Why are spoofed emails passing DMARC authentication with IPv6?

Key findings

• Authentication process: Emails passing DMARC typically means that either SPF or DKIM (or both) have passed authentication and achieved alignment with the From: domain in the email header.
• IPv6 addresses: SPF records should explicitly list authorized IPv6 addresses (or ranges) that are permitted to send emails on behalf of the domain. If a spoofed email originates from an IPv6 address included in a legitimate SPF record, it could pass SPF.
• Header rewriting: In cases of forwarding, intermediary mail servers might rewrite headers, potentially impacting how DMARC authenticates the email, but for a true spoof to pass DMARC, the rewritten headers would still need to align. Email security protocols are complex.
• Legitimate domains used by attackers: Attackers may exploit vulnerabilities or misconfigurations in legitimate sending services that are authorized to send mail for major brands, thereby using their properly authenticated infrastructure to send spam or phishing emails.

Key considerations

• Review SPF records: Ensure your SPF records are comprehensive and include all legitimate IPv6 sending sources, while strictly defining what is authorized. Regularly review your SPF record.
• Strict DMARC policy: For domains where spoofing is a concern, consider moving to a DMARC policy of p=quarantine or p=reject to instruct receiving servers on how to handle non-aligned emails.
• DMARC reporting: Utilize DMARC aggregate and forensic reports to identify unauthorized sending sources and investigate authentication failures. These reports are key to understanding the full scope of email activity under your domain.
• Brand monitoring: Even with DMARC, always monitor for phishing campaigns that leverage your brand. Sophisticated attacks may still occasionally bypass filters if they exploit niche configurations or vulnerabilities.

Key opinions

• DMARC expectation: Marketers expect DMARC to prevent spoofed emails, so when one passes, it raises questions about the effectiveness of the setup, even if the technical headers show alignment.
• Forwarding complexities: The potential for header rewriting during forwarding can obscure the true origin of an email, making it harder to diagnose authentication outcomes.
• User experience: Even if technically authenticated, a user receiving a suspicious email from a legitimate domain (like Microsoft) might hesitate to block it, leading to increased risk of engagement with malicious content.
• Content is king: While authentication is crucial, marketers recognize that the content of the email often provides the clearest indicators of spoofing, especially when technical headers pass.

Key considerations

• Monitor DMARC reports: Regularly analyze DMARC aggregate reports to understand which sources are sending email on behalf of your domain, including those using IPv6.
• Educate users: Inform customers and internal teams about common phishing tactics and how to identify suspicious emails, even if they appear legitimate in terms of sender domain.
• Review authentication setup: Periodically check your SPF, DKIM, and DMARC configurations to ensure they are optimal and account for all legitimate sending paths, including IPv6. This can help prevent legitimate email from failing DMARC.
• Leverage reporting tools: Use tools that help analyze DMARC reports to spot anomalies or trends, such as spoofed messages with passing authentication. Email spoof-proofing is critical.

Key opinions

• Alignment is key: If SPF or DKIM passes and aligns with the organizational domain in the From: header, DMARC will pass. This is fundamental to its operation.
• Forwarding impact: Email forwarding services can complicate authentication, sometimes leading to DMARC failure if they modify headers in a way that breaks alignment, or surprisingly, a pass if they preserve it correctly but for a spoofed source.
• Source compromise: Spoofed emails passing DMARC often imply that the attacker is sending through an authorized, but possibly compromised, legitimate sending platform. This is a supply chain attack rather than a DMARC failure.
• Content analysis: Even with passing authentication, experts stress the importance of content and sender behavior analysis to identify sophisticated spoofing attempts.

Key considerations

• Thorough header analysis: When investigating spoofed emails that pass DMARC, a deep dive into the full email headers is necessary to identify the exact path and authentication steps. This helps understand how phishing emails bypass SPF and DKIM.
• Vendor collaboration: If emails from major platforms (like Microsoft or Disney) are being spoofed and passing DMARC, it may indicate a need to communicate with those platforms about potential vulnerabilities or misconfigurations on their end. They often have specific DMARC solutions for their services.
• Monitor blocklists: Even if DMARC passes, the IPs or domains involved in sending spoofed mail might end up on blocklists. Regularly checking email blocklists can help identify compromised sources.
• Advanced threat detection: Relying solely on DMARC is insufficient. Implement layered security measures, including content-based filtering and behavioral analysis, to catch sophisticated phishing attempts.

Key findings

• DMARC requirement: For DMARC to pass, an email must pass either SPF or DKIM authentication, and the authenticated domain must align with the From: header domain (RFC5322.From).
• SPF and IPv6: SPF (Sender Policy Framework) records can include both IPv4 and IPv6 addresses in their a or ip6 mechanisms to designate authorized sending IPs.
• ARC (Authenticated Received Chain): ARC can preserve authentication results across hops, meaning if an email passes DMARC at the first hop (e.g., through a mailing list or forwarding service), subsequent hops can validate this via ARC, even if SPF/DKIM might break.
• Policy enforcement: A DMARC policy of p=reject or p=quarantine instructs receivers to act on failures, but this relies on the receiver implementing the policy correctly.

Key considerations

• Accurate SPF records: Ensure your SPF record precisely lists all authorized sending IPs, including IPv6 ranges, to prevent unauthorized senders from passing SPF. The role of SPF lookups is critical here.
• DMARC policy application: Understand that a p=none policy provides only reporting, not enforcement. To combat spoofing, you must advance your policy.
• Subdomain handling: DMARC policies can apply to subdomains, or be overridden by a sp tag, which is crucial for preventing spoofing on different parts of your domain, ensuring a strong DMARC configuration.
• Reporting and analysis: Regularly review DMARC reports to identify legitimate senders you may have missed, as well as unauthorized senders (including those using IPv6) that might be exploiting your domain.