You want to find inbound emails which were flagged by the SPF or DMARC checks under the Antispam detection settings but delivered.
This applies to the Email Security.cloud Splunk app.
This can happen when the action for SPF/DMARC is set to log only. The Email Security.cloud service then records the SPF/DMARC check decision passively in its logs to give a better understanding of the email traffic; this is useful while you are in testing mode for SPF/DMARC and want to move towards blocking emails that fail these checks.
The Splunk search query below returns inbound emails that were not blocked but failed the SPF or the DMARC check:
sourcetype="symantec:email:cloud:atp" earliest=-15d
message_info="Inbound"
action!="blocked"
(
  (emailInfo.authResults.spf!="SPF_PASS" AND emailInfo.authResults.spf!="SPF_NONE")
  OR
  (emailInfo.authResults.dmarc!="DMARC_PASS" AND emailInfo.authResults.dmarc!="DMARC_NONE")
)
| table _time sender recipient subject senderIp action emailInfo.authResults.spf emailInfo.authResults.dmarc
| sort - _time

The SPF and DMARC conditions are each wrapped in their own parentheses because Splunk evaluates OR before AND; without them the search would not match "SPF failed or DMARC failed" as intended.
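As an added example (not part of the original article or of the Email Security.cloud app), the same filter expressed in Python and run over constructed sample events, so the boolean logic and the handling of events that have no authResults fields can be checked offline. Field names mirror the Splunk fields; every value, address and timestamp is made up.

```python
from datetime import datetime, timedelta

COLUMNS = ["_time", "sender", "recipient", "subject", "senderIp", "action",
           "emailInfo.authResults.spf", "emailInfo.authResults.dmarc"]
PASS_OR_NONE = {"spf": {"SPF_PASS", "SPF_NONE"}, "dmarc": {"DMARC_PASS", "DMARC_NONE"}}

def auth_failed(event, check):
    # Mirrors Splunk's `field!="X" AND field!="Y"`: an event that lacks the
    # field does not match a != comparison, so it is not counted as a failure.
    value = event.get(f"emailInfo.authResults.{check}")
    return value is not None and value not in PASS_OR_NONE[check]

def delivered_auth_failures(events, now, days=15):
    """Inbound, not blocked, and failed SPF or failed DMARC; newest first."""
    cutoff = now - timedelta(days=days)                  # earliest=-15d
    rows = []
    for e in events:
        if e["_time"] < cutoff or e.get("message_info") != "Inbound":
            continue
        if e.get("action") == "blocked":                 # action!="blocked"
            continue
        if auth_failed(e, "spf") or auth_failed(e, "dmarc"):
            rows.append({k: e.get(k) for k in COLUMNS})  # | table ...
    return sorted(rows, key=lambda r: r["_time"], reverse=True)  # | sort - _time

# Constructed sample events (not real Email Security.cloud data). A value of
# None stands for an event in which the authResults field is absent.
NOW = datetime(2024, 1, 20, 12, 0)   # fixed "now" so the run is deterministic

def ev(days_ago, action, spf, dmarc, subject):
    return {"_time": NOW - timedelta(days=days_ago), "message_info": "Inbound",
            "action": action, "sender": "sender@example.com", "subject": subject,
            "recipient": "user@corp.example", "senderIp": "192.0.2.10",
            "emailInfo.authResults.spf": spf, "emailInfo.authResults.dmarc": dmarc}

SAMPLE_EVENTS = [
    ev(1, "delivered", "SPF_FAIL", "DMARC_PASS", "spf-fail-delivered"),    # reported
    ev(2, "delivered", "SPF_PASS", "DMARC_FAIL", "dmarc-fail-delivered"),  # reported
    ev(3, "blocked", "SPF_FAIL", "DMARC_FAIL", "both-fail-blocked"),       # excluded
    ev(4, "delivered", "SPF_PASS", "DMARC_NONE", "clean"),                 # excluded
    ev(5, "delivered", None, None, "no-auth-results"),                     # excluded
    ev(40, "delivered", "SPF_FAIL", "DMARC_FAIL", "too-old"),              # excluded
]

if __name__ == "__main__":
    for row in delivered_auth_failures(SAMPLE_EVENTS, NOW):
        print(row["_time"], row["subject"], row["emailInfo.authResults.spf"],
              row["emailInfo.authResults.dmarc"])
```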