
Still able to spoof emails with strict DMARC, SPF and DKIM enabled

Çağlar Arlı


Despite setting up strict DMARC, SPF, and having DKIM enabled, I am still easily able to spoof the "From" address. I can easily do this with PHPMailer on my Mac and even with some free 3rd party tools like

How is it still possible to spoof my emails?

See example of an email landing in our inbox with a forged "From" address. The email appears to be coming from "support@mydomain.com" and has landed in the inbox (not spam folder) of "support@mydomain.com":


Original email details:

Delivered-To: mydomain.info@gmail.com
Received: by 2002:a05:6358:1401:b0:123:19d7:631b with SMTP id m1csp7247732rwi;
        Mon, 26 Jun 2023 04:21:06 -0700 (PDT)
X-Received: by 2002:a5e:8d04:0:b0:783:5fd9:3789 with SMTP id m4-20020a5e8d04000000b007835fd93789mr1605706ioj.1.1687778466017;
        Mon, 26 Jun 2023 04:21:06 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1687778466; cv=pass;
        d=google.com; s=arc-20160816;
        b=dkKEQKNBeuOeShGW/Gzg2H8RxokMu3Oj9prik0GiTeuREoMuIG1Hi3DroWS7MtT3M5
         5NXZiebrwox3aVwaa8Wol4XwgrtGzjkXLuIguwIL5zOQsJmW/NOMeVVUwPD6DZqzgdoU
         3ey7G6hfdPSa7S16zezQqr5FSIq8V4Y2n7/XRHHzvzRMF/rSQE3gmk8PXz7NaBxYcneL
         AW41PEFv6f5jflmqShCo7rhj6zX3n3vc7827cRUWeHB9clMLmTbCR5x2K1aEWuoBWvkG
         2ykJD35pwDoPJbJ8LOfwq3gXIAXCqsVH54/tY4+Ey4sauc+ddKfnHNf4fVdvR90VOqke
         dOnQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:date:to:from:mime-version
         :message-id;
        bh=q12lAW4zen/O2oFMIIsId6/crvAvWVGZdSDT+YZFFrg=;
        fh=YVtwwdP2abWeUtV0ZJb090cqLD57D94m70R4Wxm11Qk=;
        b=Yeb2Xm6ZqrVSru4VWQROJgLQfmxPc3fUxWAj9UdfeZ1Fjet9K+57U1LRxIOA865MIm
         Wz/iqSxfc6joRBp/zMnpdlwoWu7aCqyg7k0na8gBxTekTn/+zVhZMRt1C8xcSwlXtRXK
         T988UrKhCsraavSVYLSz9+xRaRQaPkTF9BCbk4wY3zW5TxRou9WY4cgjldDqYQNEE2W7
         drTAISjQqI1tFWlczSNuBfMQF8iFkiS8rFiGFgWKKQXYp2JsIQIduqehLWSFVfk1w6kc
         237rNZe5si9vWIn4I9rJL6h0CwLHtSEEiu7BHNvuatrC69pxuKJ4bErGuA+ZkYRvQfHJ
         MhIA==
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: domain of support@mydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=support@mydomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mydomain.com
Return-Path: <support@mydomain.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id y13-20020a02a38d000000b0041654f00a16sor1382978jak.3.2023.06.26.04.21.05
        for <mydomain.info@gmail.com>
        (Google Transport Security);
        Mon, 26 Jun 2023 04:21:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of support@mydomain.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: domain of support@mydomain.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=support@mydomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mydomain.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1687778465; x=1690370465;
        h=x-forwarded-for:content-transfer-encoding:subject:date:to:from
         :mime-version:message-id:x-gm-message-state
         :x-original-authentication-results:from:to:cc:subject:date
         :message-id:reply-to;
        bh=q12lAW4zen/O2oFMIIsId6/crvAvWVGZdSDT+YZFFrg=;
        b=czotmx/eULBOo4ZOluBAv/UqasS+2kegRB4YSDmVsl4kQbXcBjLrH5eqPCXGtuEg0l
         PijpmUyecN+k2hpLR9ErbxW/jQS3JsAnqSuUP/0kK3OSjwcn8mf0SIXdbqxIpA1vFNoA
         NdbLOB8QIRchiV1Ilr8DlV5Jr2yDn8mB/29MTV7qaJWtXq7QykZ6vlrHNnY4BB0QV5uU
         n5kL1AOuETXfjl7M3Qd7LO64U8LjwBb8lRu3sgsq3qtF9deIhvWDqs+9HHdSjrZkZYTH
         /+jq65z0pBy0w/Ul9Q8ACcAmozEA8g0c9ewQaBCKWV66zSKVOkL8eYtEkTo4gwjrWBSv
         wUAQ==
X-Original-Authentication-Results: gmr-mx.google.com;
       spf=fail (google.com: domain of support@mydomain.com does not designate 72.167.234.240 as permitted sender) smtp.mailfrom=support@mydomain.com;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=mydomain.com
X-Gm-Message-State: AC+VfDx7CQliWuXyOvzkIZJEuhxw79r0Jd+cF9dUGSQPkxfYeS7OnCWI ljestKVqfF22M4oHMOfrGr3cKDe4cDvG0h2mWg==
X-Google-Smtp-Source: ACHHUZ6qCQvW28V/c5D/CMqMvSoYOCV6EYDLZtclFAGTb90QywtA3+z0kdTcAwf0X5mDBCvN9SQwWsITJ3HiBlpH4+FRrPugUEA=
X-Received: by 2002:a92:c050:0:b0:342:299c:a2c0 with SMTP id o16-20020a92c050000000b00342299ca2c0mr12645779ilf.26.1687778465918;
        Mon, 26 Jun 2023 04:21:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1687778465; cv=none;
        d=google.com; s=arc-20160816;
        b=Vj56lMq4MFwkMHzPX59fC7PCjGQEM/S4PKIJT3ftzEhuPnLxNU8b9dqnogUzkqT1tu
         6cGHb0aEtuKkLc2eBVU8be04xsOsbL/XLDsH4A/hlIP0KayfACSBNTpaSR/5wKIpAJUx
         GtiI+ATbOTrL+rwcFMNnSZFkupzXohxEbbB+7dk43m7j+tmDReTM6nFbKrF9mdvA95AA
         RpqLXo7c8fA6yrCeJgEDI3zJbCErHdY71dc8t5K9q7Zqyanjy6mW6DsIfsasrtmvedtD
         Mw2DUSW4T+c4yZVsNwK/t7NzQG8M/faQ9TEefjOwQwRBXg2YXJMSRwnDe58BdwThJZek
         eOGw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:date:to:from:mime-version
         :message-id;
        bh=q12lAW4zen/O2oFMIIsId6/crvAvWVGZdSDT+YZFFrg=;
        fh=YVtwwdP2abWeUtV0ZJb090cqLD57D94m70R4Wxm11Qk=;
        b=eQ1svpo9BY/PYqSuJbR4EF52unOCbsSyscqwstEj+bCAPo5BIsdkXDo/HHQuAo7q/B
         9yXZOLbvx/5rFPP6D3gMU4zXEG1o53Rq4o4nljV/KBFLDC2JrdO5398PFutfmKn/kZuQ
         TAbmZSHrYD5zXkCz09S3ABacDiA/tKVbzzbbDTFhRZiH1deVICYkaakeN4pOmYUroBm/
         W5fJCLTnxStkG8nSjNGBCpqXlb4LJCSipflCAouEMXtSiHOjhEw8xsMw+j9VD4u8KccX
         ROiRP/KggRM6vE8vKvNcvXqXJxh4MqNIG4xx2mjIVsE8/gpno5dchh79EkEUBgBKCz6K
         Jvhw==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=fail (google.com: domain of support@mydomain.com does not designate 72.167.234.240 as permitted sender) smtp.mailfrom=support@mydomain.com;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=mydomain.com
Return-Path: <support@mydomain.com>
Received: from p3nlsmtp15.shr.prod.phx3.secureserver.net (p3nlsmtp15.shr.prod.phx3.secureserver.net. [72.167.234.240])
        by gmr-mx.google.com with ESMTPS id h3-20020a056e020d4300b0034201149242si424402ilj.4.2023.06.26.04.21.05
        for <mydomain.info@gmail.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 26 Jun 2023 04:21:05 -0700 (PDT)
Received-SPF: fail (google.com: domain of support@mydomain.com does not designate 72.167.234.240 as permitted sender) client-ip=72.167.234.240;
Message-ID: <649974a1.050a0220.6e822.685eSMTPIN_ADDED_MISSING@gmr-mx.google.com>
Received: from P3NWVPWEB097 ([10.199.64.96]) by : HOSTING RELAY : with ESMTP id DkGKqn1rhoo1kDkGKq52Bi; Mon, 26 Jun 2023 04:20:04 -0700
X-CMAE-Analysis: v=2.4 cv=fu8aJn0f c=1 sm=1 tr=0 ts=64997464 a=2X41b4ieGfoJAKBLAMfEgQ==:117 a=lTqcXGTxAAAA:8 a=HpEJnUlJZJkA:10 a=kj9zAlcOel0A:10 a=ZxtOdjLW3A3A8yzWLrAA:9 a=CjuIK1q_8ugA:10 a=6J2MXjRvllIA:10 a=zgiPjhLxNE0A:10 a=ZXulRonScM0A:10 a=gUYKelx0uCsFxn6vNamb:22
X-SECURESERVER-ACCT: UNKNOWN
MIME-Version: 1.0
From: support@mydomain.com
To: support@mydomain.com
Date: 26 Jun 2023 04:20:04 -0700
Subject: E9 Testing internal authentication for mydomain.com ID: 6052 -Critical severity
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
X-CMAE-Envelope: MS4xfCZVzH/weiIzVeAds755w5diehtJcUe7yU6spwAgQcxc7SyCnRujRCbElKHXBwQAQWZ3z41rpmtRoP0J6CMz/WXS3bbSBaRPS8krMoDpJ3oWv0p3YM/k Fgh2jl7We5xILVeCSbvkTER+rNk3UL2RT7gSOiPUhnXqpebdpIR+2OJ7V1bzmStnedEdq7f8K906kg==
X-Forwarded-For: support@mydomain.com mydomain.info@gmail.com

YOU SHOULD NEVER RECEIVE THIS EMAIL!

This email system failed to reject this fraudulent email.=20

This security issue is used often to compromise users, steal data, and mani=
pulate internal affairs.

To correct; Correct; complete a spoof report card, reference Email E9. For =
help with correcting these email security issues please email: humans@ignit=
ecyber.co


Sender Source IP: 1.2.3.4

These are the exact DNS records which have been live for 48+ hours.

;; CNAME Records
9515566.mydomain.com.   1   IN  CNAME   sendgrid.net.
emailauth.mydomain.com. 1   IN  CNAME   u9515566.wl067.sendgrid.net.
emailurl.mydomain.com.  1   IN  CNAME   sendgrid.net.
s1._domainkey.mydomain.com. 1   IN  CNAME   s1.domainkey.u9515566.wl067.sendgrid.net.
s2._domainkey.mydomain.com. 1   IN  CNAME   s2.domainkey.u9515566.wl067.sendgrid.net.

;; TXT Records
_dmarc.mydomain.com.    1   IN  TXT "v=DMARC1; p=reject; rua=mailto:redacted@dmarc-reports.cloudflare.net,mailto:dmarc@mydomain.com; ruf=mailto:dmarc@mydomain.com; pct=100; adkim=r; aspf=r; ri=86400; fo=0; rf=afrf;"
mydomain.com.   1   IN  TXT "v=spf1 include:_spf.google.com include:sendgrid.net include:_spf.mx.cloudflare.net -all"

As shown, the DMARC and SPF are set to be about as strict as they can be with DMARC set to reject and SPF set to -all.

A tool like https://www.smartfense.com/en-us/tools/spoofcheck can successfully read the DNS records and it tells me "Not spoofable domain". See below:


Additional information

  • mydomain.com is from the Google Domains registrar
  • I use the Google Domains email feature to forward incoming emails to a personal gmail account (mydomain.info@gmail.com)
  • I pointed the nameservers to Cloudflare to take advantage of their powerful features
  • I use the "Send mail as" Gmail feature to send emails through Sendgrid by using their SMTP server smtp.sendgrid.net on port 456 over SSL so I can send emails from "support@mydomain.com".
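The headers quoted above already contain the answer to where the verdict changed: the first receiving hop (gmr-mx.google.com, the Google Domains forwarder) recorded spf=fail and dmarc=fail under p=REJECT in ARC-Authentication-Results i=1, yet forwarded the message anyway, and the final hop (mx.google.com) reported dmarc=pass because it accepted arc=pass from that forwarder. As an added example (not part of the question), a small Python audit that unfolds the headers, parses each (ARC-)Authentication-Results value and flags exactly this pattern; the header sample is an abbreviated copy of the ones quoted above, and the function names are my own.

```python
import re

# Constructed sample: the authentication headers quoted in the question, with
# the parenthesised comments shortened; newest hop first as in the raw message.
SAMPLE_HEADERS = """\
Authentication-Results: mx.google.com;
       arc=pass (i=1);
       spf=pass (google.com: 209.85.220.41 permitted) smtp.mailfrom=support@mydomain.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mydomain.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=fail (google.com: 72.167.234.240 not permitted) smtp.mailfrom=support@mydomain.com;
       dmarc=fail (p=REJECT sp=REJECT dis=REJECT) header.from=mydomain.com
"""

def unfold(raw):
    """Join RFC 5322 folded continuation lines (leading whitespace) to their header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_authres(value):
    """Return (ARC instance or None, authserv-id, {method: result}) for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)            # drop parenthesised comments
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance = None
    if parts and parts[0].startswith("i="):            # ARC-Authentication-Results carries i=N
        instance, parts = int(parts[0][2:]), parts[1:]
    authserv = parts[0] if parts else ""
    results = dict(m.groups() for m in (re.match(r"(\w+)=(\w+)", p) for p in parts[1:]) if m)
    return instance, authserv, results

def audit(raw):
    """Compare the final verdict with the earliest ARC instance (the first hop's own check)."""
    final, arc = {}, {}
    for line in unfold(raw):
        name, _, value = line.partition(":")
        if name.lower() == "authentication-results":
            _, authserv, res = parse_authres(value)
            final = {"authserv": authserv, **res}
        elif name.lower() == "arc-authentication-results":
            i, authserv, res = parse_authres(value)
            arc[i] = {"authserv": authserv, **res}
    original = arc[min(arc)] if arc else None          # lowest i = closest to the sender
    masked = bool(original and original.get("dmarc") == "fail"
                  and final.get("dmarc") == "pass" and final.get("arc") == "pass")
    return {"final": final, "original": original, "masked_failure": masked}
```

Run against the real message, `audit()` reports the forwarder's original spf=fail/dmarc=fail alongside the final dmarc=pass, which is the signal a mailbox-side filter (or a DMARC forensic report review) needs to treat such forwarded-but-failed mail as the rejection the p=reject policy asked for.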