DMARC report for mails I didn’t send
I set up DKIM, DMARC and SPF on my domain/server a few years ago, and never touched it again since then.
Here are my DNS records (my domain is mydomain.com and my IP addresses are 1.1.1.1 and 2001::1):
mydomain.com. 0 TXT "v=spf1 mx a ptr ip4:1.1.1.1 ip6:2001::1 include:_spf.google.com ?all"
dkim._domainkey.mydomain.com. 0 TXT "v=DKIM1; k=rsa; t=y; p=mykey;"
_dmarc.mydomain.com. 0 TXT "v=DMARC1; p=none; sp=none; rua=mailto:postmaster@mydomain.com; ruf=mailto:postmaster@mydomain.com; rf=afrf; pct=100; ri=86400"
I assumed that the configuration was OK, because DMARC reports I've been receiving for all this time seemed to be fine. An example of legit and valid DMARC report I received a few days ago:
<feedback>
<report_metadata>
<org_name>google.com</org_name>
<email>noreply-dmarc-support@google.com</email>
<extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info>
<report_id>XXX</report_id>
<date_range>
<begin>1570579200</begin>
<end>1570665599</end>
</date_range>
</report_metadata>
<policy_published>
<domain>mydomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>1.1.1.1</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>mydomain.com</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>mydomain.com</domain>
<result>pass</result>
<selector>dkim</selector>
</dkim>
<spf>
<domain>mydomain.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
</feedback>
Now the problem
For the first time ever, and for two days in a row, I've been receiving DMARC reports from mail.ru for emails I'm sure I didn't send. Although these DMARC reports show that both DKIM and SPF verifications failed (this should be reassuring, right?), I'm a bit worried of what it actually means. I've also checked my postfix logs, but nothing showed up.
This is the report I received this morning:
<feedback>
<report_metadata>
<org_name>Mail.Ru</org_name>
<email>dmarc_support@corp.mail.ru</email>
<extra_contact_info>http://help.mail.ru/mail-help</extra_contact_info>
<report_id>XXX</report_id>
<date_range>
<begin>1571443200</begin>
<end>1571529600</end>
</date_range>
</report_metadata>
<policy_published>
<domain>mydomain.com</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<sp>none</sp>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>50.205.119.150</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>somesubdomain.mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>somesubdomain.mydomain.com</domain>
<scope>mfrom</scope>
<result>neutral</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>46.225.251.206</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>somesubdomain.mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>somesubdomain.mydomain.com</domain>
<scope>mfrom</scope>
<result>neutral</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>66.208.117.227</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>fail</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>somesubdomain.mydomain.com</header_from>
</identifiers>
<auth_results>
<spf>
<domain>somesubdomain.mydomain.com</domain>
<scope>mfrom</scope>
<result>neutral</result>
</spf>
</auth_results>
</record>
</feedback>
Is there something I should worry about?
