What steps should be taken when DKIM/SPF fails due to spoofing attempts?
Summary
What email marketers say (8 marketer opinions)
Email marketer from EasyDMARC shares that implementing DMARC with a policy of 'quarantine' or 'reject' instructs receiving mail servers how to handle emails that fail SPF and DKIM checks. This helps prevent spoofed emails from reaching the inbox.
Email marketer from URIports explains that you should continuously monitor DMARC reports to identify and respond to spoofing attempts. These reports provide valuable information about the source of failing emails and allow you to adjust your SPF and DKIM settings accordingly.
Email marketer from Email Hippo explains the difference between a Soft Fail (~all) and a Hard Fail (-all). The Hard Fail tells receiving servers to reject messages that do not match your SPF record. Soft Fail is a more lenient setting that allows mail to still make it through, but it is not recommended.
Marketer from Email Geeks shares options for debugging DMARC failures: (1) Email Gateways like Mimecast/Proofpoint may cause SPF & DKIM failures for automated emails. (2) Lacking DKIM with only SPF alignment can cause issues with Office365 and Google Calendar rewriting MailFrom. (3) DNS glitches or ESP infrastructure issues can cause hard-to-identify problems.
Email marketer from MXToolbox advises avoiding common SPF record errors such as exceeding the 10 DNS lookup limit, using multiple SPF records, and incorrect syntax. Use a tool such as MXToolbox to validate your DNS records.
Email marketer from Stackoverflow states that SPF failures can happen because of multiple SPF records. Make sure you only have one SPF record defined. This is a common reason for SPF failures.
Email marketer from Mailhardener explains that when DKIM/SPF fails, first investigate the source of the failure using DMARC reports. Check if it's a legitimate sending source that needs to be authenticated, or if it's a spoofing attempt. If it's spoofing, ensure your DMARC policy is set to 'reject' or 'quarantine' to minimize impact.
Email marketer from Reddit advises reviewing your SPF records and ensuring they're correctly configured. Often, issues arise from exceeding the DNS lookup limit or incorrect syntax. Use online SPF record testing tools to validate your configuration.
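Several of the opinions above (the Email Hippo, MXToolbox, Stackoverflow and Reddit items) come down to the same checklist: one SPF record, at most 10 DNS-querying terms once includes are expanded, valid syntax, and a deliberate choice between ~all and -all. The following linter is an added example written for this page, not code from any of the sources quoted; it replaces live DNS with a constructed in-memory map (all domain names and address ranges are invented, using .example names and documentation prefixes) so it runs offline, and it counts lookups the way RFC 7208 section 4.6.4 does, recursing through include: and redirect= targets.

```python
"""Lint an SPF record the way a receiver's SPF evaluator would count it.

Added example for this page, not code from any of the quoted sources.
DNS is replaced by FAKE_DNS (constructed data; .example names only).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed TXT data standing in for live DNS. example.com publishes two
# SPF records (a common mistake) and pulls in enough includes to go over 10.
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 include:_spf.provider-a.example include:_spf.provider-b.example "
        "include:_spf.provider-c.example include:_spf.provider-d.example "
        "include:_spf.provider-e.example a mx ip4:203.0.113.0/24 ~all",
        "v=spf1 ip4:198.51.100.7 -all",
    ],
    "_spf.provider-a.example": ["v=spf1 include:_net1.provider-a.example "
                                "include:_net2.provider-a.example "
                                "include:_net3.provider-a.example ~all"],
    "_net1.provider-a.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_net2.provider-a.example": ["v=spf1 ip6:2001:db8:1::/48 ~all"],
    "_net3.provider-a.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "_spf.provider-b.example": ["v=spf1 ip4:198.51.100.128/25 -all"],
    "_spf.provider-c.example": ["v=spf1 ip4:203.0.113.64/26 include:_relay.provider-c.example -all"],
    "_relay.provider-c.example": ["v=spf1 ip4:203.0.113.128/26 -all"],
    "_spf.provider-d.example": ["v=spf1 ip6:2001:db8:2::/48 -all"],
    "_spf.provider-e.example": ["v=spf1 ip4:192.0.2.0/26 -all"],
    "good.example": ["v=spf1 ip4:203.0.113.10 include:_spf.provider-b.example -all"],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10 per check).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"all", "ip4", "ip6", "exp"}
TERM_RE = re.compile(r"^([a-z][a-z0-9_.-]*)(?:([:=/])(.*))?$", re.I)


def spf_records(domain: str, dns: Dict[str, List[str]]) -> List[str]:
    """Return every TXT record at `domain` that carries the SPF version tag."""
    return [r for r in dns.get(domain, []) if r.lower().split(" ", 1)[0] == "v=spf1"]


def parse_term(raw: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one term into (qualifier, name, separator, value); None if malformed."""
    qualifier = "+"
    if raw and raw[0] in "+-~?":
        qualifier, raw = raw[0], raw[1:]
    m = TERM_RE.match(raw)
    if not m:
        return None
    return qualifier, m.group(1).lower(), m.group(2) or "", m.group(3) or ""


def walk(domain: str, record: str, dns, findings: List[str], path: List[str]) -> int:
    """Count DNS-querying terms in `record`, recursing into include/redirect targets."""
    lookups = 0
    for raw in record.split()[1:]:
        parsed = parse_term(raw)
        if parsed is None:
            findings.append(f"{domain}: malformed term {raw!r}")
            continue
        _qualifier, name, _sep, value = parsed
        if name not in KNOWN_TERMS:
            findings.append(f"{domain}: unknown term {raw!r}")
            continue
        if name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"{domain}: bad address in {raw!r}")
        if name in LOOKUP_TERMS:
            lookups += 1  # each of these is a query even if the target repeats
        if name in ("include", "redirect"):
            if value in path:
                findings.append(f"{domain}: {name} loop through {value}")
                continue
            sub = spf_records(value, dns)
            if not sub:
                findings.append(f"{domain}: {name} target {value} has no SPF record (permerror)")
                continue
            lookups += walk(value, sub[0], dns, findings, path + [value])
    return lookups


def lint_spf(domain: str, dns: Dict[str, List[str]] = FAKE_DNS) -> Tuple[List[str], int]:
    """Return (findings, total DNS lookups) for the SPF record published at `domain`."""
    records = spf_records(domain, dns)
    if not records:
        return [f"{domain}: no SPF record published"], 0
    findings: List[str] = []
    if len(records) > 1:
        findings.append(f"{domain}: {len(records)} SPF records published; RFC 7208 allows "
                        "exactly one (receivers return permerror)")
    lookups = walk(domain, records[0], dns, findings, [domain])
    if lookups > 10:
        findings.append(f"{domain}: {lookups} DNS-querying terms, over the limit of 10 (permerror)")
    last = parse_term(records[0].split()[-1])
    if last and last[1] == "all":
        if last[0] == "~":
            findings.append(f"{domain}: ~all (soft fail) only marks unlisted senders as softfail; "
                            "move to -all once every legitimate source is listed")
        elif last[0] in "+?":
            findings.append(f"{domain}: {last[0]}all effectively authorises any sender")
    elif not (last and last[1] == "redirect"):
        findings.append(f"{domain}: record does not end in an 'all' mechanism or redirect=")
    return findings, lookups


if __name__ == "__main__":
    for name in ("example.com", "good.example"):
        problems, n = lint_spf(name)
        print(f"{name}: {n} lookups, {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

Point it at real zones by replacing FAKE_DNS with TXT lookups from a resolver library; the counting and loop detection stay the same. Note that a bare `a` or `mx` costs a lookup even though it names no other domain, which is what pushes example.com to 11 here.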
What the experts say (4 expert opinions)
Expert from Email Geeks explains that you should first check whether the suspected spoofing is actually legitimate mail from a rogue application that needs authentication. If it is legitimate, fix the authentication; otherwise, let it fail.
Expert from Word to the Wise shares that when spoofing attempts are detected via SPF/DKIM failures, enforcing a DMARC policy of 'quarantine' or 'reject' is crucial. This instructs receiving mail servers to handle unauthenticated emails, mitigating the impact of spoofing.
Expert from Spamresource explains that to address SPF and DKIM failures, you need to start by analyzing the failure reports. These reports can help pinpoint the source of the failure, whether it's a legitimate sender with misconfigured authentication or a malicious actor attempting to spoof your domain.
Expert from Email Geeks responds that random DNS glitches can cause occasional email failures; achieving 99.99% reliability is often considered excellent.
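The triage the experts describe (read the failure reports, decide whether a failing source is your own misconfigured sender or a stranger, fix the former and let policy handle the latter) is mechanical enough to script against DMARC aggregate (rua) XML. The following is an added example written for this page, not code from any of the quoted sources. The report, the IP addresses and the `KNOWN_SENDERS` allowlist are constructed; the allowlist stands in for whatever inventory of your own sending infrastructure you maintain, and the report uses the RFC 7489 Appendix C layout. The second record shows the alignment case from the Email Geeks marketer item above: SPF passes for a calendar service's bounce domain, but not for the header From domain, so DMARC still fails.

```python
"""Triage a DMARC aggregate (rua) report into pass / fix-auth / likely-spoof.

Added example for this page, not code from any of the quoted sources.
SAMPLE_RUA and KNOWN_SENDERS are constructed data.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Constructed aggregate report (RFC 7489 Appendix C schema, documentation IPs).
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <!-- our ESP: both aligned checks pass -->
  <record>
    <row><source_ip>203.0.113.25</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- our calendar service: SPF passes for its own bounce domain, not aligned, no DKIM -->
  <record>
    <row><source_ip>198.51.100.9</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.calendar-service.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <!-- unknown host sending as us: nothing authenticates -->
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Constructed inventory of infrastructure that legitimately sends as example.com.
KNOWN_SENDERS = {
    ipaddress.ip_network("203.0.113.0/24"): "ESP-A",
    ipaddress.ip_network("198.51.100.0/24"): "office calendar service",
}


def classify(source_ip: str, dkim_aligned: str, spf_aligned: str) -> str:
    """DMARC passes if either aligned check passes; otherwise ask whether we own the IP."""
    if dkim_aligned == "pass" or spf_aligned == "pass":
        return "pass"
    addr = ipaddress.ip_address(source_ip)
    for net, name in KNOWN_SENDERS.items():
        if addr in net:
            return f"fix-auth ({name})"
    return "likely-spoof"


def triage(report_xml: str) -> Dict[str, object]:
    """Parse one rua report and bucket its message counts by verdict."""
    root = ET.fromstring(report_xml)
    rows: List[Dict[str, object]] = []
    totals: Counter = Counter()
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results, which is what DMARC decides on.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        verdict = classify(ip, dkim, spf)
        totals[verdict] += count
        rows.append({"ip": ip, "count": count, "verdict": verdict,
                     "header_from": rec.findtext("identifiers/header_from"),
                     "spf_domain": rec.findtext("auth_results/spf/domain"),
                     "spf_raw": rec.findtext("auth_results/spf/result")})
    return {"policy": root.findtext("policy_published/p"), "rows": rows, "totals": totals}


def advice(result: Dict[str, object]) -> List[str]:
    """Turn the buckets into the two actions the experts above describe."""
    out = []
    for row in result["rows"]:
        if row["verdict"].startswith("fix-auth"):
            out.append(f"{row['ip']}: {row['verdict']} sends {row['count']} msgs; raw SPF "
                       f"{row['spf_raw']} for {row['spf_domain']} but From is {row['header_from']}: "
                       "add DKIM signing with the From domain or align the MailFrom")
    spoofed = result["totals"].get("likely-spoof", 0)
    if spoofed and result["policy"] == "none":
        out.append(f"{spoofed} msgs from unknown sources fail DMARC while p=none; "
                   "raise to p=quarantine, then p=reject, so receivers act on the failures")
    return out


if __name__ == "__main__":
    summary = triage(SAMPLE_RUA)
    print(dict(summary["totals"]))
    for line in advice(summary):
        print("-", line)
```

Running it over a week of reports rather than one file is the same loop; the decision that matters is the `KNOWN_SENDERS` inventory, because an IP you cannot place is exactly the case the experts say to let fail.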
What the documentation says (5 technical articles)
Documentation from RFC Editor explains that SPF record syntax should follow RFC 7208 and include mechanisms like 'a', 'mx', 'ip4', 'ip6', 'include', and 'all' to define authorized sending sources. Understanding the syntax is key to configuring SPF correctly.
Documentation from Microsoft Learn explains that to troubleshoot SPF failures, check the SPF record syntax and ensure it's correctly published in DNS. Confirm the sending server is listed in the SPF record using 'include:' or 'ip4:'/'ip6:' mechanisms. Also, be aware of SPF record lookup limits (10 DNS lookups) which can cause SPF to fail.
Documentation from DMARC.org explains that analyzing DMARC failure reports (both aggregate and forensic) can reveal spoofing attempts and SPF/DKIM alignment issues. These reports provide insights into the source of unauthorized email and help identify domains that are being spoofed.
Documentation from AuthSMTP explains that to fix SPF Hard Fail errors, update your DNS SPF record to ensure it includes all legitimate sending sources. The common syntax to use would be ip4: and ip6:.
Documentation from Google Workspace Admin Help explains that if SPF fails, review the email headers to identify the source IP address and the domain used for SPF authentication. Verify that the sending server is authorized to send emails on behalf of your domain and ensure your SPF record includes the sending server's IP address or domain.
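The Google Workspace and Microsoft procedures above (find the source IP and the SPF domain in the headers, then test that IP against the published record and add an ip4:/ip6: term if the sender turns out to be yours) can be done from a saved message without touching a mail server. The following is an added example written for this page, not code from Google, Microsoft or AuthSMTP. The message headers and the SPF record are constructed. It reads the result and identities from Authentication-Results, takes the client IP from Received-SPF (falling back to the topmost Received header), and re-evaluates that IP against the record's ip4:/ip6: terms; include: targets are listed but deliberately not resolved here, since that needs DNS.

```python
"""Locate the failing source IP in message headers and re-test it against SPF.

Added example for this page, not code from the quoted documentation.
SAMPLE_HEADERS and SPF_RECORD are constructed data.
"""
import email
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed headers as a receiver would stamp them (client IP is a documentation address).
SAMPLE_HEADERS = """Authentication-Results: mx.receiver.example;
       dkim=none;
       spf=fail (receiver.example: domain of bounce@example.com does not designate 192.0.2.77 as permitted sender) smtp.mailfrom=bounce@example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Received-SPF: fail (receiver.example: domain of bounce@example.com does not designate 192.0.2.77 as permitted sender) client-ip=192.0.2.77; envelope-from=bounce@example.com;
Received: from mail.unknown.example (mail.unknown.example. [192.0.2.77])
        by mx.receiver.example with ESMTPS id abc123
From: "Accounts" <billing@example.com>
Subject: Invoice overdue
"""

# Constructed record for example.com; one include left unresolved on purpose.
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.provider-b.example -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def auth_facts(raw_headers: str) -> Dict[str, Optional[str]]:
    """Pull SPF/DKIM results, identities and the connecting IP out of the headers."""
    msg = email.message_from_string(raw_headers)
    # Unfold continuation lines so one regex sees the whole header value.
    ar = " ".join((msg.get("Authentication-Results") or "").split())
    received_spf = " ".join((msg.get("Received-SPF") or "").split())
    facts = {
        "spf_result": _grab(r"\bspf=(\w+)", ar),
        "dkim_result": _grab(r"\bdkim=(\w+)", ar),
        "mailfrom_domain": _grab(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", ar),
        "header_from": _grab(r"header\.from=([^\s;]+)", ar),
        "client_ip": _grab(r"client-ip=([0-9a-fA-F.:]+)", received_spf),
    }
    if not facts["client_ip"]:
        # msg.get returns the first, i.e. topmost, Received header: the last hop into us.
        received = " ".join((msg.get("Received") or "").split())
        facts["client_ip"] = _grab(r"\[([0-9a-fA-F.:]+)\]", received)
    return facts


def evaluate_ip(ip: str, record: str) -> Tuple[str, List[str]]:
    """Match `ip` against ip4:/ip6: terms in order; return (result, unresolved includes)."""
    addr = ipaddress.ip_address(ip)
    unresolved: List[str] = []
    for raw in record.split()[1:]:
        qualifier = "+"
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        name, _, value = raw.partition(":")
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # syntax problems are the linter's job, not this check's
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier], unresolved
        elif name == "include":
            unresolved.append(value)  # would need DNS; reported so the reader checks it
        elif name == "all":
            return QUALIFIER_RESULT[qualifier], unresolved
    return "neutral", unresolved


def diagnose(raw_headers: str, record: str = SPF_RECORD) -> Dict[str, object]:
    """Combine header facts with a local SPF re-check and the term that would fix it."""
    facts = auth_facts(raw_headers)
    result, unresolved = evaluate_ip(facts["client_ip"], record)
    out: Dict[str, object] = dict(facts, local_result=result, unresolved_includes=unresolved)
    if result in ("fail", "softfail"):
        addr = ipaddress.ip_address(facts["client_ip"])
        # Only add this if the host is yours; for a stranger's host the fail is the right outcome.
        out["fix_if_legitimate"] = f"ip{addr.version}:{addr}"
    return out


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_HEADERS).items():
        print(f"{key:20} {value}")
```

The SPF domain to test is the one in `smtp.mailfrom`, which is why a forwarder or calendar service that rewrites the MailFrom shows a pass for its own domain while DMARC still fails on alignment with `header.from`.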