Why are spoofed emails passing DMARC authentication with IPv6?

Summary

Spoofed emails may bypass DMARC authentication, even with IPv6, due to a combination of factors. These include misconfigured SPF records, especially regarding IPv6 addresses; failures in SPF lookups over IPv6 by some resolvers; issues with email forwarding services not properly handling authentication, often lacking header rewriting or Sender Rewriting Scheme (SRS); and alignment failures between SPF/DKIM domains and the From: header. Invalid DKIM signatures due to key rotation or tampering also contribute. The interaction and correct implementation of SPF, DKIM, and DMARC are crucial, and the Authentication-Results header can provide diagnostic information. Properly configured DMARC records and tools like MXToolbox can aid in validation and troubleshooting.

Key findings

  • SPF Configuration Issues: Misconfigured SPF records, especially concerning IPv6 addresses, or IPv6 lookup failures by some resolvers, can lead to DMARC bypass.
  • Forwarding Problems: Email forwarding services that fail to rewrite headers or use SRS break SPF and DKIM, causing DMARC to be bypassed.
  • Alignment Requirements: For DMARC to pass, SPF or DKIM must pass, and their domains must align with the From: header domain. Failures in alignment can cause DMARC to fail.
  • DKIM Signature Validity: Invalid DKIM signatures, due to key rotation issues or tampering, can result in DMARC failures.
  • Authentication-Results Header: The Authentication-Results header can be analyzed to understand the outcome of SPF and DKIM checks, aiding in diagnosing DMARC failures.
  • DMARC Policy Implementation: Incomplete or incorrect DMARC policy implementation can render protections ineffective.

Key considerations

  • Review SPF Records: Carefully configure SPF records, including IPv6 addresses of sending servers, and ensure they are up-to-date.
  • Update Forwarding Practices: Utilize forwarding services that properly handle authentication via header rewriting or SRS.
  • Ensure Domain Alignment: Verify that SPF and DKIM domains are aligned with the From: header domain for effective DMARC authentication.
  • Implement DKIM Properly: Ensure correct DKIM implementation, including key management and signature validity.
  • Utilize Authentication Results: Analyze the Authentication-Results header to understand the outcome of authentication checks.
  • Validate DMARC Configuration: Use tools like MXToolbox to validate the DMARC record and verify its correct configuration.
  • Correct Authentication Method Interplay: Ensure SPF, DKIM and DMARC are implemented correctly and work together, to stop spoofed emails passing authentication.

What email marketers say
11 marketer opinions

Spoofed emails can pass DMARC authentication despite using IPv6 due to a combination of factors, including misconfigured SPF records (especially with IPv6 addresses), issues with email forwarding services not properly handling authentication, and alignment failures between SPF/DKIM domains and the From: header. Additionally, some resolvers may not handle IPv6 SPF lookups correctly. Examining the Authentication-Results header can help diagnose the specific reason for DMARC's pass or fail status.

Key opinions

  • SPF Misconfiguration: Incorrectly configured SPF records, particularly regarding IPv6 addresses of sending servers, can lead to SPF failures, subsequently affecting DMARC.
  • Forwarding Issues: Email forwarding services that do not rewrite headers or use SRS can break SPF and DKIM, leading to DMARC bypass.
  • Alignment Problems: Even if SPF or DKIM pass individually, DMARC can fail if the domains used for authentication do not align with the domain in the From: header.
  • IPv6 Lookup Failures: Some resolvers might not properly retry SPF lookups over IPv4 if the IPv6 lookup fails, causing SPF to fail.
  • Authentication Results Header: The Authentication-Results header provides valuable insights into the specific SPF and DKIM checks performed, aiding in diagnosing DMARC outcomes.

Key considerations

  • Review SPF Records: Ensure SPF records are correctly configured to include all authorized sending IP addresses, especially IPv6 addresses.
  • Update Forwarding Services: Use forwarding services that properly handle authentication via header rewriting or SRS.
  • Domain Alignment: Verify that SPF and DKIM domains align with the From: header domain for successful DMARC authentication.
  • DMARC Record Validation: Regularly validate the DMARC record to confirm it's correctly configured and reflects the desired policy.
  • Monitor Authentication Results: Analyze Authentication-Results headers to understand why emails pass or fail DMARC and identify areas for improvement.
Marketer view

Email marketer from StackOverflow explains that you can use the Authentication-Results header to see why DMARC passed and view the results of the SPF and DKIM tests performed by the email receiver. This will show you the IPv6 address that was checked.

August 2024 - StackOverflow
Marketer view

Email marketer from Mailhardener Blog explains that SPF has some issues with IPv6. Most resolvers do not retry SPF lookups over IPv4 if the IPv6 lookup fails, potentially leading to SPF failures and impacting DMARC.

December 2022 - Mailhardener Blog
Marketer view

Email marketer from MXToolbox explains that you can use their tool to look up a DMARC record for a domain and validate that it is configured correctly. Ensuring it is configured correctly is the first step to ensure DMARC checks work as intended.

November 2021 - MXToolbox
Marketer view

Email marketer from Valimail Blog shares that DMARC can be bypassed when emails are forwarded if the forwarding service doesn't properly handle authentication. This is often due to the forwarder not rewriting headers or using SRS (Sender Rewriting Scheme).

September 2024 - Valimail Blog
Marketer view

Email marketer from Reddit explains that some older forwarding mail servers will not rewrite the headers and properly sign forwarded messages, breaking SPF and DKIM. This will cause the forwarded messages to not pass DMARC. They suggest you need to update or move from these old forwarding services.

December 2024 - Reddit
Marketer view

Marketer from Email Geeks offers to review headers for Disney mail, mentioning they send some of it.

March 2022 - Email Geeks
Marketer view

Marketer from Email Geeks explains that the SPF reports as passed and aligns with From:, so DMARC passes.

February 2025 - Email Geeks
Marketer view

Marketer from Email Geeks suggests if the mail is passing through and being forwarded by accountprotection.microsoft.com and the headers are being rewritten during that process, that’s a different issue.

September 2021 - Email Geeks
Marketer view

Email marketer from AuthSMTP Knowledge Base mentions that SPF failures can occur with IPv6 if the DNS records for the sending domain are not properly configured to include the IPv6 addresses of the sending mail servers. This can lead to legitimate emails failing SPF checks.

July 2024 - AuthSMTP Knowledge Base
Marketer view

Email marketer from EasyDMARC Knowledge Base explains that common reasons for DMARC failures include SPF failures due to incorrect setup or exceeding the lookup limit, and DKIM failures due to key mismatch or signing issues. If SPF or DKIM fail, DMARC will also fail if configured to do so.

March 2023 - EasyDMARC Knowledge Base
Marketer view

Email marketer from SparkPost Blog details that for DMARC to pass, either SPF or DKIM must pass, and the domain used for SPF or DKIM must align with the domain in the From: header of the email. If alignment fails, DMARC can still fail even if SPF or DKIM pass individually.

October 2024 - SparkPost Blog
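
The alignment rule and the Authentication-Results diagnosis described in the views above can be checked together. The following is an added example, not code from any of the quoted sources: it parses a constructed Authentication-Results header and recomputes whether SPF or DKIM both passed and aligned with the From: domain. The function names, the sample header and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
import re

# Constructed sample header, not taken from a real message. 2001:db8::/32 is
# the IPv6 documentation prefix; the domains are reserved example names.
SAMPLE = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass (sender IP is 2001:db8::25) smtp.mailfrom=bounce.example.com;\n"
    " dkim=fail (signature did not verify) header.d=example.net;\n"
    " dmarc=pass action=none header.from=example.com"
)

def parse_auth_results(header):
    """Return {method: {"result": ..., "ptype.property": value}}."""
    body = re.sub(r"\s+", " ", header.split(":", 1)[1])  # unfold continuation lines
    body = re.sub(r"\([^)]*\)", "", body)  # drop comments (nested ones not handled)
    parsed = {}
    for clause in body.split(";")[1:]:  # element 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        # Simplification: a repeated method (e.g. two dkim= results) keeps the last.
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Receivers use the Public Suffix List, which this example does not load.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def explain_dmarc(header):
    """Recompute relaxed alignment from the receiver's recorded results."""
    r = parse_auth_results(header)
    spf, dkim, dmarc = r.get("spf", {}), r.get("dkim", {}), r.get("dmarc", {})
    from_org = org_domain(dmarc.get("header.from", ""))
    spf_dom = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    spf_ok = bool(from_org) and spf.get("result") == "pass" \
        and org_domain(spf_dom) == from_org
    dkim_ok = bool(from_org) and dkim.get("result") == "pass" \
        and org_domain(dkim.get("header.d", "")) == from_org
    return {"spf_aligned_pass": spf_ok, "dkim_aligned_pass": dkim_ok,
            "expected_dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "reported_dmarc": dmarc.get("result")}

if __name__ == "__main__":
    print(explain_dmarc(SAMPLE))
```

A mismatch between `expected_dmarc` and `reported_dmarc` on a real header points at the receiver's own alignment mode or at a domain the two-label shortcut mishandles.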

What the experts say
3 expert opinions

Spoofed emails sometimes pass DMARC authentication due to a multitude of authentication and configuration failures. SPF records are often misconfigured, with missing IP addresses (particularly IPv6 addresses) of sending servers, or general DNS misconfigurations. DKIM signatures can be invalidated by key rotation issues or tampering, and forwarding practices can also circumvent DMARC. Correct implementation and interplay of SPF, DKIM, and DMARC are crucial to prevent spoofed emails from being authenticated.

Key opinions

  • SPF Failures: SPF records may be missing necessary IP addresses (including IPv6) or contain other DNS configuration errors, leading to authentication failure.
  • DKIM Invalidity: DKIM signatures can become invalid due to key rotation problems or alterations during email transit.
  • Forwarding Issues: Improper email forwarding practices can lead to DMARC failure.
  • Interplay of Authentication Methods: The combined effectiveness of SPF, DKIM, and DMARC relies on their proper implementation and interaction.

Key considerations

  • Audit SPF Records: Regularly review and update SPF records to ensure they accurately list all authorized sending IP addresses, paying attention to IPv6 configurations.
  • Manage DKIM Keys: Implement a secure DKIM key management process to prevent key rotation problems and ensure signature validity.
  • Review Forwarding Practices: Examine and update email forwarding practices to maintain DMARC compliance.
  • Implement Authentication Protocols Correctly: Ensure correct implementation and proper interplay of SPF, DKIM, and DMARC for effective email authentication.
Expert view

Expert from Spam Resource explains that DMARC failures can occur when SPF fails due to misconfigured DNS records, or when DKIM signatures are invalid due to key rotation issues or tampering during transit. Forwarding is also a common cause.

July 2021 - Spam Resource
Expert view

Expert from Word to the Wise explains that SPF failures happen if the IP address of the server sending the mail isn't listed in the SPF record, or if the SPF record is misconfigured. With IPv6, this could be because the IPv6 address isn't included or the DNS lookup fails.

November 2022 - Word to the Wise
Expert view

Expert from Word to the Wise discusses the different authentication methods of SPF, DKIM and DMARC and their interplay, noting that it is crucial to ensure correct implementation to stop spoofed emails passing authentication.

October 2023 - Word to the Wise
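
The SPF failure mode raised in the expert views above, where a server sends over IPv6 but the record lists only IPv4 ranges, can be audited offline. The following is an added example, not code from the quoted sources: it evaluates only the ip4:, ip6: and all terms of an SPF record against a sending address and reports which terms would still need DNS. The function name, the sample records and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = ("include", "a", "mx", "exists", "ptr")

def spf_ip_check(record, sender_ip):
    """Evaluate the ip4:/ip6:/all terms of one SPF record for sender_ip.

    No DNS is queried: terms that need a lookup are returned in needs_dns,
    and the result is provisional whenever that list is not empty.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"result": "none", "has_ip6": False, "needs_dns": []}
    has_ip6 = any(t.lstrip("+-~?").lower().startswith("ip6:") for t in terms)
    needs_dns, result = [], "neutral"   # neutral: nothing matched
    for term in terms[1:]:
        outcome = "pass"                # default qualifier is "+"
        if term[0] in QUALIFIERS:
            outcome, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                result = outcome
                break
        elif name == "all":
            result = outcome
            break
        elif name.split("/")[0] in DNS_MECHANISMS or name.startswith("redirect="):
            needs_dns.append(term)
    return {"result": result, "has_ip6": has_ip6, "needs_dns": needs_dns}

# Constructed records for a hypothetical sender; addresses use documentation ranges.
V4_ONLY = "v=spf1 ip4:192.0.2.0/24 -all"
DUAL_STACK = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:1::/48 -all"

if __name__ == "__main__":
    for rec in (V4_ONLY, DUAL_STACK):
        print(rec, "->", spf_ip_check(rec, "2001:db8:1::25"))
```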

What the documentation says
4 technical articles

DMARC leverages SPF and DKIM to authenticate email senders. SPF verifies the sender's authorization, while DKIM ensures email integrity and sender verification. If SPF fails to authenticate the sender, DMARC relies on its policy ('p=' tag) to instruct receivers on handling the email (quarantine, reject, or none). For DKIM, the signature must be valid and aligned with the domain in the From: header for DMARC to pass. Spoofing involves disguising the email's origin for malicious purposes like phishing. DMARC policies guide mail receivers on managing emails that fail these authentication checks.

Key findings

  • SPF Authentication: DMARC uses SPF to authenticate if the sender is authorized to send emails on behalf of the domain.
  • DKIM Verification: DMARC uses DKIM to verify the integrity of the email and ensure it was sent by the claimed sender, requiring a valid signature and domain alignment.
  • DMARC Policies: DMARC policies (specified by the 'p=' tag) dictate how email receivers should handle emails that fail authentication checks.
  • Spoofing Definition: Spoofing is when an email is disguised to appear as if it originates from a different source, often used for phishing and spam.

Key considerations

  • Proper SPF Setup: Ensure SPF records are correctly configured to accurately represent authorized sending sources.
  • Maintain Valid DKIM Signatures: Regularly check and maintain DKIM signatures to ensure they are valid and properly aligned with the From: header domain.
  • Implement DMARC Policy: Set a DMARC policy (quarantine or reject) to instruct receivers on how to handle unauthenticated emails effectively.
  • Educate on Spoofing: Educate users about spoofing techniques to help them identify and avoid phishing attacks.
Technical article

Documentation from DMARC.org specifies that DMARC policies are designed to instruct mail receivers on how to handle emails that fail authentication checks. Receivers should follow the specified policy (none, quarantine, or reject) based on the DMARC record published by the sending domain.

June 2024 - DMARC.org
Technical article

Documentation from RFC Editor explains how DMARC uses DKIM to verify the integrity of the email content and sender. The DKIM signature must be valid and align with the domain in the From: header for DMARC to pass based on DKIM.

January 2022 - RFC Editor
Technical article

Documentation from Microsoft Documentation states that spoofing is when an email message appears to be from someone or somewhere other than the actual source. Spoofing is often used in phishing attacks and spam campaigns.

August 2021 - Microsoft Documentation
Technical article

Documentation from RFC Editor details how DMARC uses SPF to verify the sender's authorization. It explains that if SPF fails to authenticate the sender's domain, the DMARC policy is applied based on the 'p=' tag in the DMARC record (e.g., quarantine, reject).

May 2022 - RFC Editor