From time to time you may notice that a forwarded calendar or meeting invite is labeled as a Domain Spoof or fails DMARC. This is sometimes due to how the forward button in the mail client operates. In most cases, however, it is inherent to how calendar forwards work, and it is a known issue with the DMARC standard within the DMARC community.
Forwarded calendar invites typically have a [FW:] tag in the subject and may sometimes include an attachment with the extension .ics.
For an explanation of why this is happening, a senior engineer here at Agari wrote an excellent blog post about this challenge with Google users. DMARC.org has a concise example for all mail platforms, and the IETF has written an extensive draft on the "Interoperability Issues Between DMARC and Indirect Email Flows", with the relevant section being 3.2.2. ReSenders.
Agari has made many efforts to reduce classifying these messages as domain spoofs in APD; however, other security systems may still classify the messages as spoofs due to the nature of forwards and the DMARC standard.
As mentioned in the articles, there are some best practices that can help in some cases, but the long-term permanent fix is the Authenticated Received Chain (ARC) protocol, which has not been finalized or implemented widely yet. At the time of writing, Google is the only platform that utilizes ARC, and only between Google and Google mail clients.
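A triage helper for the pattern described in this article, added here as an illustration and not Agari's or APD's own logic: it flags a DMARC failure that has the shape of a forwarded invite (FW: subject plus a calendar part or .ics attachment). The sample message, the function names and the Sender-versus-From comparison are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an invite organized at example.com, forwarded by a user at example.net.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.net;
 dkim=pass header.d=example.net; dmarc=fail header.from=example.com
From: Organizer <organizer@example.com>
Sender: Forwarder <forwarder@example.net>
To: colleague@example.org
Subject: FW: Quarterly planning
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please join.
--b1
Content-Type: text/calendar; method=REQUEST; name="invite.ics"

BEGIN:VCALENDAR
END:VCALENDAR
--b1--
"""

def domain(value):
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    """Return the signals that make a DMARC failure look like a forwarded invite."""
    msg = message_from_string(raw)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    from_dom, sender_dom = domain(msg.get("From")), domain(msg.get("Sender"))
    signals = {
        "dmarc_fail": bool(re.search(r"\bdmarc=fail\b", auth, re.I)),
        "fw_subject": bool(re.match(r"\s*\[?FW:", msg.get("Subject", ""), re.I)),
        "calendar_part": any(
            p.get_content_type() == "text/calendar"
            or (p.get_filename() or "").lower().endswith(".ics")
            for p in msg.walk()),
        # Assumption: the forwarding client keeps the organizer in From and adds its own Sender.
        "sender_differs": bool(sender_dom) and sender_dom != from_dom,
    }
    # Review hint only: the same shape can be crafted, so this must not drive an allow rule.
    signals["likely_forwarded_invite"] = (
        signals["dmarc_fail"] and signals["fw_subject"] and signals["calendar_part"])
    return signals
```
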