DMARC Fail but mail ends up in Inbox

I was testing the filtering policies of MIAB by sending mail through my ISP’s email server with a From: and Envelope Sender address in my domain.

The mail ended up in my Inbox despite being marked correctly with a DMARC fail.

Authentication-Results: box.timothydutton.co.uk; dmarc=fail header.from=timothydutton.co.uk

Admittedly the From: and the To: addresses were both for the actual email address for the account.

e.g.

mail from: <joebloggs@timothydutton.co.uk>
rcpt to: <joebloggs@timothydutton.co.uk>

From: <joebloggs@timothydutton.co.uk>
To: <joebloggs@timothydutton.co.uk>

Note: Not my real email address.

Ravenstar68

Edit - I note also that there are no SPF check results showing in the trace headers.

I’ve done some testing with an ntlworld.com customer today and although the DMARC shows as fail the mail still ended up in my inbox.

For the record here’s Virgin Media’s current DMARC policy for ntlworld.com

_dmarc.ntlworld.com.    900     IN      TXT     "v=DMARC1; p=quarantine; rua=mailto:dmarc-uk-rua@upcmail.net,mailto:jn2qdxcl@ag.dmarcian-eu.com; ruf=mailto:jn2qdxcl@fr.dmarcian-eu.com;"

And here’s the relevant headers from the inbound mail.

Return-Path: SRS0=CbP/0T=BO=ntlworld.com=bikeart@srs.bis711.eu.blackberry.com
Delivered-To: me@ravenstar68.co.uk
Received: from box.timothydutton.co.uk ([127.0.0.1])
by box.timothydutton.co.uk (Dovecot) with LMTP id jxGgOW8u41kONgAAqnml9w
for me@ravenstar68.co.uk; Sun, 15 Oct 2017 10:46:23 +0100
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
box.timothydutton.co.uk
X-Spam-Level:
X-Spam-Status: No, score=-6.3 required=5.0 tests=BODY_URI_ONLY,
FSL_HELO_BARE_IP_2,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H2 autolearn=ham
autolearn_force=no version=3.4.0
X-Spam-Report:
    *  -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at http://www.dnswl.org/, high
    *      trust
    *      [178.239.85.8 listed in list.dnswl.org]
    *  -2.8 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2)
    *      [178.239.85.8 listed in wl.mailspike.net]
    *   1.5 FSL_HELO_BARE_IP_2 No description available.
    *   0.0 BODY_URI_ONLY Message body is only a URI in one line of text or for
    *      an image

Received: from smtp03.bis7.eu.blackberry.com (smtp03.bis7.eu.blackberry.com [178.239.85.8])
by box.timothydutton.co.uk (Postfix) with ESMTP id 7C9191203A1
for me@ravenstar68.co.uk; Sun, 15 Oct 2017 10:46:22 +0100 (BST)
Authentication-Results: box.timothydutton.co.uk; dmarc=fail header.from=ntlworld.com
Received: from b2.c1.bise711.blackberry ([192.168.0.102])
by srs.bis711.eu.blackberry.com (8.13.7 TEAMON/8.13.7) with ESMTP id v9F9kLNv013232
for me@ravenstar68.co.uk; Sun, 15 Oct 2017 09:46:21 GMT
Received: from 172.19.195.191 (cmp21.c1.bise711.blackberry [172.19.195.191])
by b2.c1.bise711.blackberry (8.13.7 TEAMON/8.13.7) with ESMTP id v9F9kLCW006514
for me@ravenstar68.co.uk; Sun, 15 Oct 2017 09:46:21 GMT

Can anyone assist with explaining this behaviour?

Thanks in advance

Tim

We don’t reject mail because of SPF/DMARC failures.

Can you explain why?

The DMARC specification mandates the use of both SPF and DKIM, with, for example, a DKIM pass superseding an SPF fail.

I know about the issues caused by email forwarders.

Failures in legitimate mail are still somewhat common, and no one has taken the time to a) investigate whether this will do more good than harm, and b) actually implement it.

The problem is that SPF on its own is not enough to deal with mail forwarders. In fact, reading the DMARC RFC makes me realise that some solutions that were considered in the original SPF specifications are no longer valid.

For instance:

SPF was set up to be run against the mail from: address of the SMTP transaction. A way of mitigating this was to encourage forwarders to use sender address rewriting. Certainly, under the SPF RFCs that email should have passed, as the mail from: address was that of Blackberry's servers, which from the address shown are actually employing sender rewriting.

However, the DMARC specification moves the SPF check so it's done against the author's email address, i.e. the address in the From: field. The problem is that the mail was never put through Virgin Media's SMTP servers in the first place, as if it had, there would be a valid DKIM signature. This means that SRS is no longer a valid way for mail forwarders to overcome the faults in SPF itself.

However, failure to quarantine the mail does mean that it's still possible for spammers to spoof the domain, so while I understand your thoughts, I do think the decision needs reviewing, as unwary users might take comfort in the fact that the mail ended up in their inbox and be less cautious than they should be.

Tim

As I said, someone has to put in the time to do the research to determine if it’s going to do more good than harm. This isn’t something you can determine just by reading RFCs.

I have done a little more checking. And I’ve decided to enable rejects in the opendmarc.conf file. I appreciate that this will change the next time Mail-In-A-Box is updated. But I want to try it out.

I have a yahoo.co.uk email address and I set up forwarding from a Virginmedia.com address to one of my own personal domain addresses.

I then sent a mail from Yahoo to Virgin Media and the copy arrived in my inbox with a DMARC pass due to the DKIM still being correct.

I did then send a mail manually through smtp.blueyonder.co.uk with a From: address and mail from: address of my yahoo.co.uk address. With the reject policy enabled the mail was bounced as per Yahoo's DMARC policy.

The real research that needs doing, though, is just how many domains currently have DKIM enabled. I know some think of it as a waste of time. Certainly if they ONLY use SPF and DMARC together, they're in for a world of hurt.
From what I can see, for anti-spoofing to work properly:
Messages must be DKIM signed by the author's domain.
SPF needs to be set to catch spoofed messages from third-party servers, as these are not likely to be DKIM signed, so the DKIM check would be neutral.

Tim
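The alignment argument made above (an SRS-rewritten envelope passes SPF but cannot satisfy DMARC, because DMARC judges SPF against the From: domain) and the three outcomes reported in the last post (SRS forward fails, a forward that keeps Yahoo's DKIM signature passes, a third-party spoof fails and is rejected) can be walked through with the evaluator below. It is an added example, not Mail-in-a-Box or OpenDMARC code. The ntlworld.com record is the one quoted in the thread; the p=reject record, the envelope domains and the SPF verdicts for each scenario are constructed from the quoted headers and are assumptions, and `org_domain()` is a deliberate simplification of the Public Suffix List that only knows a handful of two-label suffixes such as co.uk.

```python
"""DMARC alignment walk-through (added example; not MIAB or OpenDMARC code).

RFC 7489 rules applied here:
  * the policy consulted is that of the RFC5322.From (header From:) domain;
  * SPF counts only if it passed AND its checked domain (RFC5321.MailFrom) is
    aligned with From:, so an SRS-rewritten envelope passes SPF but not DMARC;
  * DKIM counts only if a verified signature's d= domain is aligned;
  * one aligned pass gives dmarc=pass, otherwise the record's p= decides.
Because the SPF verdict is an input, a DMARC check with no SPF result can only
pass on DKIM.
"""
from dataclasses import dataclass

# Assumption: tiny stand-in for the Public Suffix List (real code must use the PSL).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "me.uk", "com.au", "co.nz"}


def org_domain(domain: str) -> str:
    """Organizational domain (RFC 7489 s3.2), simplified: public suffix + one label."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying the adkim/aspf defaults."""
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


@dataclass(frozen=True)
class AuthInputs:
    header_from: str          # domain of the RFC5322.From address
    mail_from: str            # domain of RFC5321.MailFrom, after any SRS rewrite
    spf_result: str           # SPF verdict for mail_from: "pass", "fail", "none", ...
    dkim_pass_domains: tuple  # d= values of signatures that verified


def evaluate_dmarc(msg: AuthInputs, record_txt: str) -> tuple:
    """Return (dmarc_result, disposition) following RFC 7489 s6.6.2 and s6.3."""
    tags = parse_dmarc(record_txt)
    spf_aligned_pass = (msg.spf_result == "pass"
                        and aligned(msg.header_from, msg.mail_from, tags["aspf"]))
    dkim_aligned_pass = any(aligned(msg.header_from, d, tags["adkim"])
                            for d in msg.dkim_pass_domains)
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none"
    return "fail", tags.get("p", "none")


# Record quoted in the thread for ntlworld.com.
NTLWORLD_RECORD = ('"v=DMARC1; p=quarantine; rua=mailto:dmarc-uk-rua@upcmail.net,'
                   'mailto:jn2qdxcl@ag.dmarcian-eu.com; ruf=mailto:jn2qdxcl@fr.dmarcian-eu.com;"')
# Constructed p=reject record standing in for the policy that caused the bounce
# (assumption: this is not the published yahoo.co.uk record).
REJECT_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

# Scenario 1 (constructed from the quoted headers): ntlworld.com From:, forwarded by
# BlackBerry with an SRS-rewritten envelope. Assume SPF passes for BlackBerry's host;
# no DKIM, because the mail never went through Virgin Media's servers.
FORWARDED_VIA_SRS = AuthInputs("ntlworld.com", "srs.bis711.eu.blackberry.com", "pass", ())

# Scenario 2 (constructed): Yahoo -> Virgin Media forward -> own domain. Envelope is
# the forwarder's (assumed SPF pass), but Yahoo's DKIM signature survived intact.
FORWARDED_WITH_DKIM = AuthInputs("yahoo.co.uk", "virginmedia.com", "pass", ("yahoo.co.uk",))

# Scenario 3 (constructed): spoof via a third-party relay with yahoo.co.uk as both From:
# and MailFrom. Assume the relay is not in the domain's SPF record; no DKIM.
SPOOF_VIA_THIRD_PARTY = AuthInputs("yahoo.co.uk", "yahoo.co.uk", "fail", ())


if __name__ == "__main__":
    for name, msg, rec in [("SRS forward", FORWARDED_VIA_SRS, NTLWORLD_RECORD),
                           ("DKIM survives forward", FORWARDED_WITH_DKIM, REJECT_RECORD),
                           ("third-party spoof", SPOOF_VIA_THIRD_PARTY, REJECT_RECORD)]:
        result, disposition = evaluate_dmarc(msg, rec)
        print(f"{name:22s} dmarc={result:4s} disposition={disposition}")
```

The evaluator only produces the disposition; whether the receiving MTA acts on it is a separate, local decision, which is exactly the point in dispute in the thread. In OpenDMARC that decision is the `RejectFailures` directive in opendmarc.conf (false by default); nothing in the example depends on it.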