[kwlug-disc] About email, SPF, question
Chris Irwin
chris at chrisirwin.ca
Fri Sep 6 00:05:57 EDT 2024
On Thu, Sep 05, 2024 at 11:03:00PM GMT, Mikalai Birukou wrote:
>
>> We currently have thread, where one of receiving servers keeps adding
>> "[Possible phishing attempt]" into subject. It happens on my posts.
>>
>> Is it possible that kwlug.org sender isn't in my domain's SPF, and this
>> triggers such labeling?
Sort-of, but I think the real problem is your DKIM policy.
>> My domain is setup to the t, like protonmail asks one to set things up.
>> In fact, they generate DNS records for you to copy and paste (convenient
>> admin ux).
Here's what my mail provider (Fastmail) added to the headers for the
message I'm replying to:
    X-Spam-known-sender: no ("Email failed DMARC policy for domain")
    X-Spam-sender-reputation: 500 (none)
    X-Spam-score: 0.0
    X-Spam-hits: BAYES_00 -1.9, DMARC_NONE 0.898, HEADER_FROM_DIFFERENT_DOMAINS 0.25,
        MAILING_LIST_MULTI -1, ME_HAS_VSSU 0.001, ME_SENDERREP_NEUTRAL 0.001,
        SPF_HELO_NONE 0.001, SPF_PASS -0.001, T_SCC_BODY_TEXT_LINE -0.01,
        LANGUAGES en, BAYES_USED user, SA_VERSION 4.0.0
    X-Spam-source: IP='199.212.143.9', Host='cpanel10.indieserve.net', Country='CA',
        FromHeader='com', MailFrom='org'
    X-Spam-charsets: plain='utf-8'
So it looks like content analysis helped the message (-1.9), but the key
things that jumped out were:
1. DMARC_NONE 0.898
Your DMARC policy is very minimal, and instructs for no action to be
taken:
v=DMARC1; p=none
Compare with mine (rua & ruf omitted):
v=DMARC1; p=reject; sp=reject; pct=100; fo=1; adkim=r; aspf=r
Fastmail's spam checker reported this to be fairly suspicious on
its own.
2. HEADER_FROM_DIFFERENT_DOMAINS
Your mail, via the list, is still coming from you. A lot of domains
that have DKIM/SPF/DMARC set up in a strict manner get rewritten
senders. This message you're reading will probably have the
following sender, instead of my proper address:
From: Chris Irwin via kwlug-disc <kwlug-disc at kwlug.org>
3. SPF DNS Records
I also checked your SPF record, it looks fine.
I believe (and Paul can correct me if I'm wrong), the mail list will
determine if rewriting the sender due to mail security is required
"automatically". It might be tripped up on the "p=none" DKIM policy, and
therefore doesn't rewrite your address... Resulting in 'forged' mail
that doesn't pass SPF or DKIM checks, so looks suspicious, but with a
DMARC policy that says to take no action...
I'd suggest setting your DKIM policy to quarantine at least, letting it
propagate (and for KWLug's list host to clear its caches), and trying
again.
Note that Proton's docs state:
DMARC combines SPF and DKIM authentication results to prevent
spoofing of your domain. We recommend using “p=quarantine” policy
for most domains.
https://proton.me/support/custom-domain
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
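The following is an added example, not part of the post above or of any list software: it runs the DMARC identifier-alignment check (RFC 7489) over a constructed version of the relayed message the Fastmail headers describe, so you can see why a list relay with an unrewritten From: header fails DMARC, why "p=none" turns that failure into a mere DMARC_NONE score bump, and what happens once the From: header is rewritten to the list address. The sender's domain is the placeholder example.com (the headers only show "FromHeader='com'"), kwlug.org is the list domain from the post, the sender's own DKIM signature is assumed to fail because the list modified the Subject, and org_domain() uses the last two labels instead of the Public Suffix List. The DMARC records for the rewritten case are assumptions as well.

```python
# Added example (not from the original post): DMARC alignment check for a
# mailing-list relay.  Assumptions: example.com stands in for the author's
# domain, kwlug.org is the list domain, the author's DKIM signature fails
# after the Subject tag, and org_domain() is a two-label simplification.


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags, filling in the
    RFC 7489 defaults for adkim, aspf and pct (and sp, which defaults
    to p)."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain):
    """Organizational domain.  Assumption: last two labels; a real
    verifier consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r'
    (relaxed) accepts any name under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, mailfrom_domain, spf_pass, dkim_results, record):
    """DMARC result for one message.

    from_domain      domain of the RFC5322.From header (what DMARC protects)
    mailfrom_domain  domain of the SMTP MAIL FROM (what SPF authenticated)
    spf_pass         whether SPF passed for mailfrom_domain
    dkim_results     list of (signing domain, verified) pairs
    record           DMARC TXT record published for from_domain
    """
    policy = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(mailfrom_domain, from_domain, policy["aspf"])
    dkim_aligned = any(ok and aligned(d, from_domain, policy["adkim"])
                       for d, ok in dkim_results)
    passed = spf_aligned or dkim_aligned
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # A passing message is delivered normally; a failing one gets the
        # disposition the domain owner requested: none, quarantine, reject.
        "disposition": "none" if passed else policy["p"],
    }


# Constructed relay matching the Fastmail headers: From: still names the
# author's domain, MAIL FROM is the list (SPF_PASS for kwlug.org), and the
# author's DKIM signature no longer verifies (Subject was modified).
def relay_without_rewrite(sender_record):
    return dmarc_evaluate(
        from_domain="example.com",
        mailfrom_domain="kwlug.org",
        spf_pass=True,
        dkim_results=[("example.com", False)],
        record=sender_record,
    )


# Same message after the list rewrites From: to
# "Name via kwlug-disc <kwlug-disc@kwlug.org>".  DMARC is now evaluated
# against the list domain's record (assumed here), and the list's own SPF
# pass is aligned with the new From: domain.
def relay_with_rewrite(list_record):
    return dmarc_evaluate(
        from_domain="kwlug.org",
        mailfrom_domain="kwlug.org",
        spf_pass=True,
        dkim_results=[("example.com", False)],
        record=list_record,
    )


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=none",
                "v=DMARC1; p=quarantine",
                "v=DMARC1; p=reject; sp=reject; pct=100; fo=1; adkim=r; aspf=r"):
        print("%-62s -> %s" % (rec, relay_without_rewrite(rec)["disposition"]))
    print("after From: rewrite ->", relay_with_rewrite("v=DMARC1; p=none"))
```

Run it and the unrewritten relay fails alignment under every record (neither the list's SPF pass nor the broken DKIM signature is aligned with the author's From: domain); the only thing the record changes is the disposition, "none" for the post's "p=none" versus "quarantine" or "reject" for the stricter records. With the From: header rewritten to the list domain the SPF pass becomes aligned and the message passes, which is the behaviour the post attributes to list software for domains that publish a strict policy.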