On Fri, 16 Nov 2018 at 13:45, Robert Fitzpatrick <rob...@webtent.org> wrote: > > We're having an issue with spam coming from the same company even though > SPF and DKIM is setup with DMARC to reject. Take this forwarded email > for instances.... > > > -------- Original message -------- > > From: User <u...@company.com> > > Date: 11/15/18 10:42 AM (GMT-07:00) > > To: Other User <other.u...@company.com> > > Subject: OVERDUE INVOICE > > > > Sorry for the delay…. This is an invoice reminder. The total for your item > > is $1,879.17. > > > > THX, > > > > - > > > > User > > T 123.456.7890 | O 123.456.7891 > > EMail:u...@company.com > > However, the raw headers show as this... > > > Date: Thu, 15 Nov 2018 18:35:35 +0100 > > From: User <u...@company.com> > > <arte.fin...@creativegroup.com.ec> > > To: other.u...@company.com > > Message-ID: <860909106225419267.2007038e08376...@company.com> > > Subject: OVERDUE INVOICE > > Could someone suggest a rule to match the signature with the last From > email or envelope from? Or another suggestion how this could be resolved. > > Thanks!
Please clarify what you mean by 'even though SPF and DKIM is setup with DMARC to reject'? I presume that 'company.com' does not have a DMARC p=reject policy, or else your DMARC program (e.g. opendmarc) should block forged emails from them.
