SPF/DMARC Insanity Check

Soldato · Joined 3 Jun 2005 · Posts 3,286 · Location: The South
Hi all,

I've inherited a small Office 365 setup and users are complaining about the spam, which is fairly light from what I've seen.
However, a lot of the spam is the FROM-field spoofing type, and O365 decides to route these through Exclaimer (signatures), which adds to the 'panic'.

SPF and DMARC records are set and DKIM is enabled (need to double-check the selectors are set correctly), but just for my insanity, does anyone see any glaring issues with the records below?

Code:
v=spf1 a mx ip4:{webserver_ip*} ip4:{office_ip*} include:spf.protection.outlook.com include:spf.exclaimer.net include:trustpilotservice.com -all
Code:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@{companydomain.com}
* For reference, there is an SMTP connector set up (with the webserver and office IPs whitelisted) for office equipment and (I presume) for their website to use.

The only thing I can see is that the email domain's A record points to the webserver IP address, so I'm guessing the 'ip4:{webserver_ip*}' is surplus to requirements?

Thanks! :)
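The question in the post above (is `ip4:{webserver_ip}` redundant when the domain's A record already points at the webserver, and is the record otherwise sane?) can be checked offline. The following is an added example, not code from the thread or from any vendor: it implements the subset of RFC 7208 the record actually uses (`ip4`, `a`, `mx`, `include`, `all`, with qualifiers) plus RFC 7208's limit of 10 DNS-lookup terms, evaluated against a small stubbed zone so it runs without network access. All IP addresses and the contents of the included records are constructed placeholders; the real `spf.protection.outlook.com`, `spf.exclaimer.net` and `trustpilotservice.com` records are larger and nest further includes, so the real lookup count is higher than this zone shows.

```python
"""Offline SPF/DMARC sanity check for the records quoted in the post.

Added example, not from the thread. Subset of RFC 7208 (ip4, a, mx, include,
all, qualifiers) and the 10-lookup limit, run against a constructed zone.
"""
import ipaddress

OUR_DOMAIN = "companydomain.com"
WEBSERVER_IP = "203.0.113.10"   # constructed stand-in for {webserver_ip}
OFFICE_IP = "198.51.100.20"     # constructed stand-in for {office_ip}
LOOKUP_LIMIT = 10               # RFC 7208 s4.6.4: a, mx, include, exists, redirect, ptr

SPF_RECORD = (
    f"v=spf1 a mx ip4:{WEBSERVER_IP} ip4:{OFFICE_IP} "
    "include:spf.protection.outlook.com include:spf.exclaimer.net "
    "include:trustpilotservice.com -all"
)

# Constructed zone: (name, type) -> list of rdata strings. The included
# records are placeholders, far smaller than the real ones.
ZONE = {
    (OUR_DOMAIN, "TXT"): [SPF_RECORD],
    (OUR_DOMAIN, "A"): [WEBSERVER_IP],            # the A record the poster mentions
    (OUR_DOMAIN, "MX"): ["companydomain-com.mail.protection.outlook.com"],
    ("companydomain-com.mail.protection.outlook.com", "A"): ["192.0.2.5"],
    ("spf.protection.outlook.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("spf.exclaimer.net", "TXT"): ["v=spf1 ip4:203.0.113.128/25 -all"],
    ("trustpilotservice.com", "TXT"): ["v=spf1 ip4:198.51.100.128/25 ~all"],
    ("_dmarc." + OUR_DOMAIN, "TXT"): [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@" + OUR_DOMAIN
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _hosts_a(zone, name):
    return [ipaddress.ip_address(a) for a in zone.get((name, "A"), [])]


def check_host(ip, domain, zone=ZONE, counter=None):
    """Evaluate SPF for sending address `ip` claiming `domain`.

    Returns (result, lookups_used); result is pass, fail, softfail, neutral,
    none or permerror. `counter` is shared through include: recursion so the
    10-lookup limit applies to the whole evaluation.
    """
    counter = counter if counter is not None else [0]
    records = [r for r in zone.get((domain, "TXT"), []) if r.split()[0] == "v=spf1"]
    if not records:
        return "none", counter[0]
    if len(records) > 1:
        return "permerror", counter[0]       # RFC 7208 s3.2: multiple records
    addr = ipaddress.ip_address(ip)

    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = arg or domain

        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                return "permerror", counter[0]   # too many DNS-lookup terms
            if mech == "a":
                matched = addr in _hosts_a(zone, target)
            elif mech == "mx":
                matched = any(addr in _hosts_a(zone, mx)
                              for mx in zone.get((target, "MX"), []))
            else:
                sub, _ = check_host(ip, target, zone, counter)
                if sub in ("permerror", "none"):
                    return "permerror", counter[0]
                matched = sub == "pass"          # include matches only on pass
        else:
            return "permerror", counter[0]       # mechanism outside this subset

        if matched:
            return QUALIFIER_RESULT[qualifier], counter[0]
    return "neutral", counter[0]                 # nothing matched, no 'all'


def check_with_record(ip, record, zone=ZONE):
    """Re-run the check with a trial SPF record for OUR_DOMAIN."""
    trial = dict(zone)
    trial[(OUR_DOMAIN, "TXT")] = [record]
    return check_host(ip, OUR_DOMAIN, trial)


def parse_dmarc(txt):
    """Split a DMARC TXT record into tags; pct defaults to 100 (RFC 7489 s6.3)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("pct", "100")
    return tags


if __name__ == "__main__":
    trimmed = SPF_RECORD.replace(f" ip4:{WEBSERVER_IP}", "")
    for label, ip, rec in [
        ("webserver, full record", WEBSERVER_IP, SPF_RECORD),
        ("webserver, ip4 term removed", WEBSERVER_IP, trimmed),
        ("office IP", OFFICE_IP, SPF_RECORD),
        ("unlisted host", "203.0.113.50", SPF_RECORD),
    ]:
        print(f"{label:30} -> {check_with_record(ip, rec)}")
    print(parse_dmarc(ZONE[("_dmarc." + OUR_DOMAIN, "TXT")][0]))
```

With the constructed zone the webserver passes on the first term (`a`) whether or not the `ip4:` entry is present, the office IP is reached only by its `ip4:` entry (it is neither the A nor the MX host), and an unlisted host walks all three includes before hitting `-all`, using 5 of the 10 permitted lookup terms. Against the real includes the count is higher, which is the thing worth checking before adding any further `include:` terms.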
 
You don't need the pct=100 tag in the DMARC record if you're happy with a full reject policy.

I'd be checking if the DKIM selector is set up correctly.

If you do this from one of their email addresses what results are you getting back? https://www.mail-tester.com/
 
Just checked the DKIM selector CNAME records and both selectors appear to be correct; however, I did make the change to the DMARC record -
Code:
_dmarc.companydomain.com 3600 IN TXT "v=DMARC1;p=reject;rua=mailto:dmarc@{companydomain.com}"


And mail-tester.com returned a 10/10 score and says DKIM and DMARC are both valid.

One thing I did spot, however, on the DMARC test was 'spf=none (sender IP is )' -
Code:
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=companydomain.com [email protected] header.b=IBqKLXyM; dkim-atps=neutral
mail-tester.com; dmarc=pass header.from=companydomain.com
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=companydomain.com [email protected] header.b=IBqKLXyM; dkim-atps=neutral
spf=none (sender IP is ) [email protected];
DKIM Domain: companydomain.com
From Domain: companydomain.com
Is this correct? I would have thought it'd display the IP address.

Little baffled though, as everything seems to be a-ok but they're still getting spoofed spam. As said, it's not much, but the fact O365 routes it through Exclaimer causes the users to panic a little.

Quick question: does anyone know if it's possible to test DMARC reporting? I just want to make sure I'm receiving the reports sent to [email protected].
 
I'd be interested in why it's hitting Exclaimer? Our rule is set:

Is sent to 'Outside the organization'
and Is received from 'Inside the organization'
and Is received from a member of group

which means it has to come from within our organisation to be stamped.

Do you have a dedicated DMARC reporting tool? If not, there are some good free ones out there that will save you trying to make heads or tails of the XML!

It may also be worth setting a rule along the lines of:
if received from outside, with your domain in the From field, block (or mark).
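The rule suggested above, modelled as plain logic over parsed headers so its edge cases can be seen. This is an added example, not from the thread and not an Exchange Online transport rule: it applies "received from outside the organisation, our own domain in the From header, block or mark" with one refinement the post does not state, namely that a message already carrying `dmarc=pass` is delivered, so third parties that legitimately send as the domain (covered by its SPF includes or DKIM keys) are not caught by the rule. Internal/external scope is taken from the `X-MS-Exchange-Organization-AuthAs` header, which is an assumption about how the tenant stamps authenticated senders. All messages are constructed to resemble the Authentication-Results lines quoted earlier in the thread; none are real.

```python
"""Anti-spoofing mail-flow rule as plain logic over message headers.

Added example, not from the thread. Constructed messages only.
"""
import email
import email.utils
import re
from email import policy

OUR_DOMAIN = "companydomain.com"


def from_domain(msg):
    """Domain of the RFC 5322 From header (what users see and spoofers forge)."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collapse Authentication-Results headers into {method: result}.

    A 'pass' wins over any other result for the same method, so a message
    with two DKIM signatures where one verifies counts as dkim=pass.
    """
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header)):
            if method not in results or result == "pass":
                results[method] = result
    return results


def received_from_outside(msg):
    # Assumption: authenticated internal senders are stamped
    # X-MS-Exchange-Organization-AuthAs: Internal; anything else is external.
    return str(msg.get("X-MS-Exchange-Organization-AuthAs", "Anonymous")).lower() != "internal"


def classify(raw):
    """Return (action, reason) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not received_from_outside(msg):
        return "deliver", "internal sender (signature-stamping rule may apply)"
    if from_domain(msg) != OUR_DOMAIN:
        return "deliver", "external sender using a foreign From domain"
    if auth_results(msg).get("dmarc") == "pass":
        return "deliver", "external but DMARC-aligned, e.g. an authorised third party"
    return "quarantine", "external sender claiming our From domain without DMARC pass"


# Constructed samples (not real messages).
SPOOF = """\
From: "Finance" <ceo@companydomain.com>
To: staff@companydomain.com
Subject: Urgent wire transfer
Authentication-Results: spf=fail (sender IP is 203.0.113.99) smtp.mailfrom=companydomain.com; dkim=none (message not signed) header.d=none; dmarc=fail action=oreject header.from=companydomain.com

Please pay the attached invoice today.
"""

THIRD_PARTY = """\
From: reviews@companydomain.com
To: customer@example.net
Subject: How did we do?
Authentication-Results: spf=pass (sender IP is 198.51.100.130) smtp.mailfrom=companydomain.com; dkim=pass (1024-bit key) header.d=companydomain.com; dmarc=pass header.from=companydomain.com

Thanks for your order.
"""

INTERNAL = """\
From: alice@companydomain.com
To: bob@companydomain.com
Subject: lunch
X-MS-Exchange-Organization-AuthAs: Internal

12:30?
"""

FOREIGN = """\
From: newsletter@example.org
To: alice@companydomain.com
Subject: Weekly digest
Authentication-Results: spf=pass (sender IP is 192.0.2.77) smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org

Digest body.
"""

if __name__ == "__main__":
    for name, raw in [("spoof", SPOOF), ("third party", THIRD_PARTY),
                      ("internal", INTERNAL), ("foreign", FOREIGN)]:
        print(f"{name:12} -> {classify(raw)}")
```

The DMARC exception is the part to get right in a real transport rule: without it, anything a third party sends on the domain's behalf from outside the tenant is blocked along with the spoofs, and a rule keyed on the From header alone will not distinguish the two.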
 