We have DKIM/SPF filtering enabled but BCC stuff like this is still getting by the filters.
How can we block emails like this with ME's DKIM filtering?
Received-SPF: pass ({server}: domain of wespeed.com.br designates 40.93.21.54 as permitted sender)
client-ip=40.93.21.54
Received: from CP3P284CU006.outbound.protection.outlook.com (mail-brazilsouthazlp17012054.outbound.protection.outlook.com [40.93.21.54]) by {server} with
MailEnable ESMTPS (version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384); Fri, 8 Nov 2024 12:51:07 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none;
b=PEu1rXhcZ5+1PRqK3Wvo7GIUM0jbksv66xuVedcaowQ4gb6DwBiVBfyq3n/+OSwbBoBOcMdWzlscqtdE78w+v13drGvW0SzAfn6qN1XE1a72tKphDBn/b90tDxCMPpQJYosT3kicCJ/05F503VJvM/4rOS30+JfAEp0gqP2BDqHNrxcx01dW9PKa2tkbF0NMTN5A6uvvksoIpW/z/mkOf2Kk8k3jAGhfikfG0empXm9YoCCc3f749sjhu/yVtTzNIa06vz2lfssTVMZ3rBAsfG3BLtie8HR1MPuujkir2T4TpEb1GmNf4Gvhz4oK+BffU2o/j26msEGiuGGOZ7yDMw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector10001;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=LlCMIr9yarAkUJzJOGs2RWmjfvgsJTkhRpiRfG8QMvc=;
b=QfQ0EARPMx3sG0DQMLYuzO4kAfuJlmBqSyaX5kIowZwZxlYdgoiLb6cxAKcbmyM329C9YQjO1v6EalcmDxUdQkt+vzBqZ1fKXcNAEnIo2lz72s1svYxR8qjEhfh3GIqmNJqJ4ef5yy3a7eSV/FWgWlfSJqslU+8K7iRJtGKuJma/S0YBAiuyVurk9arfeiTN4xuBe+vUj25R655MZzvnzPF6oQPmB16pcJujbWY45J7EJVdMBjmOGQbUprjNnkNkSJRvG4nQIvgoKb4smUXsB/6edWLb9Yy+jnymyObeAHSw2B4JM1N7QkQ7+jQKwIf188jQYxN30aXJAllJr59NXw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
Received: from SmtpServer.Submit by CP8P284MB2113 with Microsoft SMTP Server
id 15.20.8137.21; Fri, 8 Nov 2024 18:51:06 +0000
Received: from CP3P284CA0138.BRAP284.PROD.OUTLOOK.COM (2603103:6a::23)
by CP8P284MB2495.BRAP284.PROD.OUTLOOK.COM (2603103:2d9::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.21; Fri, 8 Nov
2024 17:47:58 +0000
Received: from CP1PEPF00007734.BRAP284.PROD.OUTLOOK.COM
(2603103:6a:cafe::3e) by CP3P284CA0138.outlook.office365.com
(2603103:6a::23) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8137.21 via Frontend
Transport; Fri, 8 Nov 2024 17:47:58 +0000
Authentication-Results: spf=pass (sender IP is 66.211.170.92)
smtp.mailfrom=paypal.com; dkim=pass (signature was verified)
header.d=paypal.com;dmarc=pass action=none
header.from=paypal.com;compauth=pass reason=100
Received-SPF: Pass (protection.outlook.com: domain of paypal.com designates
66.211.170.92 as permitted sender) receiver=protection.outlook.com;
client-ip=66.211.170.92; helo=mx8.phx.paypal.com; pr=C
Received: from mx8.phx.paypal.com (66.211.170.92) by
CP1PEPF00007734.mail.protection.outlook.com (10.167.241.22) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.8137.17 via Frontend Transport; Fri, 8 Nov 2024 17:47:56 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.com; s=pp-dkim1; c=relaxed/relaxed;
q=dns/txt; i=@paypal.com; t=1731088075;
h=From:From:Subject:Date:To:MIME-Version:Content-Type;
bh=LlCMIr9yarAkUJzJOGs2RWmjfvgsJTkhRpiRfG8QMvc=;
b=IoKLI3IObpS/M7Yh8ochZvx4Gg7E08e/v9dQiJzOT1ykqKivQBWxFKsdHk5bBabU
AEruLEUFosqgCUkrDkq5N0nCnOFJ1kwipYf2gOXSqTj6PzbdmhRXX/7Ow18VOUbZ
DX/Y0TLrMQbvlbyxa9mYfm30YfVFXzZjClSBXYZg/3HpLV2F9nctA9sKfMdtYoNI
W1NsegPoKuKSCAgQuo02neJd0ZewFME9vvPqXkjiQBfQ2sUWW998hNJW7rB2Bk58
y8nzNasYjzTyNZEkm3Uzk/B72Zd3w6kT6FIWgvgmlp8l0H35HPe2KzZBRnXcyzN6
qxe1aBJW3HNr/KfxEUp+ww==;
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Fri, 08 Nov 2024 09:47:55 -0800
Message-ID: <08.2F.02696.BCE4E276@ccg01mail08>
MIME-Version: 1.0
From: "service@paypal.com" <service@paypal.com>
To: "user@wespeed. com. br" <user@wespeed.com.br>
Subject:
=?UTF-8?B?SW52b2ljZSBmcm9tIPCdkI/wnZCa8J2QsvCdkI/wnZCa8J2QpSAoMDEyMik=?=
X-MaxCode-Template: RT000238
X-PP-Priority: 0-none-true
PP-Correlation-Id: f9225292612f3
X-PP-Email-transmission-Id: 954e7838-9df9-11ef-8bfb-1d016aa4c81f
X-PP-REQUESTED-TIME: 1731088065979
X-Email-Type-Id: RT000238
AMQ-Delivery-Message-Id: nullval
X-XPT-XSL-Name: nullval
Return-Path: <bounces+SRS=4FBqQ=SD@wespeed.com.br>
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 6e9d2b63-5ef1-4e33-a657-7ea0f02c8dac:0
X-MS-TrafficTypeDiagnostic:
CP1PEPF00007734:EE_|CP8P284MB2495:EE_|CP8P284MB2113:EE_ReleasedQuarantineMessage
X-MS-Office365-Filtering-Correlation-Id: dc9bff60-bef3-4db1-92a4-08dd001d7b17
X-Microsoft-Antispam:
BCL:4;ARA:13230040|6062899009|69100299015|5082899009|2092899012|3072899012|3092899012|4092899012|5062899012|1032899013|12012899012|13102899012|13012899012|8096899003|2066899003|3613699012;
X-Microsoft-Antispam-Message-Info:
=?utf-8?B?RUtOOUNVTi9TYU9LY3V3cDdiU0UzM1BlaE5PTDFNcWlIanMrS0FRMlA3OE04?=
=?utf-8?B?RnVhWUFJUXZhY1JyaURVR2lNQlJEY3hIb3VyYWdmeEQ5OUxhZUVwVWxvOVZF?=
=?utf-8?B?SUVPay8yUGk3ckRlc3c2L1ZsRDhCQUp5RnVpa3J5eFpDaDlqVCtQRDNYMjFa?=
=?utf-8?B?RVFsU2dmMERRR1E1UElHUEw5ZTNlT3J0WmFTZEV0MWlmdnF3cDRDNHU0UHFh?=
=?utf-8?B?bjB5QnN6Z2Q1a2gwUVorRWhscm41RlNQQk5RT2wwTUc0dnJFL1QrbFpZLzVZ?=
=?utf-8?B?SFBDUldJMEVtODNLeUJFMWNWS1RwZ0p0OVdkSENod01NVm9kcVRhT0Z2T21y?=
=?utf-8?B?b3RXY0tUTit6QzJyVll3V3drZ0kwQVliVEJkWnJaTWJNUzJreFVqOVBFUGtP?=
=?utf-8?B?V0luS09aZFhpODB5VVVBMnQrMkgxYXQ0QjRJcFVVOXMxa0QxdmtIZmU2NUhK?=
=?utf-8?B?QW9DYmN4bGZFT2w2amFxM01nMm9TeXJyUFNvc3MwT0d2MTIvSUJtYUVnZGh2?=
=?utf-8?B?S0pGalZTcGEzT3pFWFUrd2JScVFBTDNKRE43ZDIrQmUzQlkzVTltaUM3NGx0?=
=?utf-8?B?NHJJMmhvRnVEQXVuY3VlWEQ1UHhHN0RFdndMNE9ldS9NUDFocUluNVNGNkkv?=
=?utf-8?B?TVdHbEJiclU1R2trdkVLTFl3bUdkT2k2K093bjZTZUg4amoxdGNFNkV4MFpp?=
=?utf-8?B?all6bEZXeEZMRFZPYzZGeFYrVWtJQnBjWFBrTmRaTHhMTEg0MzZYRmZ6V1pU?=
=?utf-8?B?NktVcjYydTZMcXJmOGJUSm1xVkZ4MFBFWElPUlZDQmE1SG41VWwzcHo2aUVL?=
=?utf-8?B?K0l5YlluV0FUVC8zSEQxb0RYL2creUIwNnQrakFVT0N5bEFKQm1DdTdzeVJz?=
=?utf-8?B?bkRseHVmVVVwL1ZJeStESTRzd1p6dG5sRFdIdGQ3UGQrd0M4Ti80ZEE0WVZs?=
=?utf-8?B?eHlQVzBudDdrWjBTT3BBWHc4THhvcVFTOWEzQURyQVQzVkkzK1IyNFdtUzV0?=
=?utf-8?B?YVBwQ09lbm02QUtzYjQrNE9seSszMmhadmlUSitmL0NnaU85SUU5L0N2QlN4?=
=?utf-8?B?eXVZcCtaZnZ1amxhRmdSSlJ0dVgzWDBEZ2RrSzZwNXBybTZab3RmZkxnZnFv?=
=?utf-8?B?TGtQTWNtdzRTKzVlOFZUN3hDRXpMTnlBUUNoam02RDRub2JzcXllQmhDekZL?=
=?utf-8?B?ekVBMXM2SUcwOHZ2eWVxdXg3VDd6TXBJQzFkMnFSUXpLTHUxTVRKRDRwNXh6?=
=?utf-8?B?ek94dEJ1b085YXlIbzhudENJL2pEWldES0JkVUNTMURWWG5GUzZkZkJpTDBy?=
=?utf-8?B?TmtTYXp4bXE3YldQVWtYMXd5SFdKLytqUmRuaXJTV0IwSU9WQmZHMmE4WlJW?=
=?utf-8?B?SkpTYURHRUZOelRHWFRZMzRKckJ0SjhVaHZPY3FaaHcxQlEwcXZFdHlnL3hw?=
=?utf-8?B?MnkxbTVIUUoyc29YcUh6Mm03WHVFb3NpcE1KY1ZiN1Rxd1VlRzl0UTJ1aWVL?=
=?utf-8?B?b0lQQ3dZZWR2Y2kyd0xxZFhGVDZ4OGpsMUFtdFlHRUZxLytPNUNTY1V4QTRl?=
=?utf-8?B?UVFTaTlXU1JtajArRUNITUFZeWNybVFGWlBPS2lZSzNwUDVheE1ydUlHTnRn?=
=?utf-8?B?bzFpMG5mVDQrVUZJaWtDRlV6MWVqemtuYnRUVDI5cDByMnlIQWYrU0R2REZm?=
=?utf-8?B?TkkyYkk4RXg0NVB3SzExcmc0RWZEY0RTdHBiSnVsVm8zOEs4SktwU3NsUkFB?=
=?utf-8?B?UHRrZmRBN3NGN3ZqcXlSY0tkM0I0ODBLbjJmVVVuUTVva05YSWhRekZ1NGRB?=
=?utf-8?B?M01iK0VsRTdnNjQzamJnMHdmVWt0eEZDTEE4cjRLVmxER1BWdW9Ebjdqa2t5?=
=?utf-8?B?THF4MytPc016WHhQYXVaVE4zVldsYWJiM0lJa0tDYVcxMTBuKzd0d1ExZ0JX?=
=?utf-8?B?bHVzU1ppaUUyY1FkSVgrbWlKQ290Zm44QkRxV2pEZUhqUmd2QTlFWllveFNC?=
=?utf-8?B?TXZoak0wVXpBMEdrQndHYWJjcHJVR1daUkJROXlvS2xCbnJwdm5sYkNMTW5J?=
=?utf-8?B?RHkvQUNndlpheUhQc1VqUks1dzBpNHJuWG93ZXowZFl1SVhtTjZzVFZQeG4v?=
=?utf-8?B?OFg3UUJuQ3VlVHUxWVI5eGpJdEhydEVlUUZDQTBSNG4rWkdsYUlFeWhJdjNm?=
=?utf-8?B?OENURDdaM2YwZVRSdmxsN1NXYStKcnpVRkt2ODN1a2dna0plVER5clN4STF0?=
=?utf-8?B?SkljMUJ3aFI3eDFXbGd0SWdYckVoR2FlYVRJbSttYks2OVdkNUl5S2J1UGNK?=
=?utf-8?B?ZjFPUEpMRVJjWFFLTmtjQUlpempzK3dXNEt0Rk9WaWw1K1B1eC9tdjB3WkZp?=
=?utf-8?B?WlhpRUxNU00rZHJpbUVkcUpqM0s3bjhmTWhCd3NnNFJSMDZBeStaTWRHejlv?=
=?utf-8?B?em1Yc01TOFBZVWVsTlVVNVpFUENiMW5MMS9sM1I5SHI0V3pmaGY5eFVjdXN2?=
=?utf-8?B?Rkl2Z1hoWGZoSUR3NUtnWjVHUXpKTXJzSnZkb2cvenk4VWQ5NW51N0JaV0JN?=
=?utf-8?B?dURlNmVhZ0tieFZVTmtZMG1ZOExiMEhMR1A4Z3Jhd3FINlhZOENKeFRlZHFx?=
=?utf-8?B?aHJzY2grUUUxSjdLUHpRVC9JN3BGVi9SbFRoMUZ1TnJtbkdTT1FCOWYwVGtH?=
=?utf-8?B?aDd2L0g3dkpmWlFuWVVEWVdkK0plRnJIRFR4SFA4cFQ2TUp4b0JIbGhrcWtG?=
=?utf-8?Q?4rLEym1I/Z3ZhFYZ1k5WJ5i?=
X-Forefront-Antispam-Report:
CIP:66.211.170.92;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKQ;H:mx8.phx.paypal.com;PTR:mx8.phx.paypal.com;CAT:NONE;SFS:(13230040)(6062899009)(69100299015)(5082899009)(2092899012)(3072899012)(3092899012)(4092899012)(5062899012)(1032899013)(12012899012)(13102899012)(13012899012)(8096899003)(2066899003)(3613699012);DIR:INB;
X-MS-Exchange-QuarantineResubmitTime:
ZYJF6BKZg1BG/WwMMQXauorKcEiJppb0ZNoSmiuQdsIAU9LQoYhLbVoxid4fbq18h9PZEu2v4DY8eWsnrn9iqHAr7xORGUnv3zc58vqrFGCsgyQT0BAIdvAoMm29bnoxeQprGVcwEncp6b0EfGfQD41JFS3X6lbHNZ23qYm2jOnt1zIsH6ou3AbmzMcCl+nzh6kTMYJInIH81HqRzFeA1obF2wenJki4FvdqSejixj0=
X-MS-PublicTrafficType: Email
Sender: "service@paypal.com" <service@paypal.com>
X-MS-Exchange-Parent-Message-Id: <SFV2WALIKOU4.SP31HLNQITCK3@cpzbra01ws004>
Auto-Submitted: auto-generated
X-MS-Exchange-Generated-Message-Source: Antispam Quarantine Agent
X-OriginatorOrg: wespeed.com.br
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 08 Nov 2024 17:47:56.6609
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: dc9bff60-bef3-4db1-92a4-08dd001d7b17
X-MS-Exchange-CrossTenant-Id: 6e9d2b63-5ef1-4e33-a657-7ea0f02c8dac
X-MS-Exchange-CrossTenant-AuthSource: CP1PEPF00007734.BRAP284.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CP8P284MB2113
X-ME-CountryOrigin: BR
X-Envelope-Sender: bounces+SRS=4FBqQ=SD@wespeed.com.br
X-ME-Bayesian: 0.000000
X-ME-Content: Deliver-To=Inbox
X-Read: 1
DKIM filtering not working correctly. WE NEED ARC VALIDATION
DKIM filtering not working correctly. WE NEED ARC VALIDATION
Last edited by kiamori on Fri Nov 08, 2024 7:45 pm, edited 1 time in total.
Re: DKIM filtering not working correctly.
As you can see they have passed this through o365 servers to but the dkim domain does not match the from domain.
Can we get an option to cross check from domain and dkim domain please!? ARC validation.
Something like this:
or even better,
Can we get an option to cross check from domain and dkim domain please!? ARC validation.
Something like this:
Code: Select all
FilterResult=0
If CriteriaMet([ME_HEADER_CONTAINS], "ARC-Seal", "i=") AND _
CriteriaMet([ME_HEADER_CONTAINS], "ARC-Message-Signature", "a=") AND _
CriteriaMet([ME_HEADER_CONTAINS], "ARC-Authentication-Results", "spf=pass; dkim=pass") Then
FilterResult=1
End If
Code: Select all
FilterResult=0
' Extract the DKIM Domain
Dim dkimDomain
dkimDomain = ""
If CriteriaMet([ME_HEADER_CONTAINS], "DKIM-Signature", "d=") Then
dkimDomain = ExtractDomainFromHeader([ME_MESSAGE_HEADERS], "DKIM-Signature", "d=")
End If
' Extract the SPF Domain
Dim spfDomain
spfDomain = ""
If CriteriaMet([ME_HEADER_CONTAINS], "Received-SPF", "domain of") Then
spfDomain = ExtractDomainFromHeader([ME_MESSAGE_HEADERS], "Received-SPF", "domain of")
End If
' Compare the DKIM and SPF Domains
If LCase(dkimDomain) <> LCase(spfDomain) Then
FilterResult=1
End If