Forum Discussion
Gunter Danzeisen
Aug 04, 2022, Brass Contributor
DMARC, DKIM, SPF none but Composite authentication pass
Hi all, I have an email where DMARC, DKIM, SPF are marked as None, but still Composite authentication as passed. How can this be since the info of the composite authentication says: Combines multi...
- Aug 04, 2022
According to MS docs -> If a domain doesn't have traditional SPF, DKIM, and DMARC records, those record checks don't communicate enough authentication status information. Therefore, Microsoft has developed an algorithm for implicit email authentication. This algorithm combines multiple signals into a single value called composite authentication, or compauth for short.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-validation-and-authentication?view=o365-worldwide#composite-authentication
Composite authentication result. Used by Microsoft 365 to combine multiple types of authentication such as SPF, DKIM, DMARC, or any other part of the message to determine whether or not the message is authenticated. Uses the From: domain as the basis of evaluation.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers?view=o365-worldwide#authentication-results-message-header-fields
Well, also check the FROM header of the email. I guess MS needs to disclose the other parts of the message. Cheers mate
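As an added example (not from the thread, and not Microsoft's own code): a small parser for the Authentication-Results header layout that Microsoft 365 writes, which surfaces the exact case Gunter describes, spf/dkim/dmarc all none while compauth=pass, and reports the From: domain that compauth was evaluated against. The sample headers, IP addresses, domains and reason code below are constructed for illustration.

```python
import re

# Constructed sample headers in the Microsoft 365 layout (values are made up).
SAMPLE_IMPLICIT_PASS = (
    "Authentication-Results: spf=none (sender IP is 192.0.2.10) "
    "smtp.mailfrom=example.net; dkim=none (message not signed) header.d=none;"
    "dmarc=none action=none header.from=example.net;compauth=pass reason=109"
)
SAMPLE_EXPLICIT_PASS = (
    "Authentication-Results: spf=pass (sender IP is 192.0.2.20) "
    "smtp.mailfrom=example.org; dkim=pass (signature was verified) "
    "header.d=example.org;dmarc=pass action=none header.from=example.org;"
    "compauth=pass reason=100"
)


def parse_authentication_results(header: str) -> dict:
    """Map each method (spf, dkim, dmarc, compauth) to its result and key=value
    properties. Parenthesised comments such as "(sender IP is ...)" are dropped."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    body = re.sub(r"\([^)]*\)", "", body)
    results = {}
    for clause in body.split(";"):
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def explain_compauth(results: dict) -> dict:
    """Flag the thread's case: no explicit SPF/DKIM/DMARC verdict (all 'none' or
    absent) yet compauth=pass, i.e. the verdict rests on implicit signals only."""
    explicit = {m: results.get(m, {}).get("result", "missing") for m in ("spf", "dkim", "dmarc")}
    compauth = results.get("compauth", {})
    from_domain = results.get("dmarc", {}).get("props", {}).get("header.from")
    implicit_only = (
        all(v in ("none", "missing") for v in explicit.values())
        and compauth.get("result") == "pass"
    )
    return {
        "explicit": explicit,
        "compauth": compauth.get("result"),
        "reason": compauth.get("props", {}).get("reason"),
        "from_domain": from_domain,
        "implicit_pass_only": implicit_only,
    }
```

A message flagged with implicit_pass_only is one whose authentication rests entirely on Microsoft's undisclosed implicit signals, which is the point at which a defender would want to look at the From: domain and the sending IP before trusting it.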
jerry1965
Jul 11, 2024, Copper Contributor
Composite Authentication is BS. Also, DMARC is only a policy, not an authentication mechanism, and it cannot be enforced -- it is only a request. FROM is not authentication -- that is the whole problem as to why SPF and DKIM were created. Anyone can pick any FROM address from any domain, Google.com, Microsoft.com, anything, if you have your own server.
Only DKIM and SPF authenticate email. Period. Nothing else.
SPF says what servers can send for a given domain, and DKIM digitally signs it for the domain, proving it is authentic and untampered.
This is why they are important. Anything else is easily faked.