1

Topic: Decipher DMARC Report - sending spam?

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.5.1
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: ubuntu 20
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello.  Can someone please help me understand if my mail server is sending spam?  I'm getting a DMARC report back from Google that shows some spammy domains. 

A couple of items that pique my interest:
1. the source IP
2. passes dkim but fails spf

Thanks,
Dan

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <email>noreply-dmarc-support@google.com</email>
    <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
    <report_id>765653864378551065</report_id>
    <date_range>
      <begin>1647388800</begin>
      <end>1647475199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:41d0:303:be6e::24</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>improvmx.com</domain>
        <result>pass</result>
        <selector>dkimprovmx1</selector>
      </dkim>
      <dkim>
        <domain>mydomain.com</domain>
        <result>pass</result>
        <selector>dkim</selector>
      </dkim>
      <spf>
        <domain>stay.stayfiteathealthy.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>


2

Re: Decipher DMARC Report - sending spam?

It's clear in the XML content, just pay some attention to read and try to understand it.

3

Re: Decipher DMARC Report - sending spam?

ZhangHuangbin wrote:

It's clear in the XML content, just pay some attention to read and try to understand it.

I appreciate you taking the time to read my post.  So, a mail server improvmx.com was attempting to send spam to someone at Google.com, posing as a mail server from mydomain.com sending spam "from" stay.stayfiteathealthy.com?

And then, as I understand it, SPF failed and my DMARC config is set to reject, so Google would have rejected this email.

Did I get this right?

Thanks,
Dan
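To make the report from the first post and the question in the last one concrete, here is an added Python script (not code from the poster or from the iRedMail project) that parses a DMARC aggregate report with the standard library and applies DMARC identifier alignment to each record. Two things it makes visible: the `<spf>` under `<auth_results>` is the raw SPF check on the envelope MAIL FROM domain, while the `<spf>` under `<policy_evaluated>` is the aligned result, so "pass" in one and "fail" in the other is not a contradiction; and DMARC passes when either DKIM or SPF is aligned and passing, so an aligned DKIM pass means the `p=reject` policy was never applied (the reporter's `<disposition>none</disposition>` says the same). The sample is the report quoted above, trimmed to the elements used here. `org_domain` approximates the organizational domain as the last two labels, a stated simplification of the Public Suffix List lookup real validators use; all function and field names are this example's own.

```python
"""Parse a DMARC aggregate (RUA) report and apply identifier alignment per record.

Added example for this thread; not code from the poster or the iRedMail project.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the report quoted in the first post, trimmed to the elements used here.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>765653864378551065</report_id>
    <date_range><begin>1647388800</begin><end>1647475199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>reject</p>
    <sp>none</sp>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>2001:41d0:303:be6e::24</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>improvmx.com</domain><result>pass</result><selector>dkimprovmx1</selector></dkim>
      <dkim><domain>mydomain.com</domain><result>pass</result><selector>dkim</selector></dkim>
      <spf><domain>stay.stayfiteathealthy.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption/simplification: real DMARC validators consult the Public Suffix
    List, so this is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(auth_domain, header_from, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def analyze_report(xml_text):
    """Return one finding dict per <record>, recomputing alignment from auth_results."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    pol = root.find("policy_published")
    adkim = pol.findtext("adkim", "r")
    aspf = pol.findtext("aspf", "r")
    findings = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from")
        row = rec.find("row")
        # Raw DKIM results: every passing signature, whatever domain signed it.
        dkim_pass = [d.findtext("domain") for d in rec.findall("auth_results/dkim")
                     if d.findtext("result") == "pass"]
        dkim_aligned = [d for d in dkim_pass if is_aligned(d, header_from, adkim)]
        third_party = [d for d in dkim_pass if d not in dkim_aligned]
        # Raw SPF result is on the envelope MAIL FROM domain, not the header From.
        spf = rec.find("auth_results/spf")
        spf_domain = spf.findtext("domain") if spf is not None else None
        spf_pass = spf is not None and spf.findtext("result") == "pass"
        spf_aligned = spf_pass and is_aligned(spf_domain, header_from, aspf)
        dmarc_pass = bool(dkim_aligned) or spf_aligned
        reported_dkim = row.findtext("policy_evaluated/dkim")
        reported_spf = row.findtext("policy_evaluated/spf")
        findings.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": header_from,
            "dkim_aligned_domains": dkim_aligned,
            "third_party_dkim_domains": third_party,
            "spf_domain": spf_domain,
            "spf_aligned": spf_aligned,
            "dmarc_pass": dmarc_pass,
            "reported_disposition": row.findtext("policy_evaluated/disposition"),
            # Does our recomputation agree with the reporter's aligned verdicts?
            "matches_reporter": (reported_dkim == ("pass" if dkim_aligned else "fail")
                                 and reported_spf == ("pass" if spf_aligned else "fail")),
            # Aligned DKIM survived but SPF checked an unrelated domain: the usual
            # shape of a message relayed/forwarded after the origin signed it.
            "looks_relayed": bool(dkim_aligned) and not spf_aligned,
        })
    return findings


def explain(f):
    verdict = "PASS" if f["dmarc_pass"] else "FAIL"
    lines = [f"{f['count']} message(s) from {f['source_ip']} claiming From: {f['header_from']}",
             f"  DMARC {verdict}; aligned DKIM domains: {f['dkim_aligned_domains'] or 'none'}",
             f"  other passing DKIM signers: {f['third_party_dkim_domains'] or 'none'}",
             f"  SPF checked {f['spf_domain']}: aligned={f['spf_aligned']}",
             f"  reporter disposition: {f['reported_disposition']}"]
    if f["looks_relayed"]:
        lines.append("  pattern: signed by your domain, then relayed through another host")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in analyze_report(SAMPLE_REPORT):
        print(explain(finding))
```

Run as-is it evaluates the quoted report: the only aligned DKIM domain is mydomain.com, improvmx.com is a second, non-aligned signer, the SPF-checked domain does not align, so DMARC passes on DKIM and nothing was rejected. Whether that relayed message was wanted or not is a question for the sending host's own logs, not something the aggregate report can answer.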