Dealing with messages caught as FRAUD (DKIM/DMARC/SPF)

Created by Yves Lacombe, Modified on Mon, 04 Dec 2023 at 09:32 AM by Andrea Mendez-Febres


1. A message is classified as "FRAUD" and my end users can't release them from the digest.

2. I added a sender that was caught as "FRAUD" to my sender list (the trusted senders list) and it's still getting caught as fraud.


It's because the message is being blocked by Antispoofing. You need to add the sender's domain to the antispoofing exception list instead.   The reason you need to do this is because the new Antispoofing feature happens before the "classical" content filtering and the normal trust mechanisms do not work at this layer.

Filtering Layers (very abridged):

{ connection blocking } ==> { antispoofing } ==> { Content Filtering }

Something caught as FRAUD (DMARC/DKIM/SPF) gets classified as such at a layer that preceedes the content filtering whitelisting which is where the trusted senders list resides.

Also, all FRAUD hits are considered admin release only.

Sad Fact:  There are more and more legitimate organizations that get SPF, DKIM and DMARC wrong. Often companies as they grow, they are victim of "shadow IT" where say, the marketing department starts using a cloud product that sends mail on the company's behalf but they never informed IT to update the SPF record or apply proper DKIM policy.

To Fix:

You need to add the sending domain to the exceptions list depending on what type of hit it was.

  • For DMARC: Use the "From Header" domain
  • For DKIM: Use the "From Header" domain
  • For SPF: Use the "Envelope From" (Envelope Sender) domain