEIMGSRC 0.5 Spam with image tags
with ridiculously huge http urls RCVD_IN_MSPIKE_H2 -0.001 Average
reputation (+2) RCVD_IN_UCEPROTECT1 1.5 Listed at
dnsbl-1.uceprotect.net RCVD_IN_UCEPROTECT2 1 Network listed at
dnsbl-2.uceprotect.net SPF_HELO_PASS -0.001 SPF: HELO matches SPF
record SPF_PASS -0.001 SPF: sender matches SPF record
T_SCC_BODY_TEXT_LINE -0.01 -
X-SPAM-SCORE: 1
X-SPAM-LEVEL: *
How did PMG validate the DMARC/SPF?
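The headers above show why the message should not have survived a DMARC check even though both SPF and DKIM "passed": SPF passed for the envelope sender domain aa.d.sender-sib.com and DKIM passed for d=sendinblue.com, but neither identifier aligns with the From: domain domain.mk, and the record demands strict alignment (aspf=s, adkim=s). The script below, an added example and not PMG's or Proxmox's code, re-runs that alignment logic over a constructed excerpt of the quoted headers; it trusts the Authentication-Results and Received-SPF lines written by the receiving MTA and uses a simplified organizational-domain rule instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the headers quoted in the post (folded lines keep
# their leading whitespace; long signature/ID values are shortened).
RAW = """Return-Path: <bounces-51598306-user=domain.mk@aa.d.sender-sib.com>
Authentication-Results: sao.live.net.mk; dkim=pass (1024-bit key;
 unprotected) header.d=sendinblue.com header.i=@sendinblue.com
Received-SPF: pass (aa.d.sender-sib.com: Sender is authorized)
 receiver=thanatos.live.net.mk; identity=mailfrom;
 envelope-from="bounces-#-user=domain.mk@aa.d.sender-sib.com";
DKIM-Signature: v=1; a=rsa-sha256; d=sendinblue.com; s=mail; b=kWU+GuMC
From: "My Name" <user@domain.mk>
To: <user@domain.mk>

(body omitted)
"""
DMARC = "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s"

def parse_tags(value):
    """Split a 'k=v;k=v' tag list (DMARC record, DKIM-Signature)."""
    return dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)

def org_domain(domain):
    # Simplification: last two labels. Real checkers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """RFC 7489 alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(raw, record):
    msg = message_from_string(raw)
    policy = parse_tags(record)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    # SPF only counts if the MAIL FROM identity passed AND aligns with From:
    spf = msg.get("Received-SPF", "")
    m = re.search(r'envelope-from="?([^";\s]+)', spf)
    spf_aligned = bool(m) and spf.lstrip().lower().startswith("pass") and \
        aligned(m.group(1).rsplit("@", 1)[1], from_domain, policy.get("aspf", "r"))
    # DKIM only counts if a signature verified AND its d= aligns with From:
    ar = msg.get("Authentication-Results", "")
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", ar, re.S)
    dkim_aligned = bool(m) and aligned(m.group(1), from_domain, policy.get("adkim", "r"))
    result = "pass" if spf_aligned or dkim_aligned else "fail"
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "result": result,
            "disposition": "none" if result == "pass" else policy.get("p", "none")}
```

Running `dmarc_verdict(RAW, DMARC)` yields a DMARC fail with disposition reject, which is the decision a DMARC-enforcing receiver would have made regardless of the SPF_PASS and DKIM_VALID SpamAssassin hits.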