SPF/DMARC Insanity Check

Hi all,

I've inherited a small Office 365 setup and users are complaining about the spam, which is fairly light from what I've seen.
However, a lot of the spam is the FROM field spoofing type and O365 decides to route these through Exclaimer (signatures) which adds to the 'panic'.

SPF and DMARC records are set and DKIM enabled (need to double check the selectors are set correctly) but just for my insanity, does anyone see any glaring issues with the records below?

Code:
v=spf1 a mx ip4:{webserver_ip*} ip4:{office_ip*} include:spf.protection.outlook.com include:spf.exclaimer.net include:trustpilotservice.com -all
Code:
v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@{companydomain.com}
* for reference, there is an SMTP connector set up (with webserver and office IP whitelisted) for office equipment and (I presume) for their website to use.

The only thing I can see is that the email domain A record points to the webserver IP address, so I'm guessing the 'ip4:{webserver_ip*}' is surplus to requirements?

Thanks! :)
 
Just checked the DKIM selector CNAME records and both selectors appear to be correct, however I did make the change to the DMARC record -
Code:
_dmarc.companydomain.com 3600 IN TXT "v=DMARC1;p=reject;rua=mailto:dmarc@{companydomain.com}"


And mail-tester.com returned a 10/10 score and says DKIM and DMARC are both valid.

One thing I did spot however on the DMARC test was 'spf=none (sender IP is )' -
Code:
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=companydomain.com [email protected] header.b=IBqKLXyM; dkim-atps=neutral
mail-tester.com; dmarc=pass header.from=companydomain.com
mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=companydomain.com [email protected] header.b=IBqKLXyM; dkim-atps=neutral
spf=none (sender IP is ) [email protected];
DKIM Domain: companydomain.com
From Domain: companydomain.com
Is this correct? As I would have thought it'd display the IP address.

Little baffled though, as everything seems to be a-ok but they're still getting spoofed spam. As said, it's not much but the fact O365 routes it through Exclaimer causes the users to panic a little.

Quick question, does anyone know if it's possible to test DMARC reporting? I just want to make sure I'm receiving the reports sent to [email protected].
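
Added example, not part of the original posts: the results quoted above show dmarc=pass alongside spf=none, which follows from DMARC needing only one of SPF or DKIM to pass with a domain aligned to the From header. The sketch below applies that rule to constructed sample results; example.com, the function names and the two-label organizational-domain shortcut are assumptions.

```python
import re

# Constructed samples modelled on the results quoted above; example.* are placeholders.
LEGIT = """mail-tester.com; dkim=pass (1024-bit key; unprotected) header.d=example.com header.b=AAAAAAAA
mail-tester.com; spf=none (sender IP is ) smtp.mailfrom=user@example.com"""
SPOOF = "mx.example.net; spf=pass smtp.mailfrom=bounce@mailer.example.org; dkim=none"

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, which is needed for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_results(text):
    """Return [(method, result, authenticated_domain)] for each spf/dkim clause."""
    out = []
    text = re.sub(r"\([^)]*\)", "", text)  # drop (comments); they may contain ';'
    for clause in re.split(r"[;\n]", text):
        m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        prop = (r"header\.d=([\w.-]+)" if method == "dkim"
                else r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)")
        dom = re.search(prop, rest)
        out.append((method, result.lower(), dom.group(1) if dom else None))
    return out

def dmarc_evaluate(text, from_domain, policy="reject", adkim="r", aspf="r"):
    """DMARC passes if SPF or DKIM both passes and aligns with the From domain."""
    checks = []
    for method, result, dom in parse_results(text):
        strict = (adkim if method == "dkim" else aspf) == "s"
        ok = result == "pass" and dom is not None and aligned(dom, from_domain, strict)
        checks.append((method, result, dom, ok))
    passed = any(c[3] for c in checks)
    # disposition "none" means no policy action is taken on the message
    return {"dmarc": "pass" if passed else "fail",
            "disposition": "none" if passed else policy, "checks": checks}

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, dmarc_evaluate(sample, "example.com"))
```

The second sample shows the other side of the rule: an SPF pass for an unrelated envelope domain does not satisfy DMARC for the From domain, so the p=reject policy applies.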
 