Lawrence Wagerfield
Asked: 2021-12-13 11:30:56 +0800 CST

How did this email pass DMARC?

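Today we received a spoofed email: it was sent to us "from us". (Assume we own foo.com - the real domain has been redacted.)

This is unsettling because it shows as "from foo.com", but the sender is definitely not from "foo.com".

The mailbox "[email protected]" is a Google Group, set up to allow anyone to "publish posts" (i.e. people on the internet can send messages to it like a normal mailbox), but only members of "foo.com" can view those "posts" (i.e. the emails received).

We have DMARC (p=reject), DKIM and SPF configured.

Our DNS: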

TXT foo.com                   "v=spf1 include:_spf.google.com include:helpscoutemail.com ~all"

TXT _dmarc.foo.com            "v=DMARC1; p=reject; rua=mailto:[email protected];ruf=mailto:[email protected]; pct=100; aspf=r; adkim=r;"

TXT google._domainkey.foo.com "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B..."

The message's headers:

Delivered-To: [email protected]
Received: by 2002:ad4:552d:0:0:0:0:0 with SMTP id ba13csp6199730qvb;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-Received: by 2002:a05:6102:a46:: with SMTP id i6mr23802281vss.19.1639329284522;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
ARC-Seal: i=3; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=WReYbvjEI4p+IYx6Y3fT/N5jiaEEA60C4t/3utW/afsQbsrWaMMeWv51lxVOb/HvIx
         oLaSaK6Hskbjeo9rUnYYIlZEnT9ME4Gf/1tfyVXC+YTRBsBEWHCKr064RzBS9X8LUr2C
         Mo++Fm16blzUIgR8wZoq54WwY7ZK6POjEOXWqUqvKsJOk6GyrAgxza2DrKJsOYCFBu2G
         wzH+gfyx7HwCSNzcd+u18ByLyzXLs1vPW7/T5ztP5v+02QHLTG2snvrrW8TwWpGtDLt3
         zU8oGksIcHluHiQwYS056Prsa7/4rHng9D9QNIP6AjlamZejEAlAZjlbajLt4xM17Ozn
         Xt8A==
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=qHESIMBiX+DsyurBJ3jkT1tBYiQGFfvjr57xoDFsgoF/KhZNtVfb1JjwT/klZN/Phu
         NoXTTYULEP9j64ynhf6ug1ACwgUqoFieD3fsMpBhO6PrnwjxxU/E8c8TH2eJNR5/SiQm
         9k9/PCH1Vr48EjXGwfBCDV18bkwCyZnYfBGHoskl3EM0WeTIoA3x8s8EGUc4+TSRXUhq
         +tA+2fbTJlofwk5z0Oga5fICZVcPeKPTWSltaXuuUOgpViq9JWbVkWx7+HonhJxzzMw0
         o7LcUhOXfQHutnKRs/Xpaa73AwDgT30QtEn0T1JBnl2Vl9RjH9+nhdWxHjQ0QLdEDPB3
         Xkdw==
ARC-Authentication-Results: i=3; mx.google.com;
       dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
Return-Path: <[email protected]>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
        by mx.google.com with SMTPS id v33sor3392168uad.28.2021.12.12.09.14.44
        for <[email protected]>
        (Google Transport Security);
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=20210112 header.b=pcMriXR7;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dkim=pass dkdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       spf=pass (google.com: domain of [email protected] designates 209.85.220.69 as permitted sender) [email protected];
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
ARC-Seal: i=2; a=rsa-sha256; t=1639329284; cv=pass;
        d=google.com; s=arc-20160816;
        b=A2s3aYE1vCQIscDH9RsEl6k0DGqxlZiSGi1iQgz57BP+AWIVt5X9b7nyraOJ8F6DPL
         tga5EsK1KrNHLURbQTBSO+pyg862afsmkhS/VFD3sBxSj6hhnc4oCpVJ3rPUWVxSE5IB
         z4NH0ujDotd4dBNBReOsLfetWC0BeyV6nvHfENuJM+PcpR2vO42O3zWARnvq0wtqZYPd
         eBbEJcfX5V6dGi7K9a5I4s+Hrz4V5VNQO8772L+lDQyRdthazJiKgKmB+jX+rztxflIM
         r9efmFXPwO8t3LVtqOzPFfQJqQiMJ9en62O4ZUwbdKxdLzx8Iw9BLVVm0SkDFpXIQTod
         lU2Q==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-archive:list-help:list-post:list-id
         :mailing-list:precedence:reply-to:to:message-id:subject:date
         :mime-version:from:content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=fXMcTPuKuu1Ahb/4kHcUPsbwEnwqaLpheL7AOFtyzp7FKfdBOErXZFdf1zCbmSX7S1
         Gi3D/zlXgcSAmHFUj1eOeuZwaUp3IWo2pkQiN5aMJ9oLlWaEbC/JLsthY8uh0zUSIuX/
         +Wdwjdpy1ZglE49PhkqGrFEr8ND1O/m8ETTHF1M9LhzWwR1c42MM3N17hUFMHcF4x6oz
         nq8M+JQy0V+Foz5AKXPRJGedCgpwGGBcRgoMW+xn/UaSgH1TgHiK82cL6Xy3ScisHeLo
         Wadb7qdxrMKrpn2H5ZvH0rq2VEvTNrLfrxKqO79a4WoohanhBf9Y/5eUckK2pm4nrHNC
         DWhg==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=foo-com.20210112.gappssmtp.com; s=20210112;
        h=content-transfer-encoding:from:mime-version:date:subject:message-id
         :to:x-original-sender:x-original-authentication-results:reply-to
         :precedence:mailing-list:list-id:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=pcMriXR70y9+xfVEs+8AoajJ0xymE3UTgGyG2NmKWWjdf05SzeYGX8w1GX3rVZ1hG+
         QGcKfhU2Ra9bmXS2sAz2g8iDtWvnoTj+TDFnMs9OWFWSLRLr/wqDqSKnQGrCUr2Y/k/f
         Q9j7R5eV2nwkYa1XIRAAJaanwMw/y5uDSv04a7bf4itRHQWv3sBD0YaK7KW9X3/UhUOc
         5sKMmmK44qVb3NMkOQdureAtqPhUthfkVfQJElPAAUh1LtMy7lyS1g1KqGcUzm1D2WaY
         wI6UkGWu9smajIb7O2SPVCCOPPCurlGWKD9eC6xdz9Av1qZZlMIyn+eNJDSik9JnG7/w
         aFiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:content-transfer-encoding:from:mime-version:date
         :subject:message-id:to:x-original-sender
         :x-original-authentication-results:reply-to:precedence:mailing-list
         :list-id:x-spam-checked-in-group:list-post:list-help:list-archive
         :list-unsubscribe;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=AwA9C6EysiLXrTEGUbzx+5vqODTMTskz7zHz2xe1quctysAvVhk58jn1xx322hfhh1
         yqXDXN/aE2MZwMrS++nikbt7lAJZfoNdpV8rKMgc0lb98yXjnd4n3tidH68eVp0cTVE2
         IYeKviGklV95rwOCQXuooqAKzN9/UJwGtH3C/NYZQnZQrGcFuIe5L5f5taRW/lby9IBN
         5u+rTEBn1UaNjDAVX13MbSpN6hjMGNmr1GaFiFSmnBeMBIH0pOzT3+UIR16Sza5unglm
         vkGD5OxPZGdH+fujwjjqrwjvmZSA1k9AhEvujR8B4FpgxGCreExueBMJcmWatPeSpmBO
         fjEA==
X-Gm-Message-State: AOAM531eWx5fz9pqU8qZS4uNtUeKxraKEAR9y1v6gcqUG3XiMb0qBByI FhppMXUtlC8OQUQYY5dXRcAfUe4+
X-Google-Smtp-Source: ABdhPJxynnRydm4JBkMLYoGgqV5RwhkwWcH4Z4w/ljLx6E0GPOqp9cSaCwpFSv4oC456afPUA5CYQA==
X-Received: by 2002:ab0:c10:: with SMTP id a16mr37954454uak.51.1639329284212;
        Sun, 12 Dec 2021 09:14:44 -0800 (PST)
X-BeenThere: [email protected]
Received: by 2002:a05:6102:2454:: with SMTP id g20ls4382592vss.4.gmail; Sun, 12 Dec 2021 09:14:43 -0800 (PST)
X-Received: by 2002:a05:6102:508c:: with SMTP id bl12mr23055020vsb.73.1639329283746;
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1639329283; cv=none;
        d=google.com; s=arc-20160816;
        b=0ToKjpZRQyjPknycN2z3IfIE1Iv7fkhCJbCVUn129k6GVlQVRq7t1xSCqEXMUpWfbb
         vdYNomuAczbfJOR/0o4gBaiPYM4l2L8A8BgUcx2LW26PPeMg1OKO6xexmcO0Qu79Vp+4
         23N3Alz3gRrG44HSkGQ13CwkukROblWgUMZ72U4nO30y0w38NZk4y1aPTPhV+TuFDWsY
         RLSYc3eLKdExhzkmnEgtyDKI/kHLZ++mgu4aFbK6SB4b8uB6v4onz7ONR+/BTGVwcnIs
         pOC6Xv6GwfBXu839bAhi94H83xV7QD5NFWuh0gMm445CzVz09zeesh89Qxcm/U/fKKI0
         6jbw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:message-id:subject:date:mime-version:from
         :content-transfer-encoding:dkim-signature;
        bh=4ht9G50SlYlr7BPTCuy+KjNotHQlLEXbSKghIYlF3TI=;
        b=VMzdwjpJVsJyaKxFawsaBAj83gW8hSdi5iOxGMCrQaQ39h5lkhZAM/cc4rtc3RbAt3
         ZmpKTQ0Pdgb+MgpaIOT6X5szReSt7ZVMNsjsKOe2tkfhaC94azGx4H1MdopSdDnPqZoB
         wvlUU3H16eWofWXcgKNj236adKuN0x3rzeTAKCCjNjwNfOOg5H5Y//pTOtqHc+A3XQjP
         HsGhTohABGTAy68aVCBeHeh/2R5NRy+KuI7ipqkcwO6uPpnue4mMP7B6JtGjDOaiDJXs
         7wZ/G3p4fuJPCSeQWuPD6YzK+0dg3cw5GpNQHLib70Q6g41Ws70727llGEc0Ef89B+o/
         z8BQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
Received: from st43p00im-zteg10073501.me.com (st43p00im-zteg10073501.me.com. [17.58.63.180])
        by mx.google.com with ESMTPS id x11si6141232vss.670.2021.12.12.09.14.43
        for <[email protected]>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 Dec 2021 09:14:43 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) client-ip=17.58.63.180;
Received: from smtpclient.apple (49.sub-174-209-97.myvzw.com [174.209.97.49]) by st43p00im-zteg10073501.me.com (Postfix) with ESMTPSA id 49D5FAE07BE for <[email protected]>; Sun, 12 Dec 2021 17:14:42 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: "'The Spammer' via Hello" <[email protected]>
Mime-Version: 1.0 (1.0)
Date: Sun, 12 Dec 2021 12:14:40 -0500
Subject: Helping what I already have!
Message-Id: <[email protected]>
To: [email protected]
X-Mailer: iPhone Mail (19B74)
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.1.170-22c6f66c430a71ce266a39bfe25bc2903e8d5c8f:6.0.425,18.0.790,17.11.62.513.0000000 definitions=2021-12-12_06:2021-12-08_01,2021-12-12_06,2021-12-02_01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 mlxscore=0 malwarescore=0 clxscore=1011 spamscore=0 adultscore=0 bulkscore=0 suspectscore=0 mlxlogscore=485 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2009150000 definitions=main-2112120106
X-Original-Sender: [email protected]
X-Original-Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=1a1hai header.b=Jw3cDWAa;
       spf=pass (google.com: domain of [email protected] designates 17.58.63.180 as permitted sender) [email protected];
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=icloud.com
X-Original-From: The Spammer <[email protected]>
Reply-To: The Spammer <[email protected]>
Precedence: list
Mailing-list: list [email protected]; contact [email protected]
List-ID: <hello.foo.com>
X-Spam-Checked-In-Group: [email protected]
X-Google-Group-Id: 138202709934
List-Post: <https://groups.google.com/a/foo.com/group/hello/post>, <mailto:[email protected]>
List-Help: <https://support.google.com/a/foo.com/bin/topic.py?topic=25838>, <mailto:[email protected]>
List-Archive: <https://groups.google.com/a/foo.com/group/hello/>
List-Unsubscribe: <mailto:[email protected]>, <https://groups.google.com/a/foo.com/group/hello/subscribe>



Sent from my iPhone

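Why was this email allowed through?

Is it that icloud.com (the sender's SMTP server) doesn't honour DMARC, so it accepted the email and then forwarded it to gmail, and gmail assumed icloud.com had done the initial DMARC check, so didn't bother? (Sorry, I'm very green in this area.)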

email spf dkim dmarc phishing

1 Answer

  1. Best Answer
    shearn89
    2021-12-16T01:45:35+08:00

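    I won't claim to be an expert on this, but the IETF page for the X-Original-From header seems to imply that this is expected behaviour when sending email to a Google Apps mailing list.

    Google Apps currently implements "aliases" as Google Groups (this has been in place for many years; before that there were separate aliases and groups). So a [email protected] address that redirects to internal users or an external CRM tool (salesforce) will receive a group-rewritten message. Because of the rewriting, these messages will not pass DKIM, so if they come from a DMARC p=REJECT/QUARANTINE domain, e.g. yahoo.com, the from header will be rewritten to the group name ([email protected]) and x-original-from will be the original sender.

    Have you checked the Google DMARC page to see whether the troubleshooting steps help you?

    Given that the spammer is sending from an iCloud address, could you update your policy to block based on that X-Original-From header?

    EDIT: Re-reading the question, I don't think it has been spoofed - I think Google Apps rewriting the "From" address is intentional/default behaviour. Have you tested sending an email to the mailbox from a non-domain email address (e.g. a throwaway hotmail account or similar)? Do you get the same behaviour?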

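The group rewrite described in the answer can be recognised from the headers alone. The following is an added example, not part of the original question or answer: it flags messages whose visible From is your own domain only because a list rewrote it. The sample message is constructed (the local parts are placeholders, since the page redacts the addresses), and the names `analyse`, `dmarc_result` and `our_domain` are chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the question's headers; the local parts
# (hello@, sender@) are placeholders because the page redacts the addresses.
SAMPLE = """\
Authentication-Results: mx.google.com;
       arc=pass (i=2 spf=pass spfdomain=icloud.com dmarc=pass fromdomain=icloud.com);
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=foo.com
From: "'The Spammer' via Hello" <hello@foo.com>
X-Original-From: The Spammer <sender@icloud.com>
List-ID: <hello.foo.com>
Subject: Helping what I already have!

Sent from my iPhone
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From-style header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dmarc_result(auth_results):
    """(verdict, header.from domain) from an Authentication-Results value."""
    # Drop parenthesised comments first: the arc=(...) comment carries its own
    # 'dmarc=pass' for the *original* sender and must not be mistaken for ours.
    bare = re.sub(r"\([^()]*\)", "", auth_results or "")
    m = re.search(r"\bdmarc=(\w+)\s+header\.from=([\w.-]+)", bare)
    return (m.group(1).lower(), m.group(2).lower()) if m else (None, None)

def analyse(raw, our_domain):
    msg = message_from_string(raw)
    visible = domain_of(msg["From"])
    original = domain_of(msg["X-Original-From"])
    verdict, checked = dmarc_result(msg["Authentication-Results"])
    # A list rewrite leaves List-ID plus an X-Original-From from another domain.
    rewritten = bool(msg["List-ID"]) and bool(original) and original != visible
    return {
        "visible_from_domain": visible,
        "original_from_domain": original or None,
        "dmarc": verdict,
        "dmarc_checked_domain": checked,
        "list_rewritten": rewritten,
        # DMARC passed for our domain, yet the author is external.
        "external_via_own_list": rewritten and visible == our_domain,
    }

if __name__ == "__main__":
    print(analyse(SAMPLE, "foo.com"))
```

A mail filter or triage script can use `external_via_own_list` to label such messages as external even though `dmarc=pass` is reported for the organisation's own domain.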
