Some help understanding this dmarc report

Discussion in 'Server Operation' started by schwim, Apr 14, 2023.

  1. schwim

    schwim Member HowtoForge Supporter

    Hello there, folks!
    I recently moved this domain from another server and during that move, added spf, dmarc and dkim records to the domain. It is probably important to note that the domain currently doesn't have any email accounts so it would be impossible for anyone to actually be sending mail through the server by logging into a legitimate mail account tied to the domain.
    I can see where the known spam IP starting with 69.16 got caught sending mail trying to pass as this domain. Does the part following it mean that they are sending mail trying to pass as <something>@ielc.broncoinfo.com?
    Further questions:
    1) Why is Google the only one that sends dmarc reports? Is it because they scan domains and look for these records or are these generated because mail gets sent to gmail and then this report is generated?
    2) Is there anything to be done in regards to a report like this? Do I need to do something with the information that this IP is trying to send mail spoofing as a domain I control? A report to some spam system, host, etc?
    3) Do you always add spf, dmarc and dkim records to your domains, regardless of whether or not they are capable of sending mail or do you only bother for those domains with mail accounts?

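    An added example, not from the thread or any poster: a small Python parser for a DMARC aggregate (RUA) report of the kind shown in the screenshot. In such a report, `row/source_ip` and `row/count` give the sending address and message volume, `policy_evaluated` records what the receiver did, and `identifiers/header_from` is the domain the message claimed in its From header, so a subdomain there means the sender forged a From address under that subdomain. The XML below is constructed (documentation-range IPs, example.com, a made-up report id) and the function names are my own.

```python
"""Parse a DMARC aggregate report and list the source IPs whose mail
failed both aligned SPF and aligned DKIM. Added example with a
constructed sample report; not code from the thread."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: one spoofing source (rejected) and one legitimate source.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>constructed-report-id</report_id>
    <date_range><begin>1681344000</begin><end>1681430399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>s</adkim><aspf>s</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>3</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>sub.example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>other.example.net</domain><result>none</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.5</source_ip>
      <count>2</count>
      <policy_evaluated>
        <disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>mail2023</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Return reporter, policy and one dict per <record> row."""
    root = ET.fromstring(xml_text)
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),   # aligned DKIM result
            "spf": evaluated.findtext("spf"),     # aligned SPF result
            # Domain the message claimed in its From: header (may be a subdomain).
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": meta.findtext("org_name"),
        "domain": policy.findtext("domain"),
        "policy": policy.findtext("p"),
        "records": records,
    }


def failing_sources(report):
    """Message counts per source IP where neither aligned SPF nor aligned
    DKIM passed: spoofers, or a legitimate sender that was forgotten."""
    totals = defaultdict(int)
    for r in report["records"]:
        if r["dkim"] != "pass" and r["spf"] != "pass":
            totals[r["source_ip"]] += r["count"]
    return dict(totals)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"report from {rep['reporter']} for {rep['domain']} (p={rep['policy']})")
    for r in rep["records"]:
        print(f"{r['source_ip']:>15} x{r['count']} from={r['header_from']} "
              f"spf={r['spf']} dkim={r['dkim']} -> {r['disposition']}")
    print("failing sources:", failing_sources(rep))
```

    Reading real reports works the same way: unzip the attachment Google sends, feed the XML to `parse_report`, and watch `failing_sources` over a few weeks. Any IP there that is actually yours needs an SPF or DKIM fix before a reject policy is safe; the rest is the spoofing traffic the policy exists to block.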
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    yes.

    1. it's not just google, I get them from amazon SES, aol.com, enterprise.protection.outlook.com and others.. who you get the report from depends on where it is being sent to. in this case, the mail was sent to a gmail/google workspace address, so Google's servers check the dmarc record and take the appropriate action.

    2. you can find which network/ISP is ultimately responsible for the sending IP and send a copy of the dmarc report to them.. (don't expect much action though, especially from places that deliberately allow spamming) I do remember seeing something about having this done automatically.. but I can't remember where.
    it's mainly to monitor for a while and ensure you don't have any legitimate mail sources failing the spf / dkim tests. prior to setting the dmarc policy to tell isp's to reject such messages.

    3. no. not for client domains.. just because they may use your server for email, doesn't mean you know every source of mail for their domain.. if you create spf/dkim/dmarc records/policies for them automatically, you may block a lot of important legitimate mail.
    if it's your own domains.. or you know, definitively, every allowed source of mail for the domain, then you can create the records/policies.
    if you know for sure a domain will never send email, including from their website.. you can create the spf/dkim/dmarc records:
    Code:
    name                       type    data
    example.com                TXT     v=spf1 -all
    *._domainkey.example.com   TXT     v=DKIM1; p=
    _dmarc.example.com         TXT     v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
    
    to specify that no legitimate mail is ever sent on this domain. *change example.com to match the required domain name.


    and it's better to select something appropriate for the dkim selector, rather than just use default._domainkey, so that multiple dkim records can exist without clashing.
     
    Last edited: Apr 14, 2023
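An added example, not from the thread: a Python checker for the three "this domain never sends mail" records above. It parses the SPF, DKIM and DMARC TXT values and reports anything weaker than the template (a softfail `~all`, a DKIM record that still publishes a key, a DMARC policy of `none` or a relaxed alignment), so a weak set of records can be compared against the corrected one before it is published. Function names and the sample records are my own.

```python
"""Check SPF/DKIM/DMARC TXT records for a domain that should never send
mail. Added example with constructed record values; not the poster's code."""


def parse_tags(record):
    """Split a 'tag=value; tag=value' DKIM/DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """A no-mail domain should publish exactly 'v=spf1 -all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing v=spf1 version tag"]
    if terms[1:] != ["-all"]:
        return ["SPF: expected exactly 'v=spf1 -all', got "
                f"{' '.join(terms[1:]) or '(no terms)'}"]
    return []


def check_dkim(record):
    """Wildcard selector record with an empty p= (revoked key): no DKIM
    signature for any selector can ever verify."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1":
        findings.append("DKIM: missing v=DKIM1")
    if "p" not in tags:
        findings.append("DKIM: p tag absent")
    elif tags["p"] != "":
        findings.append("DKIM: p publishes a key; a no-mail wildcard record should use an empty p=")
    return findings


def check_dmarc(record):
    """Reject for the domain and its subdomains, with strict alignment."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: missing v=DMARC1")
    expected = {"p": "reject", "sp": "reject", "adkim": "s", "aspf": "s"}
    for tag, want in expected.items():
        # sp inherits p when absent, which is how receivers treat it.
        got = tags.get("p") if tag == "sp" and "sp" not in tags else tags.get(tag)
        if got != want:
            findings.append(f"DMARC: {tag}={got!r}, expected {want!r}")
    return findings


def check_no_mail_records(spf, dkim, dmarc):
    """All findings for the three records; an empty list means they match
    the no-mail template."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


# Constructed sample values: the template from the thread, and a weak set.
GOOD = ("v=spf1 -all", "v=DKIM1; p=", "v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s")
WEAK = ("v=spf1 ~all", "v=DKIM1; p=", "v=DMARC1;p=none")

if __name__ == "__main__":
    print("template records:", check_no_mail_records(*GOOD) or "ok")
    for finding in check_no_mail_records(*WEAK):
        print("weak records:", finding)
```

In practice the values come from `dig TXT example.com`, `dig TXT default._domainkey.example.com` (or whichever selector is in use) and `dig TXT _dmarc.example.com`; the checker does not query DNS itself so it runs offline.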
