Report Details

Report Metadata
Report ID: 6c2b0a32c8324880994a463c8dfeb98f
Domain: liedelt.cloud
Reporter: Enterprise Outlook (dmarcreport@microsoft.com)
Status: processed
Created: 2026-04-02 11:58:41
Processed: 2026-04-02 11:59:15
Claude AI Analysis
MEDIUM
Summary: The domain liedelt.cloud has a strong DMARC policy (p=reject) in place with relaxed alignment mode. One email from an authorized source (IPv6: 2a00:1f78:af02:2::27) passed SPF but failed DKIM authentication. This appears to be a configuration issue rather than a spoofing attempt, as the source IP successfully passed SPF authentication.
What's Working Well
  • SPF authentication is working correctly - 100% pass rate (1/1 emails)
  • Strong DMARC policy (p=reject) is published, demonstrating commitment to email security
  • Relaxed alignment mode (r) configured for both DKIM and SPF, which is appropriate for most organizations
  • No unauthorized sending sources detected in this report
  • No emails were quarantined or rejected, indicating legitimate mail flow
  • DMARC reporting infrastructure is properly configured and receiving reports from major email providers (Enterprise Outlook)
Concrete Action Items
Investigate DKIM Failure on IPv6 2a00:1f78:af02:2::27 [HIGH]

Description: Determine why DKIM authentication failed for this authorized sending source. Since SPF passed, this is a legitimate mail server that needs proper DKIM configuration.

Steps to Take:

  1. Identify what mail server or service operates at IPv6 2a00:1f78:af02:2::27 (use reverse DNS: dig -x 2a00:1f78:af02:2::27)
  2. Check if this IP belongs to your infrastructure, a third-party service, or email provider
  3. Verify DKIM signing is enabled on this mail server for the domain liedelt.cloud
  4. Confirm the DKIM selector and public key in DNS match the private key used for signing
  5. Test DKIM signing by sending a test email to a checking service (e.g., mail-tester.com or dmarcian.com)
  6. Review mail server logs for DKIM signing errors or configuration issues

Affected IPs: 2a00:1f78:af02:2::27

Expected Outcome: DKIM authentication should pass for all emails from this source, achieving full SPF+DKIM alignment and 100% authentication success rate
Verify DKIM DNS Records Configuration [MEDIUM]

Description: Ensure DKIM public keys are correctly published in DNS and match the private keys used by sending servers.

Steps to Take:

  1. List all DKIM selectors currently in use for liedelt.cloud
  2. For each selector, verify DNS TXT record: dig TXT [selector]._domainkey.liedelt.cloud
  3. Confirm the public key format is correct (starts with 'v=DKIM1')
  4. Check key length (minimum 1024-bit, recommend 2048-bit RSA)
  5. Verify no typos or formatting issues in the DNS record
  6. If using multiple selectors, ensure the sending server is using the correct one

Affected IPs: 2a00:1f78:af02:2::27

Expected Outcome: All DKIM selectors resolve correctly in DNS with valid public keys that match signing infrastructure
Audit All Authorized Sending Sources [MEDIUM]

Description: Create an inventory of all legitimate email sending sources for liedelt.cloud to ensure complete authentication coverage.

Steps to Take:

  1. Document all mail servers, services, and applications authorized to send email as @liedelt.cloud
  2. Verify each source is included in the SPF record
  3. Confirm each source has DKIM signing properly configured
  4. Test authentication from each source using email authentication testing tools
  5. Create a maintenance schedule for reviewing and updating authentication records quarterly

Affected IPs: All sending infrastructure

Expected Outcome: Complete visibility of email sending infrastructure with 100% SPF and DKIM coverage
Consider Implementing Aggregate Report Monitoring [LOW]

Description: Set up automated monitoring and alerting for DMARC aggregate reports to quickly identify authentication issues.

Steps to Take:

  1. Evaluate DMARC monitoring services (e.g., Postmark, Dmarcian, Valimail, URIports)
  2. Configure rua= tag in DMARC record if not already present for aggregate reports
  3. Configure ruf= tag for forensic reports if detailed failure information is needed
  4. Set up alerts for authentication failure rate exceeding 5%
  5. Establish weekly review process for DMARC reports

Expected Outcome: Proactive identification of authentication issues before they impact email deliverability
Immediate Next Steps
  1. Within 24 hours: Identify the mail server at 2a00:1f78:af02:2::27 and check its DKIM configuration
  2. Within 48 hours: Verify all DKIM DNS records are correctly published and accessible
  3. Within 1 week: Test DKIM signing by sending test emails and verifying authentication results
  4. Within 1 week: Complete audit of all authorized sending sources and their authentication status
  5. Ongoing: Continue monitoring DMARC reports weekly for trends or new authentication failures
Authentication Failures:
  • DKIM Authentication Failure (IP: 2a00:1f78:af02:2::27, count: 1). Details: Email passed SPF but failed DKIM signature verification. Since SPF passed, this is a legitimate sending source with incomplete DKIM configuration. Impact: With p=reject policy, future emails may be rejected by stricter receivers. Currently showing 'disposition: none' indicating monitoring mode or override.
Detected Anomalies:
  • Policy-Action Mismatch. Description: Domain policy is set to 'reject' but the failed DKIM email received 'disposition: none' (no action taken). This suggests either: (1) the receiver is in monitoring mode, (2) DMARC policy override occurred, or (3) SPF pass with relaxed alignment satisfied authentication requirements. Risk level: Low - but indicates potential confusion in expected vs actual behavior
General Recommendations:
  • Investigate and fix DKIM signing on the sending server at 2a00:1f78:af02:2::27 to ensure all legitimate emails pass both SPF and DKIM
  • Consider implementing DKIM key rotation and verification procedures to prevent future signature failures
  • Verify that all authorized sending sources are properly configured with both SPF and DKIM to maximize deliverability
  • Continue monitoring DMARC reports to identify any patterns in DKIM failures from this IP address
  • Document all legitimate sending IPs and ensure they have proper authentication mechanisms configured
Authentication Records (1)
Source IP | Hostname / Provider | Count | SPF | DKIM | Disposition
2a00:1f78:af02:2::27 | No reverse DNS | 1 | pass | fail | none
Related Alerts
Type | Severity | Email Sent | Created
suspicious_pattern | medium | Yes | 2026-04-02 11:59