email - 即使在域上设置了 SPF 和 DKIM,钓鱼邮件如何通过?
问题描述
我试图了解 SPF 和 DKIM 如何工作(并且失败)。
我有一个域majlovesreg.one,它使用 Mailgun 并包含这些 TXT DNS 记录,v=spf1 include:mailgun.org -all并且v=DKIM1; k=rsa; p=**pubkey**. Mailgun 然后将电子邮件路由到我的 Gmail 帐户。
有一天,我在 Gmail 中收到了一封据称来自 的网络钓鱼电子邮件py@hms.harvard.edu,我惊讶地发现它是通过该majlovesreg.one域发送的。检查原始邮件显示该电子邮件来自WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix)。然而,谷歌ARC-Authentication-Results显示该电子邮件通过了 SPF 和 DKIM 检查。
问题:这封电子邮件如何通过 SPF?它怎么可能也通过 DKIM?
供参考,以下是原始电子邮件:
Delivered-To: #####@gmail.com
Received: by 2002:a2e:6550:0:0:0:0:0 with SMTP id z77csp1970412ljb;
Sat, 14 Sep 2019 06:12:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyy+BjN8TgEiJWD+O7IKWD/n0532Fxhp+f+75ffu4u0JU1esXRPEme/DcG7RaYnlDiaMUW8
X-Received: by 2002:a9d:3f26:: with SMTP id m35mr46049370otc.66.1568466733949;
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568466733; cv=none;
d=google.com; s=arc-20160816;
b=KDIT95EakaPqwYj0OF6116ReXWrEwoqTDfWySmCU35uwaP1F09vv/zAsThE/ziMF9h
iXFoXiNdBH2kGE1iGufqDyK/zm7AUsDRTLdFi5lRG3r326P2HylYdU7K6tnzwIOv/v+E
meyuyWNVShq3nTKZEyiDBJg2pnoMrSOrNTghmnD2txnvvEmyLqiAE1MwHWI1AmedBTQ8
xR0XS2DSsEr066m+5Iu2Yb3bjJIQNu1/8tcL6g+dy9XgQXagj3gdmKQoZKfOgK4K8b/g
PUynWvl0on1vauSG72JfucvljjgdWuVSHAKDAepVm4EpdCEcdV41mv74Q/FQfrB1KAyh
ZfwQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:subject:date:reply-to:to:from
:mime-version:message-id:dkim-signature;
bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=;
b=aLF5hABuvBtaw58MtyXDMyjkhZiCSlp/1Hn5Cv9pHDLTvFTlwVRSCBy1B3sjQEzdiy
LYRXcb5Ne/aii7bBxFSnkZRv5wt+csct6lGJ1BjEXL2rU3ZXF1CZQDMhS+Lge2jle8pO
6n2eZ/9bQlWnzIgO95NG/mD0+eMJt2j43eC8JRcMYIYB480xEOENTb5Tv8isqvOnV7P6
3cI3rctDup6kDv1jYXNkNuwSdk4f3BDfbMt5YQoJIeT3gdSI3jcC/0VCGzRb7yQ66uLL
gfjKKpUuLnwB9CvoOdRMr7uJViLmO9rBoKn7MuRzz2wo/e5L5I7pieJrslsSQYGO7EYG
Df2A==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
Return-Path: <bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one>
Received: from m42-1.mailgun.net (m42-1.mailgun.net. [69.72.42.1])
by mx.google.com with UTF8SMTPS id h16si3134596oie.262.2019.09.14.06.12.12
for <#####@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sat, 14 Sep 2019 06:12:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) client-ip=69.72.42.1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@majlovesreg.one header.s=k1 header.b=IcrRZKl9;
spf=pass (google.com: domain of bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one designates 69.72.42.1 as permitted sender) smtp.mailfrom="bounce+120cd3.e8b324-#####=gmail.com@majlovesreg.one"
DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=majlovesreg.one; q=dns/txt; s=k1; t=1568466733; h=Content-Transfer-Encoding: Content-Type: Subject: Date: Reply-To: To: From: MIME-Version: Message-Id; bh=BsvrE3YWQDLvlA2k8W+wWmeOBtVwF3r0DTyYJGWVUkc=; b=IcrRZKl90xBY0yfOeKwqDhszwGRipiYn+KphrsykgMkctgkr2oRQ++eHjHm49YdfeHDoq0vu 7NV0/kpVaYewb0NWBAxDu8cTC2lU1g/+HOA0d/uA+R4p4BBc24TazKfhU3p+BrtOBD6PfqIl qtjepy/cO+127GcSAg6uWxVXKUA=
X-Mailgun-Sending-Ip: 69.72.42.1
X-Mailgun-Incoming: Yes
Message-Id: <20190914131206.1.5A38D163B017E082@hms.harvard.edu>
X-Envelope-From: <py@hms.harvard.edu>
Received: from newsgw-02.dd24.net (newsgw-02.dd24.net [193.46.215.84]) by mxa.mailgun.org with ESMTP id 5d7ce726.7f54a6062110-smtp-in-n01; Sat, 14 Sep 2019 13:12:06 -0000 (UTC)
Received: from WIN-ESHJO5UV0E0 (unknown [188.209.52.55]) by newsgw.dd24.net (Postfix) with ESMTPA id 1C9095FE52 for <#####@majlovesreg.one>; Sat, 14 Sep 2019 13:11:49 +0000 (UTC)
MIME-Version: 1.0
From: Monika Majewska <py@hms.harvard.edu>
To: #####@majlovesreg.one
Reply-To: manager@azibulon-group.com
Date: 14 Sep 2019 06:12:04 -0700
Subject: New Order Inquiry
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
<P>Hello,</P>
<P>We have sent several emails to you, but no response</P>
<P>Please let me know if #####@majlovesreg.one is the correct email to place =
an order</P>
<P>I'm sorry for any inconvenience, if it's not your sales email, let me kn=
ow and i won't send any more email.</P>
<P>Hope to get your response this time.</P>
<P><SPAN style=3D'FONT-SIZE: 13px; FONT-FAMILY: "Helvetica Neue", "Segoe UI=
", Helvetica, Arial, "Lucida Grande", sans-serif; WHITE-SPACE: normal; WORD=
-SPACING: 0px; TEXT-TRANSFORM: none; FLOAT: none; FONT-WEIGHT: 700; COLOR: =
rgb(29,34,40); FONT-STYLE: normal; TEXT-ALIGN: left; ORPHANS: 2; WIDOWS: 2;=
DISPLAY: inline !important; LETTER-SPACING: normal; BACKGROUND-COLOR: rgb(=
255,255,255); TEXT-INDENT: 0px; font-variant-ligatures: normal; font-varian=
t-caps: normal; -webkit-text-stroke-width: 0px; text-decoration-style: init=
ial; text-decoration-color: initial'>Monika Majewska</SPAN></P>
<P>Sales Manager | Europe Region<BR>Azibulon Group<BR>Tel.: +49 901-9=
29-3401 - Ext.3<BR>Fax.: +49 901-929-3402</P>
解决方案
奇怪的。也许发件人也在使用 mailgun,虽然 mailgun 作为发件人对您来说是合法的,但您允许他们通过 SPF 为您发送邮件以及他们为您进行 DKIM 签名的事实表明 mailgun 可能不会将这些权限与mailgun的其他用户。我建议询问 mailgun 支持。我还建议将您的 SPF 默认机制更改为~all并设置 DMARC 记录,p=reject以便您也可以强制 From 标头匹配 - 这可以防止这种情况。
推荐阅读
- c# - 如何从foreach传递多个复选框参数
- apache-kafka - Jhipster 和 Kafka 2.x 得到很好的支持?
- python - DNNClassifier 与 EarlyStopping 的损失
- android - 另一个文本周围的 Nativescript 文本
- r - 如何从数组计算最大值?
- javascript - rss2json 不会获得我在 feed.xml 文件中放入的最新提要更新
- cassandra - 压缩 - TimeWindowCompactionStrategy Cassandra 3
- scala - 如何更改 StructType 的 StructField 中列的数据类型?
- javascript - 不明白我的“不必要的转义字符”错误来自哪里
- angular - 给定日期一年中的周数