Dealing with messages caught as FRAUD (DKIM/DMARC/SPF)

Created by Yves Lacombe, Modified on Fri, 21 Jun at 8:50 AM by Yves Lacombe

Issues:


1. A message is classified as "FRAUD" and my end users can't release it from the digest.


2. I added a sender that was caught as "FRAUD" to my sender list (the trusted senders list) and its messages are still getting caught as FRAUD.



Answer:


This happens because the message is being blocked by Antispoofing. You need to add the sender's domain to the antispoofing exception list instead. The reason is that the new Antispoofing feature runs before the "classical" content filtering, and the normal trust mechanisms (such as the trusted senders list) do not apply at that layer.


Filtering Layers (very abridged):


{ connection blocking } ==> { antispoofing } ==> { Content Filtering }


Something caught as FRAUD (DMARC/DKIM/SPF) is classified as such at a layer that precedes the content-filtering whitelisting, which is where the trusted senders list resides.


Also, all FRAUD hits are admin-release only.



Sad Fact:  More and more legitimate organizations get SPF, DKIM and DMARC wrong. As companies grow they often fall victim to "shadow IT": for example, the marketing department starts using a cloud product that sends mail on the company's behalf, but nobody informs IT to update the SPF record, apply proper DKIM signatures, or set a proper DMARC policy.




To Fix:


You need to add the sending domain to the exceptions list. Which domain to use depends on what type of hit it was:


  • For DMARC: Use the "From Header" domain
  • For DKIM: Use the "From Header" domain
  • For SPF: Use the "Envelope From" (Envelope Sender) domain
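The following is an added example (not part of this article or of Proofpoint's product) showing how the rule above picks a different domain for each hit type. It assumes the envelope sender is available as the Return-Path header, and the sample message is constructed to match the "shadow IT" case: a vendor's bounce domain in the envelope, the company's domain in the From header.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a marketing platform sending on a company's behalf.
# The From header carries the company's domain; the envelope sender
# (recorded here in Return-Path) carries the vendor's bounce domain.
SAMPLE_MESSAGE = """\
Return-Path: <bounces+42@mailer.cloudvendor.example>
From: "Acme Marketing" <news@acme.example>
To: someone@recipient.example
Subject: June newsletter

Hello!
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or None
    when the header is missing or has no mailbox (e.g. a null sender)."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def exception_domain(raw_message, hit_type):
    """Domain to add to the antispoofing exception list for a FRAUD hit.

    DMARC and DKIM hits are keyed on the RFC 5322 From header domain;
    SPF hits are keyed on the envelope sender (RFC 5321 MAIL FROM), which
    this example assumes is available as the Return-Path header. A null
    envelope sender (<>) yields None: SPF then ran on the HELO identity,
    which cannot be recovered from the message itself.
    """
    msg = message_from_string(raw_message)
    hit = hit_type.strip().upper()
    if hit in ("DMARC", "DKIM"):
        return domain_of(msg.get("From"))
    if hit == "SPF":
        return domain_of(msg.get("Return-Path"))
    raise ValueError(f"unknown FRAUD hit type: {hit_type!r}")


if __name__ == "__main__":
    for hit in ("DMARC", "DKIM", "SPF"):
        print(f"{hit}: add {exception_domain(SAMPLE_MESSAGE, hit)}")
```

For the sample message a DMARC or DKIM hit points at acme.example, while an SPF hit points at mailer.cloudvendor.example, so adding only the From domain would not clear an SPF-based FRAUD classification.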


PS:  Proofpoint is planning on rolling out a toggle switch that will eventually let you allow end users to release this kind of message.