On 5/7/20 11:08 AM, Christian Mack via mailop wrote:
Hello

On 07.05.20 at 10:29, Evan Booyens via mailop wrote:

According to DMARC docs, email should obey DMARC policy if either SPF or DKIM pass. This leads to a situation where a hijacked mailbox can send out spam which is accepted when SPF fails as DKIM passes. Any comments? Am I misunderstanding the DMARC policy?

It seems it would be better to apply DMARC if either DKIM or SPF fail, thus not weakening SPF.


When the account is hacked, why should SPF fail?
Emails are sent by your email servers.
Both DKIM and SPF will be valid and DMARC does not help in such a case at all.


Kind regards,
Christian Mack

Hi Christian

Often the hacked account is used to send mail from a spoofed domain. In this case, one of the DKIMs passes and the other either fails or does not exist, thus the mail still gets accepted, even when SPF fails. We are finding this on spoofed banking emails where DKIM for the original sender domain does not exist and SPF for the spoofed domain fails.

Kind Regards

Evan


_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
--

Evan Booyens
Platform Engineer
xneelo (Pty) Ltd

SA Contact Centre: 0861 0861 08
International: +27 21 970 2000

<https://xneelo.co.za>

Disclaimer: xneelo.co.za/email-disclaimer <https://xneelo.co.za/email-disclaimer>
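
As an added example (not part of the thread and not any participant's code): a minimal sketch of the DMARC check in RFC 7489, where an SPF or DKIM pass counts only if the authenticated domain aligns with the From: header domain. The domain names, the tiny suffix set and the function names are constructed for illustration.

```python
# Added example: DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "za", "co.za"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # assumption: unknown TLD, keep last two labels

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf == "s")
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim == "s")
                  for res, d in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"

# Constructed sample messages: (label, From: domain, SPF result, DKIM signatures)
SAMPLES = [
    ("own domain via own servers", "hoster.example",
     ("pass", "hoster.example"), [("pass", "hoster.example")]),
    ("spoofed From, DKIM signed by sending host", "bank.example",
     ("fail", "hoster.example"), [("pass", "hoster.example")]),
    ("From domain signed by its own subdomain", "bank.example",
     ("fail", "hoster.example"), [("pass", "mail.bank.example")]),
]

def evaluate_samples():
    return {label: dmarc_result(frm, spf, sigs) for label, frm, spf, sigs in SAMPLES}

if __name__ == "__main__":
    for label, result in evaluate_samples().items():
        print(f"{result:4}  {label}")
```

A receiver applies the From: domain's published policy (p=quarantine or p=reject) only to the messages that evaluate to "fail" here.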