Why are spoofed emails passing DMARC authentication with IPv6?
Summary
What email marketers say
11 marketer opinions
Email marketer from StackOverflow explains that you can use the Authentication-Results header to see why DMARC passed and view the results of the SPF and DKIM tests performed by the email receiver. This will show you the IPv6 address that was checked.
Email marketer from Mailhardener Blog explains that SPF has some issues with IPv6. Most resolvers do not retry SPF lookups over IPv4 if the IPv6 lookup fails, potentially leading to SPF failures and impacting DMARC.
Email marketer from MXToolbox says that you can use their tool to look up a DMARC record for a domain and validate that it is configured correctly. Ensuring it's configured correctly is the first step to ensure DMARC checks work as intended.
Email marketer from Valimail Blog shares that DMARC can be bypassed when emails are forwarded if the forwarding service doesn't properly handle authentication. This is often due to the forwarder not rewriting headers or using SRS (Sender Rewriting Scheme).
Email marketer from Reddit explains that some older forwarding mail servers will not rewrite the headers and properly sign forwarded messages, breaking SPF and DKIM. This will cause the forwarded messages to not pass DMARC. They suggest you need to update or move from these old forwarding services.
Marketer from Email Geeks offers to review headers for Disney mail, mentioning they send some of it.
Marketer from Email Geeks explains that the SPF reports as passed and aligns with From:, so therefore DMARC passes.
Marketer from Email Geeks suggests if the mail is passing through and being forwarded by accountprotection.microsoft.com and the headers are being rewritten during that process, that’s a different issue.
Email marketer from AuthSMTP Knowledge Base mentions that SPF failures can occur with IPv6 if the DNS records for the sending domain are not properly configured to include the IPv6 addresses of the sending mail servers. This can lead to legitimate emails failing SPF checks.
Email marketer from EasyDMARC Knowledge Base explains that common reasons for DMARC failures include SPF failures due to incorrect setup or exceeding the lookup limit, and DKIM failures due to key mismatch or signing issues. If SPF or DKIM fail, DMARC will also fail if configured to do so.
Email marketer from SparkPost Blog details that for DMARC to pass, either SPF or DKIM must pass, and the domain used for SPF or DKIM must align with the domain in the From: header of the email. If alignment fails, DMARC can still fail even if SPF or DKIM pass individually.
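The check described above (read the Authentication-Results header, then see which passing mechanism actually aligns with the From: domain) can be scripted. This is an added example, not code from any of the quoted sources; the sample header is constructed, relaxed alignment is assumed, and `org_domain`, `parse_auth_results` and `explain_dmarc` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample header (documentation domains and IPv6 prefix), not from the page.
# The "(sender IP is ...)" comment style is an assumption; receivers word it differently.
SAMPLE = (
    "mx.receiver.example; "
    "spf=pass (sender IP is 2001:db8::25) smtp.mailfrom=bounce.example.com; "
    "dkim=fail (signature did not verify) header.d=example.com; "
    "dmarc=pass action=none header.from=example.com"
)

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC checks
    # use the Public Suffix List, which matters for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return one dict per method entry: method, result, properties, comment."""
    entries = []
    # Split on ';' only outside parentheses; element 0 is the authserv-id.
    for field in re.split(r";(?![^()]*\))", header)[1:]:
        comment = re.search(r"\(([^)]*)\)", field)
        pairs = re.findall(r"([\w.-]+)=([^\s;()]+)", re.sub(r"\([^)]*\)", " ", field))
        if pairs:
            entry = dict(pairs[1:])
            entry.update(method=pairs[0][0].lower(), result=pairs[0][1].lower(),
                         comment=comment.group(1) if comment else "")
            entries.append(entry)
    return entries

def explain_dmarc(header):
    """Report which passing mechanisms align with header.from, and any IPs checked."""
    entries = parse_auth_results(header)
    from_dom = next((e["header.from"] for e in entries if "header.from" in e), "")
    aligned, ips = [], []
    for e in entries:
        key = {"spf": "smtp.mailfrom", "dkim": "header.d"}.get(e["method"])
        ident = e.get(key, "").rsplit("@", 1)[-1] if key else ""
        if ident and from_dom and e["result"] == "pass" and org_domain(ident) == org_domain(from_dom):
            aligned.append(e["method"])
        for tok in e["comment"].split():
            try:
                ip = ipaddress.ip_address(tok.strip(",;[]"))
                ips.append((str(ip), ip.version))
            except ValueError:
                pass  # not an IP literal, ignore
    return {"from": from_dom, "aligned_by": aligned, "checked_ips": ips}

if __name__ == "__main__":
    print(explain_dmarc(SAMPLE))
```

An empty `aligned_by` next to `dmarc=pass` means the header was rewritten or the receiver applied a local override, which is worth investigating before touching the SPF record.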
What the experts say
3 expert opinions
Expert from Spam Resource explains that DMARC failures can occur when SPF fails due to misconfigured DNS records, or when DKIM signatures are invalid due to key rotation issues or tampering during transit. Forwarding is also a common cause.
Expert from Word to the Wise explains that SPF failures happen if the IP address of the server sending the mail isn't listed in the SPF record, or if the SPF record is misconfigured. With IPv6, this could be because the IPv6 address isn't included or the DNS lookup fails.
Expert from Word to the Wise discusses the different authentication methods of SPF, DKIM and DMARC and their interplay; it is crucial to ensure correct implementation to stop spoofed emails from passing authentication.
What the documentation says
4 technical articles
Documentation from DMARC.org specifies that DMARC policies are designed to instruct mail receivers on how to handle emails that fail authentication checks. Receivers should follow the specified policy (none, quarantine, or reject) based on the DMARC record published by the sending domain.
Documentation from RFC Editor explains how DMARC uses DKIM to verify the integrity of the email content and sender. The DKIM signature must be valid and align with the domain in the From: header for DMARC to pass based on DKIM.
Documentation from Microsoft Documentation states that spoofing is when an email message appears to be from someone or somewhere other than the actual source. Spoofing is often used in phishing attacks and spam campaigns.
Documentation from RFC Editor details how DMARC uses SPF to verify the sender's authorization. It explains that if SPF fails to authenticate the sender's domain, the DMARC policy is applied based on the 'p=' tag in the DMARC record (e.g., quarantine, reject).