
DMARC rua indicates mail sent from competitorDomain.com for ourDomain.com, is this (potentially) malicious?

Çağlar Arlı


We've received several rua reports indicating that one of our direct competitors is sending emails with our domain in the mail from headers.

I do not have access to the actual email sources, and I have no idea what would cause this. The one cause I can think of is that somebody at the competitor's company is sending out emails on our behalf (a conclusion I hope we can discredit).

Relevant rua report section:

<?xml version="1.0" encoding="UTF-8" ?>
<feedback>
  (...)
  <record>
    <row>
      <source_ip>209.85.220.69</source_ip><!-- mail-sor-f69.google.com -->
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
        <reason>
          <type>local_policy</type>
          <comment>arc=pass</comment>
        </reason>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>[our domain].com</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>[competitor domain]-com.20150923.gappssmtp.com</domain>
        <result>pass</result>
        <selector>20150923</selector>
      </dkim>
      <spf>
        <domain>[competitor domain].com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>

So, my question is:
What can cause this to happen? Is there normal behaviour that could cause these reports? Is this the result of legitimate email traffic, or is this an indication of malicious behaviour somewhere?

Side note: I'm unsure what this section means.

  (...)
  <reason>
    <type>local_policy</type>
    <comment>arc=pass</comment>
  </reason>
(...)
Reading up on DMARC `arc` leads me to suspect it may be caused by email forwarding, but `arc` should make sure the DKIM headers would still be available for authentication? In which case the forwarded email should not `fail` the DMARC policy?
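The following is an added example, not part of the question above: it parses a rua record like the one quoted and shows why the receiver reports dkim=fail/spf=fail even though both raw checks passed, since DMARC only credits results whose domain aligns with header_from, and flags the local_policy/arc=pass override as a forwarding indicator. The sample record and its domains are constructed placeholders, and the organizational-domain logic is a simplification (no Public Suffix List).

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the record in the question; domains are placeholders.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<feedback><record>
  <row><source_ip>203.0.113.10</source_ip><count>2</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type><comment>arc=pass</comment></reason>
    </policy_evaluated></row>
  <identifiers><header_from>ourdomain.example</header_from></identifiers>
  <auth_results>
    <dkim><domain>competitor-example.20150923.gappssmtp.com</domain><result>pass</result></dkim>
    <spf><domain>competitor.example</domain><result>pass</result></spf>
  </auth_results>
</record></feedback>"""

def org_domain(domain):
    # Simplified organizational domain (last two labels); real DMARC evaluation
    # consults the Public Suffix List, so this is an approximation.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, mode="r"):
    # Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    # only the same organizational domain.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if mode == "s" else org_domain(a) == org_domain(h)

def analyse(xml_text, mode="r"):
    """Explain each <record>: only DKIM/SPF results aligned with header_from count for DMARC."""
    findings = []
    for rec in ET.fromstring(xml_text).iter("record"):
        hdr = rec.findtext("identifiers/header_from")
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain"), hdr, mode)
                      for d in rec.findall("auth_results/dkim"))
        spf_ok = any(s.findtext("result") == "pass" and aligned(s.findtext("domain"), hdr, mode)
                     for s in rec.findall("auth_results/spf"))
        pe = rec.find("row/policy_evaluated")
        overrides = [(r.findtext("type"), r.findtext("comment") or "") for r in pe.findall("reason")]
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim_aligned": dkim_ok,  # what policy_evaluated/dkim reports
            "spf_aligned": spf_ok,    # what policy_evaluated/spf reports
            "dmarc_pass": dkim_ok or spf_ok,
            "disposition": pe.findtext("disposition"),
            # local_policy with arc=pass: the receiver trusted an ARC chain added by
            # an intermediary, usually a forwarder; ask that party what it relayed.
            "forwarding_hint": any(t == "local_policy" and "arc=pass" in c for t, c in overrides),
        })
    return findings
```

Run against the real report after replacing SAMPLE with its contents; a record whose only passing identifiers belong to another organization will show dmarc_pass False regardless of the raw pass results.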