Home / server / Questions / 1098803
In Process
John
Asked: 2022-04-18 05:25:01 +0800 CST

Does this report mean someone is attempting to send emails fraudulently or that I have things configured wrong?

  • 772

enter image description here

Pretty new to spf/dkim and dmark.

After setting this up just this morning I already got a report on a new website. Our service eamils our users via sendgrid and the rest of the emails are sent from our google workspace accounts.

Our SPF looks like the following:

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Google is authenticing the DKIM records, based on their control panel, I can only "stop authenticating" (How long should it take for google to authenticate a DKIM TXT DNS entry?)

The dmarc dns record looks like:

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=0;

So based on this I'm not sure if the screenshot report is saying I have things configured wrong, or if someone tried to send an email fraudulently.. and if it is the latter, what should I do about it?

The 2nd IP is making me think I have thinks ill-configured as it comes from sendgrid: https://whatismyipaddress.com/ip/168.245.72.219

spf dkim dmarc

2 Answers

  1. There is not enough information to determine if your configuration is correct.

    If someone is sending spam with your domain, then your current configuration could be made stronger to protect your domain's reputation.

    The SPF record should use the fail (-all) mechanism instead of the softfail (~all) mechanism.

    The DMARC policy should be p=quarantine or p=reject. Note that with p=reject, most receiving servers will silently discard messages, so if you have a configuration problem with sending, then your messages will not even arrive in a spam folder.

    • 0

  2. The main issue wie cheap services like mxtoolbox is that they do not offer all the bells and whistles that a solution like proofpoint or ondmarc offers.

    In theory, dmarc is easy: you identify all the legit services (use the reporting mode while doing it) and then set proactively the correct spf and dkim and then lock the domain down with moving to p=reject.

    in reality it's not that simple. sendgrid can also be used to impersonate a domain without dmarc, so checking this ip as sendgrids does not mean it's coming from you.

    my advise would be, if you're a small business to try your best by proactively setting it up and moving to reject, and if you're a bigger business, to invest in a proper solution.

    • 0