I set up DKIM, SPF, and DMARC on an Ubuntu server a month ago. Everything seemed to be working fine, until I received a curious DMARC report. A rogue server managed to send an email that passed DKIM verification at Google.

How can this happen? Is this likely a replay 'attack' using an unchanged message?

<record>
  <row>
    <source_ip>RougeIP</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>host.com</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>host.com</domain>
      <result>pass</result>
    </dkim>
    <dkim>
      <domain>host.com</domain>
      <result>pass</result>
    </dkim>
    <spf>
      <domain>host.com</domain>
      <result>fail</result>
    </spf>
  </auth_results>
</record>
Exeter

1 Answer

Turns out DKIM is vulnerable to replay attacks, as documented here:

http://www.zdnet.com/article/dkim-useless-or-just-disappointing/

SPF failed as intended and the message was flagged properly.

Exeter
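As an added example (not code from the question or the answer above), the check a defender would run over such aggregate reports: parse the records and pull out rows where DKIM passed but SPF failed from an IP that is not one of your own senders, which is the footprint an unmodified, replayed message leaves. The sample report and the KNOWN_SENDERS set are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the aggregate report quoted in the question
# (two records; both IPs are documentation addresses, not real hosts).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>host.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>host.com</domain><result>pass</result></dkim>
      <spf><domain>host.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>host.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>host.com</domain><result>pass</result></dkim>
      <spf><domain>host.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

# Hypothetical: the addresses your own MTA sends from (what your SPF record lists).
KNOWN_SENDERS = {"198.51.100.5"}


def find_suspected_replays(report_xml, known_senders):
    """Return [(source_ip, count, header_from)] for rows where DKIM passed but
    SPF failed and the source is not one of our own senders. A replayed,
    unmodified message leaves exactly this pattern: the signature still
    verifies, but the relaying IP is not authorised to send for the domain."""
    root = ET.fromstring(report_xml)
    hits = []
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        header_from = rec.findtext("identifiers/header_from")
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim == "pass" and spf == "fail" and ip not in known_senders:
            hits.append((ip, count, header_from))
    return hits
```

Because a replayed message carries the original signature unchanged, the DKIM verdict alone cannot tell it apart from your own mail; signing with a short x= expiry tag (defined in RFC 6376) limits how long a captured message remains replayable.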