
moderated DKIM signature in use in Moldova? #bug


Mark Berry
 

I posted this in the Group Managers forum and a member suggested I post it here.

I'm working on setting up DMARC on my domain, obfuscated here as mydomain.com.

For a few days after I started posting in the Group Managers forum, I was getting reports of thousands of would-be failures for email sent from Moldova. I found a raw report with the Moldovan IP address. I don't quite understand the <auth_results> section: it looks like DKIM is passing using the groups.io signature, but the foreign IP (bleza.skilldivine.net) is passing on SPF. Are they somehow spoofing the groups.io DKIM signature? Here is the report (the questionable section is the <auth_results> block):

<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster(at)dmarc.yahoo.com</email>
    <report_id>1596936350.redacted</report_id>
    <date_range>
      <begin>1596844800</begin>
      <end>1596931199</end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>194.50.188.140</source_ip>
      <count>1896</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>mydomain.com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>groups.io</domain>
        <result>pass</result>
      </dkim>
      <spf>
        <domain>bleza.skilldivine.net</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

The only groups.io DKIM TXT record I know of is 20140610._domainkey.groups.io. If that is a date stamp, perhaps it's time to rotate the key?

Regards,

Mark Berry


Jim Wilson
 

@Mark Berry, it just occurred to me that perhaps the "pass" result in the "auth_results, dkim" section is simply confirming that a valid DKIM record was found for the "groups.io" domain.

Sorry, I only thought of this after I realized the "policy evaluated" section shows "fail" in the "dkim" section and appears to be (rightly) determining that the DKIM is invalid. I'm trying to find the relevant docs that may explain this.

What I don't understand is why the "source ip" does not show up on any block list yet. :(
--
Jim
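
The two sections of the report that Mark asks about and Jim points to answer different questions. <auth_results> records the raw verifier outcome: the DKIM signature verified against the key published by groups.io, and the sending IP is authorized by the SPF record of bleza.skilldivine.net. <policy_evaluated> records the DMARC verdict, which additionally requires the passing identifier to align with the RFC5322.From domain (mydomain.com here); neither groups.io nor bleza.skilldivine.net does, so DMARC reports fail for both, and disposition stays "none" only because the published policy is p=none. The script below is an added example, not code from groups.io or from anyone in this thread; it re-implements the RFC 7489 alignment check over a constructed report modelled on the one posted (IPs replaced with documentation addresses, the SPF domain replaced with an example name), and adds a second record showing what an aligned pass looks like. The organizational-domain helper uses the last two labels as a stand-in for a Public Suffix List lookup, which is an assumption that is good enough for .com/.io/.net but wrong for suffixes such as co.uk.

```python
"""Recompute <policy_evaluated> from <auth_results> in a DMARC aggregate report.

Added example, not groups.io code. It applies the RFC 7489 alignment rules so
that a raw "pass" for a third-party domain can be seen turning into a DMARC
"fail" for the RFC5322.From domain.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report in the thread.  Record 1 mirrors
# the posted case (DKIM d=groups.io, SPF for an unrelated host); record 2 is
# an added aligned case for contrast.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>mydomain.com</domain>
    <adkim>r</adkim>
    <aspf>r</aspf>
    <p>none</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1896</count></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>groups.io</domain><result>pass</result></dkim>
      <spf><domain>bleza.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>3</count></row>
    <identifiers><header_from>mydomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mail.mydomain.com</domain><result>pass</result></dkim>
      <spf><domain>mydomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def org_domain(domain):
    """Organizational domain.  Assumption: the last two labels stand in for a
    Public Suffix List lookup (wrong for co.uk-style suffixes; fine here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, header_from, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    return org_domain(a) == org_domain(h)


def evaluate_record(record, policy):
    """Return (dkim, spf, disposition) as a receiver would write them into
    <policy_evaluated>, derived only from <auth_results> and the policy."""
    header_from = record.findtext("identifiers/header_from")
    dkim_ok = any(
        d.findtext("result") == "pass"
        and aligned(d.findtext("domain"), header_from, policy["adkim"])
        for d in record.findall("auth_results/dkim")
    )
    spf_ok = any(
        s.findtext("result") == "pass"
        and aligned(s.findtext("domain"), header_from, policy["aspf"])
        for s in record.findall("auth_results/spf")
    )
    # DMARC passes if either aligned mechanism passes; otherwise the
    # published p= action applies (which is "none" in the posted report).
    disposition = "none" if (dkim_ok or spf_ok) else policy["p"]
    return ("pass" if dkim_ok else "fail", "pass" if spf_ok else "fail", disposition)


def evaluate_report(xml_text):
    """Evaluate every <record> in an aggregate report; returns
    [(source_ip, (dkim, spf, disposition)), ...]."""
    root = ET.fromstring(xml_text)
    pp = root.find("policy_published")
    policy = {
        "adkim": pp.findtext("adkim", "r"),
        "aspf": pp.findtext("aspf", "r"),
        "p": pp.findtext("p", "none"),
    }
    return [
        (rec.findtext("row/source_ip"), evaluate_record(rec, policy))
        for rec in root.findall("record")
    ]


if __name__ == "__main__":
    for ip, (dkim, spf, disp) in evaluate_report(SAMPLE_REPORT):
        print(f"{ip}: dkim={dkim} spf={spf} disposition={disp}")
```

Running it prints dkim=fail spf=fail disposition=none for the first record, matching the posted <policy_evaluated>, and pass/pass for the aligned second record. Changing <p>none</p> to <p>reject</p> in the sample turns the first record's disposition into reject while leaving the second untouched, which is the practical effect of moving a DMARC policy past monitoring mode.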


Mark Berry
 

I believe the failures in the "policy evaluated" section are what MxToolbox calls alignment failures. Which kinda makes sense, if a third party is signing email with a spoofed certificate but not actually sending from that certificate's domain. (If that's what misalignment means.) Here is their report on that XML: