Why are my users getting spoofed messages when I have SPF, DMARC, DKIM enabled?

Recently, I had a user forward an email to me that was from a spoofed email account in our organization (the email was from an outside email server and had been relayed off another mail server with a spoofed Mail From).

According to MX Toolbox's header analyzer, the message failed these tests which should cause the message to be rejected:

SPF check failed 

DKIM check failed

DMARC check failed

For example, our SPF records designate anything that does not originate from Office365 or our company network should be rejected. This did not work.

I have DKIM and DMARC setup, as well, and all of these services are authenticated in the Office365 system.

What's going on?

8 Replies

Well it seems to me like the message was correctly identified as spam/spoof, what is most likely happening is that a "safe sender" setting is interfering, either on the user or tenant level. You should also check the high/low confidence spam action settings. What are the message SCL and PCL scores?

I checked the recipients settings and none of the originating domains are on their safe senders list. 

Someone in another forum mentioned an exploit in which an outside user can set up a connector on their O365 and it could cause the message to bypass O365 spam detection. I am not familiar with this exploit.

I have relay set to only allow from our onsite IP address range.

The forums won't let me attach the header as a txt file. I've scrubbed the sensitive information from our end and pasted the header below:

Received: from SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:405:5e::42)
by BN7PR07MB4353.namprd07.prod.outlook.com with HTTPS via
BN6PR2201CA0029.NAMPRD22.PROD.OUTLOOK.COM; Fri, 18 Jan 2019 22:27:40 +0000
Received: from BYAPR07CA0028.namprd07.prod.outlook.com (2603:10b6:a02:bc::41)
by SN6PR07MB4365.namprd07.prod.outlook.com (2603:10b6:805:57::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1516.15; Fri, 18 Jan
2019 22:27:38 +0000
Received: from CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
(2a01:111:f400:7e4d::209) by BYAPR07CA0028.outlook.office365.com
(2603:10b6:a02:bc::41) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1537.27 via Frontend
Transport; Fri, 18 Jan 2019 22:27:38 +0000
Authentication-Results: spf=none (sender IP is 212.124.108.234)
smtp.mailfrom=productos.com.co; MYDOMAIN.com; dkim=none (message not signed)
header.d=none;MYDOMAIN.com; dmarc=fail action=oreject
header.from=MYDOMAIN.com;compauth=fail reason=000
Received-SPF: None (protection.outlook.com: productos.com.co does not
designate permitted sender hosts)
Received: from mail.comsisnet.com (212.124.108.234) by
CO1NAM04FT022.mail.protection.outlook.com (10.152.90.167) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
15.20.1471.13 via Frontend Transport; Fri, 18 Jan 2019 22:27:37 +0000
Received: from localhost (localhost [127.0.0.1])
by mail.comsisnet.com (Postfix) with ESMTP id 54F7E142364
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:51 -0500 (-05)
Received: from mail.comsisnet.com ([127.0.0.1])
by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10032)
with ESMTP id P9-3v-WMDoiW for <USER1@MYDOMAIN.com>;
Fri, 18 Jan 2019 17:45:50 -0500 (-05)
Received: from localhost (localhost [127.0.0.1])
by mail.comsisnet.com (Postfix) with ESMTP id 5E6A21500A6
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:50 -0500 (-05)
X-Virus-Scanned: amavisd-new at mail.comsisnet.com
Received: from mail.comsisnet.com ([127.0.0.1])
by localhost (mail.comsisnet.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id 3nVxwu90PFrP for <USER1@MYDOMAIN.com>;
Fri, 18 Jan 2019 17:45:50 -0500 (-05)
Received: from 10.9.20.26 (200-71-186-82.static.telcel.net.ve [200.71.186.82])
by mail.comsisnet.com (Postfix) with ESMTPSA id 9A23FCAED5
for <USER1@MYDOMAIN.com>; Fri, 18 Jan 2019 17:45:49 -0500 (-05)
Date: Fri, 18 Jan 2019 18:23:16 -0400
From: USER 2 <USER2@MYDOMAIN.com>
To: <USER1@MYDOMAIN.com>
Message-ID: <15555712253192518038.5BA1A4B9EA82CFB4@MYDOMAIN.com>
Subject: Artwork & Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_8115_1960952945.12853567193974151674"
Return-Path: carolina.valencia@productos.com.co
X-MS-Exchange-Organization-ExpirationStartTime: 18 Jan 2019 22:27:37.8449
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id:
a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 102ad7f5-fd33-4fd4-b34f-eedc37df348f:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report:
CIP:212.124.108.234;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR07MB4365;H:mail.comsisnet.com;FPR:;SPF:None;LANG:en;
X-Microsoft-Exchange-Diagnostics:
1;CO1NAM04FT022;1:HetE1O0Ly62Uc4ODb0wwC7QPG4y+JY1LLL3tWWRXaXHq+oU0TKgJAtvka1SEPee9ATNa99agkSbVGFNCOAh8SIZd+7K5KQZPleV+vcqtHXxidfC+6H2VGCes0efX2npe
X-MS-Exchange-Organization-AuthSource:
CO1NAM04FT022.eop-NAM04.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-Microsoft-Antispam:
BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;3:SAAPgOnyRygJ1+YuHGTr9aa/QB25t8uIv5VgVYiTMYvoMxrQCeASm4PubeMRmFaLI8tOTR1EygwgHk3c7le0cioIGeV+wwVH86lmTNaiqDtR5gWZlSf3TL4rcCb6beTU4OAGLGLjJsR7bs7kdaG320Icx6pxHlf9F5lh9B6eFfs3wCE5K4qkNbKjxTYtw/wM5SOuS0+F48siz6YSzx8xHbhBDDXBwhuWERZFmjjhk32uu7jI8cJo5yQy5FWW4hIYUeWtkNIzemA610g9WQigmeKP5y/KL5p8tS85z5Z/uzQUYlRM0Cx6IdOvOcFC7y1yJVbMq1WrHEvSWxBk7F5bnqyeBmzle1QGffZdReHw1AyAq8ONWOPsOdqLi2gvkhbi;25:dPfpFddorovPpeJ3BeT+/tpItJa0Jw5f0fxgsA22DS8PfIvxGPT/JJQcRWgukj3mw7oC+aqzkDv8lHyFu6BgGJv5ggsWLXWJHax4Xzb+IkM6P/pQB9fFvVi6ecfzRZQ2Oj2nedp/jfa3W3vlaWWSuTCjQlhA8peAXLsSA4k2Zx63ooQh7j7eDZzE3y8G9cTLlZXUzu4xGJGBNjrm4DzNVLNqxuGEP/wowZCBs188nH/SjmYFIdA8CEswtwgU6a6Ibwihp4AGaUmMeslUDOyRMaosbDNb2l18zRvDQSB/AffqdBv5cx/OJzSbeSRkct85J+sk93/4k9xMY3vQEuryrg==
X-MS-TrafficTypeDiagnostic: SN6PR07MB4365:
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;31:TOWhrRMQaIcGDF+skb073rVtd8jj1aLHbl5AVW83q1R0lBXVXaLe/p77d0X+5FO5Dc/YhEJS2gCNuw2peZOfexNXK5aFvgHv8Ka71yEpmCOtYRWQYDA0DrxewwShVQaiCE2w7grqDahEczviUIp618ni5O5DRvn3mu5FRU6QhDhYa4cSf0aA7W6CahMgI6l8yzf6UXh1QehgP7Zzma+JGs8cxjwVhwqMCUt1AiQ2llk=
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;4:XXK2U0utE4eihRl+6nfj89bKk5H2f1YnDAjj3AUzPonFPt8mkc6XVoZ6Z7Fv4Sz1GVzFKpbHCT5FKfXQKOg2ha9l9dffidn5fMBkpPK2I2d+e04Y5/2JRxRG/CYs7MInk8UGGBK9V9PJmC1mjKrsJyQpHQcfFuCVlaN9Be2tr3dIIidoELjZB3TwozoPbWpZIuBFtOYTFr4LEHCsbNa9MPxoZeygblSCapzPHZECCujlODsPk+QV47+JzbXnvlxss7SH/qRNZIxn2iRPSVo7rG0KAxmdZaoo/CpXgr/0HrM=;23:o5/vXLQyVr0AyciuC8JiIy96umJ2gni5j1NBUpfLuoanzS7081pYRNiMrFx16AAaYpy6vYe+kY8nUiIpuRu01Up9ahI7n5naqHquo4k5jBG6vazdwTnAPObJDXO7vpe9mGGociIl5Tur8HCpSwPh4g==;6:OCj8uVnrLCZTtQy2N/vPaxa2Ve6FG9rGyMsoVhdTRQ//6S2Qhw/dko34MUDJ2pfwDf9TaO9zVpwI5LJTA6iZFMQo0JwK9cefTH+C85u9E+RD4/rKH/5pXOFdH/qWyyT5g0N0dOT1y3/xJ2Jz5gO0zc9KJ8MkG8+z0eeLQYCk3RXtQqWhsl9o8a300mYBP3YHm9vxuk2cDsN+c6gf4r0goM+jHUv5KaJlnedTwI9T9mKxfoDPdSzFEmc71nUwb6+s8ft9m2WTxIOBBQXKKFVAOIqqb90KRdcuFJGztySzISTfA0//UwS7Xbo9VxFhtZ3gh6oAbByD1s0UtWSEBle3LGyzwIsTg94CqReu5mZ29+jzi0l8XBGM3GlWl4CRIfKsuTy5HIE6hEmfOYdkCP5ytC5Xaxe5gGSU46BERIkPZCE5koV5Y75pi1Pxf8fnXUKoBwkrzp/60qO4QtvRsEA87A==
X-MS-Exchange-Organization-SCL: -1
X-Microsoft-Exchange-Diagnostics:
1;SN6PR07MB4365;5:0/6sqEzZAyxxLh6t6KDX8CBBunjNuxcp/IRzPFgeVOHkgsM7qlJg28dGeCQL0jK/NvLgrCHop9lydRUzyBzzG9MG7pTxxetkrqLWHBXyfIIiGuE8TPq9VN0XsiyxgbHt8wF2NJMrZD7yJwwg7sbBch8tw3XDqUgSFFOR6NTujcJRLR+3mMYWmqbUPimdAJsw9RFnNFPikcpWD/dPG9ToJA==;7:IRLonrA/Dbx7XhS47Z09qQEN9fWRD3J5W8WLC00M0W1/JyjoEs+jogJtJwvEJchuC9lDoMsIAc8YGy6kuomzFcprGhvW+MqRCk6j7o6pJgLk+Al3byxMV7I+3qH434wLQP69yh4cQjh6j3LggkSt7g==
SpamDiagnosticOutput: 1:24
SpamDiagnosticMetadata: Default
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Jan 2019 22:27:37.4386
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a18157f4-a1d7-4661-fe7c-08d67d9426c2
X-MS-Exchange-CrossTenant-Id: 102ad7f5-fd33-4fd4-b34f-eedc37df348f
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR07MB4365
X-MS-Exchange-Transport-EndToEndLatency: 00:00:03.0870920
X-MS-Exchange-Processed-By-BccFoldering: 15.20.1537.000
X-Microsoft-Exchange-Diagnostics:
1;BN7PR07MB4353;9:vPW6TAGyoKmb/FJQBPVY2+xOp+Ptc66QuJdyG5sYNFpZ6ejy/Blsr0s3/MC6VUeW9mWM+hahisDL1cMRMz5INpJy7IVLoBGAnARurykW3Ob/DFWzzUTzOje0ghf5a+sQeffG24rH/SCxwsfP3yjeo/aXvuQHRi7JEx3wC3SPzaw=
X-Microsoft-Antispam-Mailbox-Delivery:
ucf:1;jmr:0;ex:0;auth:0;dest:I;OFR:CustomRules;ENG:(750119)(520011016);
X-Microsoft-Antispam-Message-Info:
=?us-ascii?Q?kEeHv/iVZpomnhw0iCk5nqiMosnyimPbjrt5QRXze+EhYq6YxG1NH5j5ejJe?=
=?us-ascii?Q?fxhlIOlt3D6Wcwr7p0E5106e+VwVjNsJJn0Y+EsyqgTjdvajP68jiUZ3cDRh?=
=?us-ascii?Q?QhLEHuzRruvqsfK3LIV/jyjXsncqW0zhRsLX0tJgFOQkzppIwsM2y0oXbb6i?=
=?us-ascii?Q?uOAoGuhk+S1CPagXWtChh4aa4v47BPzaunz+GDVtnlrvjP+LWYoEmGf7T2bP?=
=?us-ascii?Q?jyQNbSriIVaWyCsTHmlBdB/34QvXBIoaHMOBm0nlaliff5K/HiuTODZ3T/OD?=
=?us-ascii?Q?4fIcqvMJj3Uf5E+TlrzQ4dQR8+DmepMYqD4iXdUM5riod49/AuSfvklIwyJC?=
=?us-ascii?Q?VfqzntPY0JRWSbSEGq400wpYlsuXv1L7el2IUGRewbO1q+dtq5JkhIjwUp99?=
=?us-ascii?Q?w3C6QS9PjuT5MxJAJYMxJ3FbOpiSFAr7bK5q8IMVCoH8yiQ2/CKXHnIGt2De?=
=?us-ascii?Q?Ks+eyA+uW8dMswNN8JwnnzQB3lCRDkFQu0XTpeLWaS/ychL6RBi01fZeSDCX?=
=?us-ascii?Q?saggQUxOVB8Os7c/HYF16N1CWblg3gfPYFzHi1nKgp1we4lgq84yZ9UNpnY1?=
=?us-ascii?Q?ju2Cag0WkXdIRgsC4NYN5pkw8CgN/WekHx3YIqH2ufT60d1gkruI2F43Q7Ev?=
=?us-ascii?Q?mDsKygT6F/LdTsD5rNfDMe1X9niZ2vIHbQ1M3DoU1XWaw3xPA/dnlNKM45rL?=
=?us-ascii?Q?bfoJmXZchUKgeKeUYGo70naHuOVqTZKLgc5jPOULnKzeWY1aud9EXyN8wsH3?=
=?us-ascii?Q?v9yHtAXiKz8r/Of3EOSiJxAgtC1uW0YoUsYLOedwj/j5OZanq/g4nf+idkSO?=
=?us-ascii?Q?wIXS9fuxKlsmLmCyFqD1rMIxvWpXVdFp9X7WdUuAwtG6zvvartw+vowxoUJk?=
=?us-ascii?Q?GccnsNESr9YLzzWfVONq30XbQjVj/BvXr4pmhCNQsEfsLkdFUKj1pDRowcfD?=
=?us-ascii?Q?cCBLkbQJ7Nmn0MAxNR5UnEXvXsTJn+So00J7wfrlOmerdJK+dZkavdBL/LWh?=
=?us-ascii?Q?36PuR64ej5IUzKMFIe50cFQ6Fe1FpA95N1qzD01lvYaybbpeYqkJKn7TxDhf?=
=?us-ascii?Q?RFoveqSvyXxOSJ7/ZTpcQqB8UWHPczJybbAtyfi/OFRlG9KzS9uqDYY5Kvmu?=
=?us-ascii?Q?HgZJJHNj97+I4mQWL3U2BwRnOhi+jcDXVWVi7QQrjjDx1us0HgVtwQYyfaN4?=
=?us-ascii?Q?3J61V3g+oUBOWnAwERRzmFA47hoCCdl0YZig2J/2yJu8PgssKHKbyrZv3t3W?=
=?us-ascii?Q?/lAum8CThg1iz55MDMe3wygELJAQN/O7HHf9osnD30fWIkP4JpKVNOci4JPE?=
=?us-ascii?Q?WoI=3D?=
X-Microsoft-Exchange-Diagnostics:
1;BN7PR07MB4353;27:pzBSGxd+Q+Wcz1YLQB6EoAIiu5QhoXf0Rcxz40L9UNH92GqZtxLPvSNuMCJaewB5FNLmfvFopndOHEF9HDMi6JclbtceGCWiN/dh1i4WImIQRBX1zbxRhujhF/9wNzylC8tTdHesMrjnKBW2h4D84sBzncuoQIcERuxHqIh42I+sbPGnVDP7ylOhgCA97bG+n5pnKtQkCnAHq4z6MQfsXD0/z6Z88RQOZ2ex09tBec9IA/OKispaVBVaLezIuaY1LLS+wGzp1PyvHcrFDisdR+ZVgSjSJcmQIWKGAm6WqsJ7FYFaxvEa5X204XR/Kw5jEDjp6AZ01t4UeZR6M/NcPCrowriZf6VcTAcsOgtYKphr/kYVNlpwASWRDOA+Skv1

X-Microsoft-Antispam:
BCL:6;PCL:0;RULEID:(2390118)(7020095)(4652040)(5600109)(711020)(4605076)(4710035)(4613076)(4712035)(1401299)(1421009)(1403068)(71702078);SRVR:SN6PR07MB4365;

X-MS-Exchange-Organization-SCL: -1

Anybody else with any ideas? This is a serious security issue, especially if the exploit I mentioned above is real.

Not sure if this is still true, but I found an old post in a message group saying that Microsoft ignores DMARC values because of concern that too many companies screw up their DMARC and it would lead to too many returned messages.

http://lists.dmarc.org/pipermail/dmarc-discuss/2015-November/003327.html

I know that a lot of other email providers do. When I first set it up, I set the reporting component up to send reports to me and I got reports from hosts like Yahoo and Comcast.

The SCL score of this message is -1, meaning that the anti-spam action was bypassed due to a "trusted sender" or similar exception, as suspected. In particular, the SFV:SKA value indicates that you have an allow list, as detailed here: https://docs.microsoft.com/en-us/office365/securitycompliance/anti-spam-message-headers

SFV:SKA The message skipped filtering and was delivered to the inbox because it matched an allow list in the spam filter policy, such as the Sender allow list.

There's nothing wrong on Microsoft's side; it's the admin/user configuration that is allowing this message to pass through the anti-spam filter. Check your policy settings, transport rules and the mailbox settings.

I don't have any of those things enabled related to the original servers where the message originated.

carolina.valencia@productos.com.co does not appear in the user's safe sender list

We have no tunnels on our end related to mail.comsisnet.com (212.124.108.234) 

My guess is that Microsoft is seeing that spoofed address as the sender and letting everything through since the spoofed address is in my org.

Did you ever resolve this issue? It started happening to one of my users on December 12, 2022. Had never had that before, and none of my settings have been changed.

Hi @IJN007, as far as I know this has to do with the fact that Microsoft doesn't reject dmarc failures by default. These messages are tagged with action=oreject, which means the reject is overridden. You could bypass that behaviour as described in the following article: https://knowledge.ondmarc.redsift.com/en/articles/4612788-how-to-make-office-365-reject-emails-that-...
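To make the two diagnoses in this thread checkable on the headers rather than by eye, here is an added Python example (not code from the thread, from Microsoft, or from the linked articles). It unfolds the authentication-relevant headers of the posted message, embedded below as a constructed sample with the thread's MYDOMAIN.com placeholder, and reports the indicators the replies point to: `dmarc=fail action=oreject` (reject downgraded), `SFV:SKA` with `SCL:-1` (filtering skipped because an allow list matched), and a From domain that is the organisation's own while `compauth=fail`. The `protected_domains` argument and the finding labels are this example's own assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the authentication-relevant headers from the message
# posted in the thread, re-folded RFC 5322 style (continuation lines indented).
# MYDOMAIN.com is the thread's placeholder for the organisation's own domain.
SAMPLE_HEADERS = """\
Authentication-Results: spf=none (sender IP is 212.124.108.234)
 smtp.mailfrom=productos.com.co; MYDOMAIN.com; dkim=none (message not signed)
 header.d=none;MYDOMAIN.com; dmarc=fail action=oreject
 header.from=MYDOMAIN.com;compauth=fail reason=000
From: USER 2 <USER2@MYDOMAIN.com>
Return-Path: carolina.valencia@productos.com.co
X-Forefront-Antispam-Report:
 CIP:212.124.108.234;IPV:NLI;CTRY:US;EFV:NLI;SFV:SKA;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:SN6PR07MB4365;H:mail.comsisnet.com;FPR:;SPF:None;LANG:en;
X-MS-Exchange-Organization-SCL: -1
"""

AUTH_METHOD_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
AUTH_PROP_RE = re.compile(r"\b(action|reason|smtp\.mailfrom|header\.from|header\.d)=([^\s;()]+)")
ADDR_DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Unfold a raw header block into {lower-case name: [values]}."""
    headers: Dict[str, List[str]] = {}
    name = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name is not None:
            headers[name][-1] += " " + line.strip()   # folded continuation line
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers


def parse_authentication_results(value: str) -> Dict[str, str]:
    """Pull method results (spf/dkim/dmarc/compauth) and their properties."""
    result: Dict[str, str] = {}
    for key, val in AUTH_METHOD_RE.findall(value):
        result.setdefault(key, val.lower())
    for key, val in AUTH_PROP_RE.findall(value):
        result.setdefault(key, val.lower())
    return result


def parse_antispam_report(value: str) -> Dict[str, str]:
    """Split the KEY:VALUE;KEY:VALUE;... X-Forefront-Antispam-Report into a dict."""
    fields: Dict[str, str] = {}
    for item in value.split(";"):
        key, sep, val = item.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def triage(raw: str, protected_domains: Set[str]) -> Dict[str, object]:
    """Explain why a message that failed SPF/DKIM/DMARC still reached the inbox."""
    headers = parse_headers(raw)
    auth = parse_authentication_results(" ".join(headers.get("authentication-results", [])))
    report = parse_antispam_report(" ".join(headers.get("x-forefront-antispam-report", [])))
    m = ADDR_DOMAIN_RE.search(" ".join(headers.get("from", [])))
    from_domain = m.group(1).lower() if m else ""
    # SCL lives in the report; fall back to the organisation header if absent.
    scl = report.get("SCL") or " ".join(headers.get("x-ms-exchange-organization-scl", [])).strip()

    findings: List[str] = []   # labels are this example's own names (assumption)
    if auth.get("dmarc") == "fail" and auth.get("action") == "oreject":
        findings.append("dmarc_reject_overridden")       # p=reject downgraded by the receiver
    if report.get("SFV") == "SKA":
        findings.append("filtering_skipped_allow_list")  # matched an allow list in the policy
    if scl == "-1":
        findings.append("scl_minus_one_inbox")           # delivered without spam filtering
    if from_domain in protected_domains and auth.get("compauth") == "fail":
        findings.append("internal_sender_spoofed")       # our own domain in From, no alignment
    if auth.get("smtp.mailfrom") and from_domain and auth["smtp.mailfrom"] != from_domain:
        findings.append("mailfrom_from_mismatch")        # envelope sender differs from From
    return {"auth": auth, "report": report, "from_domain": from_domain,
            "scl": scl, "findings": findings}


if __name__ == "__main__":
    verdict = triage(SAMPLE_HEADERS, {"mydomain.com"})
    for finding in verdict["findings"]:
        print(finding)
```

The header pasted in the thread lost its folding whitespace on the way into the forum, so continuation lines must be re-indented (as in the sample) before `parse_headers` will attach them to the right header; otherwise a line such as `header.from=MYDOMAIN.com;compauth=fail reason=000` would be read as a header of its own. The `action=oreject` check is the one the last reply describes, and `SFV:SKA` with `SCL:-1` is the allow-list bypass the earlier reply identified.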