My email setup: I'm using Google Apps. I have records for SPF (the generic Google one), DKIM (unique), and DMARC. My DMARC policy is using default values (but p=quarantine), which uses relaxed alignment mode for both SPF and DKIM as well as letting mail through if either passes (to avoid f/p of forwarding servers).
Basically, this new spam claims to come from my own domain, which it obviously isn't. Now usually this wouldn't be a problem since it should fail both SPF and DKIM. But it looks like this breed is passing (or at least not failing) SPF for some reason. I'm referring specifically to "Received-SPF" and "Authentication-Results", which makes it look like they're using a Gmail account to originate the spam, but the Gmail account itself obviously can't spoof email addresses on my domain. Later down it appears that they are, in fact, using a third party sender, but how does it pass SPF?
I'm quite confused about this header, could anyone with more experience in this area shed some light as to what's actually happening? Is there any change I can make to the DMARC policy to filter this out?
Delivered-To: email@example.com
Received: by 10.223.161.66 with SMTP id q2csp29576fax;
        Sat, 16 Feb 2013 13:11:56 -0800 (PST)
X-Received: by 10.220.116.5 with SMTP id k5mr9087041vcq.55.1361049116195;
        Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Return-Path: <firstname.lastname@example.org>
Received: from 201-212-133-238.cab.prima.net.ar (201-212-133-238.cab.prima.net.ar. [18.104.22.168])
        by mx.google.com with ESMTP id a1si13647855vdk.21.2013.02.16.13.11.54;
        Sat, 16 Feb 2013 13:11:56 -0800 (PST)
Received-SPF: neutral (google.com: 22.214.171.124 is neither permitted nor denied by domain of email@example.com) client-ip=126.96.36.199;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: 188.8.131.52 is neither permitted nor denied by domain of firstname.lastname@example.org) email@example.com
Message-ID: <511FF607.firstname.lastname@example.org>
Date: Sat, 16 Feb 2013 18:25:48 -0300
From: <email@example.com>, <firstname.lastname@example.org>, <email@example.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:184.108.40.206) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>
Subject: Take a spare three-hour work week in our clinic and get 580 dollars.
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
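How a receiver reaches a DMARC verdict under the relaxed, either-mechanism policy described in the post, as an added example that is not part of the original post: only an aligned `pass` counts, so an `spf=neutral` result like the one in the header above does not satisfy DMARC. The header values and domains are constructed, and the two-label organizational-domain shortcut is an assumption (real evaluators use the Public Suffix List).

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, domain)] for the spf/dkim entries of an
    Authentication-Results header value."""
    value = re.sub(r"\([^)]*\)", " ", value)       # strip (comments)
    entries = []
    for clause in value.split(";")[1:]:            # element 0 is the authserv-id
        m = re.search(r"\b(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"\b(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
        domain = d.group(1).split("@")[-1] if d else None
        entries.append((m.group(1), m.group(2).lower(), domain))
    return entries

def dmarc_evaluate(auth_results, from_domain, policy="quarantine"):
    """Relaxed alignment, either mechanism: DMARC passes only if SPF or DKIM
    returned exactly 'pass' for a domain sharing the From: organizational
    domain. neutral, none, softfail and fail all count as not passing."""
    for method, result, domain in parse_auth_results(auth_results):
        if result == "pass" and domain and org_domain(domain) == org_domain(from_domain):
            return ("pass", "none", method)
    return ("fail", policy, None)

# Constructed sample header values (not taken from the post).
SAMPLES = {
    "spoof, SPF neutral": "mx.example.net; spf=neutral (mx.example.net: 203.0.113.7 is "
        "neither permitted nor denied by domain of user@example.com) "
        "smtp.mailfrom=user@example.com",
    "legitimate": "mx.example.net; spf=pass smtp.mailfrom=user@example.com; "
        "dkim=pass header.d=example.com",
    "forwarded, DKIM survives": "mx.example.net; spf=fail smtp.mailfrom=user@example.com; "
        "dkim=pass header.d=mail.example.com",
    "SPF pass, unaligned": "mx.example.net; spf=pass smtp.mailfrom=bounce@sender.test; "
        "dkim=none",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:26} -> {dmarc_evaluate(header, 'example.com')}")
```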