Organizations often see DMARC compatible sources sending out a small amount of email on their behalf, even though they do not use these sources. In this article we explain what is going on in these specific situations and what can be done to resolve it.
What are DMARC compatible sources?
When logged in to the DMARC Analyzer Suite, these sources are listed under the section ‘DMARC compatible sources’ within the ‘Per sending source’ overview.
DMARC compatible sources are sources which are capable of sending out DMARC compliant emails with SPF or DKIM authentication. These sources have online documentation available on how to set up SPF or DKIM for them. DMARC compatible sources are generally known as trustworthy sources; examples are O365, Google G Suite, Yahoo, Mandrill, Mimecast, Marketo, etc. So in general an organization does not have to worry.
Are DMARC compatible sources spoofing organizations?
When DMARC compatible sources are sending out small volumes of email on behalf of an organization, this generally indicates forwarding issues. This means an organization is not actually using these sources, but the emails are sent by one of their legitimate sources and automatically forwarded. So it looks like these DMARC compatible sources are spoofing an organization, but in most situations it is actually a case of automatic forwarding. If you check the details of the messages, you will quite often see references to this in the hostnames of the senders, as these can contain words like forward, relay or fw. If a source automatically forwards emails, this can cause authentication problems. For more information about forwarding within DMARC, we refer to our article: what is forwarding within DMARC?
How can these problems be resolved?
Since it is not possible to control who automatically forwards emails, organizations cannot directly resolve this issue. The issue can be resolved by signing all emails from authorized sources with DKIM. DKIM can survive automatic forwarding, and it makes it possible to trace forwarded messages back to their original source. This can help with analyzing the DMARC data. It is important that email from every source which is allowed to send on behalf of an organization is signed with DKIM. This should be set up in such a way that alignment is achieved. We refer to our other articles on what is DKIM and what is alignment for more information on how to start authenticating emails with DKIM.
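
The triage described in the two sections above can be sketched against DMARC aggregate report records. This is an added example, not code from the DMARC Analyzer Suite: the report fragment, IP addresses, reverse-DNS names, the `small_volume` threshold and the verdict strings are constructed assumptions, and the verdicts are heuristics rather than proof of forwarding.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: records from a DMARC aggregate report for example.com.
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>3</count>
 <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><selector>esp1</selector>
 <result>pass</result></dkim></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>2</count>
 <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <auth_results/></record>
<record><row><source_ip>203.0.113.5</source_ip><count>1200</count>
 <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
 <auth_results><dkim><domain>example.com</domain><selector>corp</selector>
 <result>pass</result></dkim></auth_results></record>
</feedback>"""

# Constructed reverse-DNS names; a real run would resolve each source_ip.
SAMPLE_PTR = {"192.0.2.10": "mail-fw-3.example.net",
              "198.51.100.7": "forwarder1.example.org",
              "203.0.113.5": "out.mail.example.com"}
HINTS = ("forward", "relay", "fw")  # hostname words named in the article

def looks_like_forwarder(hostname):
    labels = re.split(r"[^a-z]+", hostname.lower())
    return any(label.startswith(HINTS) for label in labels)

def classify(report_xml, ptr_names, small_volume=10):
    """Map source_ip -> (verdict, passing DKIM 'domain/selector' or None)."""
    verdicts = {}
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")  # aligned DKIM result
        spf = rec.findtext("row/policy_evaluated/spf")    # aligned SPF result
        sig = rec.find("auth_results/dkim[result='pass']")
        signer = f"{sig.findtext('domain')}/{sig.findtext('selector')}" if sig is not None else None
        if dkim == "pass" and spf == "fail":
            verdict = "consistent with forwarding, DKIM intact"
        elif dkim == "pass" or spf == "pass":
            verdict = "authenticated"
        elif count <= small_volume and looks_like_forwarder(ptr_names.get(ip, "")):
            verdict = "possible forward, no aligned DKIM"
        else:
            verdict = "unauthenticated, investigate"
        verdicts[ip] = (verdict, signer)
    return verdicts
```

The signer value in the first verdict is what lets a forwarded message be traced back to the authorized source that signed it; the second verdict is the case that disappears once every authorized source signs with an aligned DKIM key.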