[kwlug-disc] About email, SPF, question
Mikalai Birukou
mb at 3nsoft.com
Fri Sep 6 10:26:12 EDT 2024
>>> We currently have thread, where one of receiving servers keeps adding
>>> "[Possible phishing attempt]" into subject. It happens on my posts.
>>>
>>> Is it possible that kwlug.org sender isn't in my domain's SPF, and this
>>> triggers such labeling?
>
> Sort-of, but I think the real problem is your DKIM policy.
>
>>> My domain is set up to the T, like protonmail asks one to set things up.
>>> In fact, they generate DNS records for you to copy and paste (convenient
>>> admin ux).
>
> Here's what my mail provider (Fastmail) added to the headers for the
> message I'm replying to:
>
> X-Spam-known-sender: no ("Email failed DMARC policy for domain")
> X-Spam-sender-reputation: 500 (none)
> X-Spam-score: 0.0
> X-Spam-hits: BAYES_00 -1.9, DMARC_NONE 0.898, HEADER_FROM_DIFFERENT_DOMAINS 0.25,
> MAILING_LIST_MULTI -1, ME_HAS_VSSU 0.001, ME_SENDERREP_NEUTRAL 0.001,
> SPF_HELO_NONE 0.001, SPF_PASS -0.001, T_SCC_BODY_TEXT_LINE -0.01,
> LANGUAGES en, BAYES_USED user, SA_VERSION 4.0.0
> X-Spam-source: IP='199.212.143.9', Host='cpanel10.indieserve.net',
> Country='CA',
> FromHeader='com', MailFrom='org'
> X-Spam-charsets: plain='utf-8'
>
> So it looks like content analysis helped the message (-1.9), but the key
> things that jumped out were:
>
> 1. DMARC_NONE 0.898
>
> Your DMARC policy is very minimal, and instructs for no action to be
> taken:
>
> v=DMARC1; p=none
>
> Compare with mine (rua & ruf omitted):
>
> v=DMARC1; p=reject; sp=reject; pct=100; fo=1; adkim=r; aspf=r
>
> Fastmail's spam checker reported this to be fairly suspicious on
> its own.
>
> 2. HEADER_FROM_DIFFERENT_DOMAINS
>
> Your mail, via the list, is still coming from you. A lot of domains
> that have DKIM/SPF/DMARC set up in a strict manner get rewritten
> senders. This message you're reading will probably have the
> following sender, instead of my proper address:
>
> From: Chris Irwin via kwlug-disc <kwlug-disc at kwlug.org>
>
> 3. SPF DNS Records
>
> I also checked your SPF record, it looks fine.
>
> I believe (and Paul can correct me if I'm wrong), the mail list will
> determine if rewriting the sender due to mail security is required
> "automatically". It might be tripped up on the "p=none" DKIM policy, and
> therefore doesn't rewrite your address... Resulting in 'forged' mail
> that doesn't pass SPF or DKIM checks, so looks suspicious, but with a
> DMARC policy that says to take no action...
>
> I'd suggest setting your DKIM policy to quarantine at least, letting it
> propagate (and for KWLug's list host to clear its caches), and trying
> again.
>
> Note that Proton's docs state:
>
> DMARC combines SPF and DKIM authentication results to prevent
> spoofing of your domain. We recommend using “p=quarantine” policy
> for most domains.
> https://proton.me/support/custom-domain
Right. Thank you.
Text says one thing, while all pictures say another, leading to not all t's being crossed, I guess.
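The effect of the two DMARC records quoted in this thread (`p=none` versus `p=reject; ... adkim=r; aspf=r`) on a list-relayed message, worked through in a small Python evaluator. This is an added illustration, not code from anyone on the list: it parses a DMARC TXT record, applies the RFC 7489 identifier-alignment rules in relaxed (`r`) or strict (`s`) mode, and returns the disposition the receiver would apply. The domains `sender.example` and `mail.sender.example` are constructed; `kwlug.org` is the list's envelope sender as seen in the `MailFrom='org'` header above. The organizational-domain check is a two-label approximation rather than a public-suffix-list lookup.

```python
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=none' into a tag -> value map."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (no PSL lookup; simplification)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' requires an exact match, 'r' only the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def dmarc_disposition(record: str, from_domain: str, mail_from_domain: str, spf_pass: bool,
                      dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return 'pass', or the record's p= policy ('none', 'quarantine', 'reject') when nothing aligns."""
    tags = parse_dmarc(record)
    # SPF only counts for DMARC when the RFC5321.MailFrom domain aligns with the From: header domain.
    spf_ok = spf_pass and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    # DKIM only counts when the signing domain (d=) aligns with the From: header domain.
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


def list_relay_outcomes() -> Dict[str, str]:
    """The thread's situation: list relays with MailFrom=kwlug.org, SPF passes for kwlug.org,
    no DKIM signature that aligns with the original From: domain (constructed sender.example)."""
    case = dict(from_domain="sender.example", mail_from_domain="kwlug.org",
                spf_pass=True, dkim_domain=None, dkim_pass=False)
    return {
        "p=none": dmarc_disposition("v=DMARC1; p=none", **case),
        "p=quarantine": dmarc_disposition("v=DMARC1; p=quarantine", **case),
        "p=reject": dmarc_disposition("v=DMARC1; p=reject; sp=reject; pct=100; fo=1; adkim=r; aspf=r", **case),
    }
```

With `p=none` the misaligned relayed message is still delivered and only scored (the `DMARC_NONE` hit above); the stricter policies are what make a list rewrite the sender to `... via kwlug-disc <kwlug-disc at kwlug.org>` so the From: domain aligns again.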