ainvehi

Reputation: 41

DMARC behaviour on Gmail

We've configured SPF, DKIM and DMARC records for our domain and they're working fine. Our DMARC reports from Gmail, Hotmail, Yahoo also confirm the same.

However, just last week, one of our (Gmail) users brought to our attention a fraudulent email sent from a spoofed email address on our domain.

After looking at the email headers, we realised Gmail didn't initiate a DMARC check at all and the email landed in the user's inbox. Gmail had only performed an SPF check, which had passed because the check was performed on the envelope FROM header domain.

The email header (with identifying details redacted) looked like the following:

Delivered-To: redacted@gmail.com
Received: by 10.28.167.23 with SMTP id q23csp326872wme;
        Mon, 20 Feb 2017 23:53:04 -0800 (PST)
X-Received: by 10.36.147.1 with SMTP id y1mr22192213itd.34.1487663583976;
        Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Return-Path: <redacted@fraudulentdomain.net>
Received: from server2.fraudulentdomain.net (server2.fraudulentdomain.net. [144.X.Y.Z])
        by mx.google.com with ESMTP id i196si19658513ioi.78.2017.02.20.23.53.03
        for <redacted@gmail.com>;
        Mon, 20 Feb 2017 23:53:03 -0800 (PST)
Received-SPF: pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) client-ip=144.X.Y.Z;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of redacted@fraudulentdomain.net designates 144.X.Y.Z as permitted sender) smtp.mailfrom=redacted@fraudulentdomain.net
Received: by server2.fraudulentdomain.net (Postfix, from userid 330)
    id 385716C165; Tue, 21 Feb 2017 08:53:03 +0100 (CET)
To: redacted@gmail.com
Subject: Some Subject
From: My Service <spoofed@mydomain.com>,
    "MIME-Version:1.0"@server2.fraudulentdomain.net
Content-type: text/html; charset=iso-8859-1
Message-Id: <20170221075303.385716C165@server2.fraudulentdomain.net>
Date: Tue, 21 Feb 2017 08:53:03 +0100 (CET)

Why did Gmail not initiate a DMARC check and just perform an SPF check? Does it have something to do with the Display FROM header having 2 values?

Upvotes: 1

Views: 321

Answers (1)

Schack

Reputation: 11

That's a bug, I reported it to Google, they have fixed it now.

Upvotes: 1
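
As an added example (not part of the question or the answer, and not Google's implementation), the Python sketch below parses a message shaped like the one in the question and reports every RFC5322.From address together with its SPF alignment. DMARC processing expects exactly one From domain (RFC 7489, section 6.6.1), so a receiver-side filter can flag anything else instead of delivering it without a DMARC result. The sample message, the function names and the simplified alignment rule are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample, modelled on the redacted headers in the question.
SAMPLE = (
    "Return-Path: <redacted@fraudulentdomain.net>\n"
    "Authentication-Results: mx.google.com;\n"
    "       spf=pass smtp.mailfrom=redacted@fraudulentdomain.net\n"
    "To: redacted@gmail.com\n"
    "From: My Service <spoofed@mydomain.com>,\n"
    '    "MIME-Version:1.0"@server2.fraudulentdomain.net\n'
    "\n"
    "body\n"
)

def domain_of(addr):
    """Lower-cased domain of an addr-spec, or '' if there is none."""
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def aligned(auth_domain, from_domain):
    """Approximate relaxed alignment: equal, or one is a subdomain of the other.
    Assumption: real DMARC compares Organizational Domains (Public Suffix List)."""
    a, f = auth_domain, from_domain
    return bool(a and f) and (a == f or a.endswith("." + f) or f.endswith("." + a))

def inspect_from(raw):
    """List every RFC5322.From address and say whether DMARC has one author domain."""
    msg = message_from_string(raw)
    fields = msg.get_all("From", [])
    addrs = [a for _, a in getaddresses(fields) if a]
    m = re.search(r"spf=pass\b.*?smtp\.mailfrom=(\S+)",
                  msg.get("Authentication-Results", ""), re.S)
    spf_domain = domain_of(m.group(1).rstrip(";")) if m else ""
    single = len(fields) == 1 and len(addrs) == 1
    return {
        "from_fields": len(fields),
        "addresses": addrs,
        "spf_domain": spf_domain,
        "spf_aligned": {a: aligned(spf_domain, domain_of(a)) for a in addrs},
        # Anything other than one From field holding one address is flagged
        # rather than delivered with SPF as the only recorded result.
        "verdict": "evaluate" if single else "flag: no single author domain",
    }

if __name__ == "__main__":
    for key, value in inspect_from(SAMPLE).items():
        print(key, "=", value)
```

On the sample, the address shown to the user (`spoofed@mydomain.com`) is not aligned with the SPF-authenticated domain, while the injected second address is, so the outcome depends entirely on which address an evaluator treats as the author.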
