Answer these questions to help the Community help you with Security questions.
What is the domain name?
Have you searched for an answer?
No, I contacted the provider
Please share your search results url:
When you tested your domain, what were the results?
No malicious software (Sucuri, Kaspersky), no blocklist
Describe the issue you are having:
Since yesterday I have been receiving abuse reports which, according to my host provider iFastnet, are linked to pharmacy spam. iFastnet blocked email sending (so no mail scripts can use their servers), and my MX records point to Protonmail, but abuse reports go to iFastnet. My Protonmail account does not seem compromised.
What error message or number are you receiving?
N/A
That is a DMARC report that you requested be sent to your mailbox when you published your DMARC policy at _dmarc.coscienzamaschile.com.
Depending on the volume of mail that claims to be from your domain and arrives at a provider that sends DMARC reports, an inbox can become quickly overwhelmed with such messages. It is best practice to not use a personal mailbox as the rua in a DMARC policy. The rua is sent aggregate DMARC reports in machine-readable XML format. They are meant to be automatically processed by an unattended mailbox with software attached to further aggregate the reports.
Thanks, so what do you suggest to do? Ignore the reports and block further ones? If I ignore the reports what can be the problems (website or email blocklisted or blocked etc.)?
Why would you block the reports when you asked for them? If you don’t like where they are being delivered, update the rua to a more sensible address, such as one assigned to you by a DMARC monitoring service. If you aren’t going to review your DMARC report data, and don’t want any reports sent, you simply can omit any rua from your DMARC policy, although I do not recommend that because it makes it much harder to know when your DMARC policy is causing you problems.
Before you do anything else, you need to delete one of the two DMARC records. It doesn’t matter which. Just delete one. Then fix the other one so that it tells reporters where you really want them to send their reports.
Both of the links in my earlier reply will lead you to plenty of resources to help you complete your task.
You don’t even have to accept DMARC reports, so why would anything happen if you ignore DMARC reports? You cannot control those who fraudulently send email impersonating your domain name. This means that one of the main reasons for reviewing those reports is to see if your emails are being affected. This can include things like adding a new email provider and forgetting to set up SPF and DKIM for them.
I cannot offer you any assurances that you won’t wind up on a blocklist due to any actions you take or fail to take. Anyone can create a blocklist for any reason and put anything they want in it.
I see that you still haven’t deleted the extra DMARC record. You really need to do that yesterday. As long as you have two DMARC records published you have bigger problems than spamming your inbox with DMARC report emails.
Delete both existing _dmarc TXT records and add only one back with the following:
v=DMARC1; p=none;
That should eventually stop the report emails. If you decide that you want to make further use of DMARC at a later date, choose a DMARC monitoring service and follow their instructions.
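The duplicate-record problem discussed above can be checked mechanically. The following is an added example, not code from any poster in this thread; the function names are hypothetical and every record value is a constructed sample.

```python
# Added example: checks the TXT strings published at _dmarc.<domain>.
# All record values below are constructed samples, not real DNS data.
VALID_POLICIES = {"none", "quarantine", "reject"}

def is_dmarc(txt):
    """True if the first tag is v=DMARC1 (the value is case-sensitive)."""
    name, _, value = txt.split(";", 1)[0].partition("=")
    return name.strip().lower() == "v" and value.strip() == "DMARC1"

def parse_tags(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lower-case tag."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Return (single_record, problems, rua) for the records at one _dmarc name."""
    records = [r for r in txt_records if is_dmarc(r)]
    if not records:
        return False, ["no DMARC record published"], []
    if len(records) > 1:
        # RFC 7489 section 6.6.3: more than one record ends policy discovery,
        # so receivers apply no DMARC policy at all.
        return False, [f"{len(records)} DMARC records, exactly one allowed"], []
    tags = parse_tags(records[0])
    problems = []
    if tags.get("p", "").lower() not in VALID_POLICIES:
        problems.append("missing or invalid p= tag")
    # rua is a comma-separated URI list; a size limit such as "!10m" may follow a URI.
    rua = [u.strip().split("!")[0] for u in tags.get("rua", "").split(",") if u.strip()]
    if not rua:
        problems.append("no rua: no aggregate reports will be sent")
    return True, problems, rua

# Constructed inputs: two DMARC records plus an unrelated TXT string, then one record.
DUPLICATED = ["v=DMARC1; p=none; rua=mailto:owner@example.com",
              "v=DMARC1; p=quarantine; rua=mailto:reports@example.net",
              "v=spf1 -all"]
SINGLE = ["v=DMARC1; p=none;"]

if __name__ == "__main__":
    for label, recs in (("duplicated", DUPLICATED), ("single", SINGLE)):
        print(label, check_dmarc(recs))
```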
Thank you, I understood that my website or email provider may NOT be affected by the spam sending and that spammers may just use my domain name sending emails from THEIR servers. Is that correct?
I set SPF and DKIM on DNS records, they point to Protonmail.
I still want to receive DMARC reports (they are not frequent for now). I have cancelled one TXT record and left my address in the other one.
You may only have one DMARC record if you care about it actually working. I think it is good that you want to see the data in the reports. Sending them to your inbox is an extremely terrible way to collect those reports. I strongly encourage you to use a DMARC reporting service to make the data more useful.
If you are certain that you want to keep receiving them in your inbox, then keep whichever DMARC record has that address and delete the other one.
Cloudflare has one. It is still in beta and has some elements outside of the core that should be avoided. Don’t let it manage your SPF records. It tries to flatten them, which is something to be avoided.
I currently use either paid dmarcian or free Cloudflare.
You may find some other free options such as Report-URI or Postmark, but they are limited.
Thank you. How can I avoid Cloudflare managing SPF (in TXT record) if my domains are on Cloudflare?
Currently SPF is run by Protonmail (Cloudflare TXT record points to Protonmail SPF).
Don’t confuse Cloudflare DNS with Cloudflare DMARC Management dynamically creating your SPF records. You can still create and maintain your own SPF records in Cloudflare DNS while using Cloudflare DMARC Management.
Asking questions is important, but I expect it to make more sense once you try it yourself and begin to gain a more complete understanding of what each piece does.
I have a Protonmail SPF record but spam emails seem to use a legitimate IP. Please check the report. I am a newbie, I don’t know what to do, if the IP is legitimate does it mean that the spam originates from Protonmail servers or is it spoofed? Or is it my website infected with malicious code?