What does it mean when an unfamiliar sending source shows DKIM passing?
When reviewing your DMARC reports, you may occasionally notice that DKIM authentication passes for domains you do not recognize. While it might be tempting to assume that someone has gained access to your DKIM key and is spoofing your domain, odds are the cause is more benign: email forwarding.
It is fairly common for recipients to have automatic forwarding set up for an email address. Some people have their work email forward to an additional address, and others have an address they no longer use forward automatically to one that they check more often.
When you send an email to a recipient that has forwarding in place, the email is forwarded with the original DKIM signature intact. Because the forwarded message is sent from the original recipient’s domain, it looks as though that domain generated the message using your domain’s DKIM signature. DKIM continues to pass for the forwarded message because the forwarding service does not modify the signed content or the DKIM signature, which allows the message to pass DMARC as well.
What should I do about it?
Unless you are seeing a very large number of messages passing DKIM from an unfamiliar source, no action needs to be taken on these domains that show DKIM passing. If you are seeing a large volume of emails passing DKIM from an unfamiliar domain, your next step is to double-check whether it is actually a legitimate source. If you find it is a legitimate source, you should then set up SPF for it so that it consistently passes DMARC.
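One way to apply this triage to a DMARC aggregate report, as an added example that is not part of the original article: it parses the RFC 7489 XML layout, keeps rows where DKIM passed DMARC from an IP outside your own sending ranges, and labels each source by volume. `KNOWN_SENDERS`, `VOLUME_THRESHOLD` and the sample report are assumptions constructed for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Assumptions for this example: your own sending ranges and a volume cut-off.
KNOWN_SENDERS = [ipaddress.ip_network("192.0.2.0/28")]
VOLUME_THRESHOLD = 100  # messages per report; tune to your own traffic

# Constructed sample in the RFC 7489 aggregate-report layout (trimmed).
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
<policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>3</count>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.40</source_ip><count>950</count>
<policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>5</count>
<policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def is_known(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SENDERS)


def triage(report_xml):
    """Return {source_ip: verdict} for unfamiliar sources whose DKIM passed DMARC."""
    totals = Counter()
    for row in ET.fromstring(report_xml).iter("row"):
        ip = row.findtext("source_ip", "").strip()
        dkim = row.findtext("policy_evaluated/dkim", "").strip().lower()
        if not ip or dkim != "pass" or is_known(ip):
            continue  # only unfamiliar sources with a DMARC-aligned DKIM pass
        totals[ip] += int(row.findtext("count", "0"))
    return {
        ip: "investigate" if n >= VOLUME_THRESHOLD else "likely-forwarding"
        for ip, n in totals.items()
    }


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_REPORT).items():
        print(ip, verdict)
```

Sources labelled `investigate` are the ones to check against your list of legitimate senders; low-volume sources match the forwarding pattern described above.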
The next time you see DKIM passing for a source you are not familiar with, rest assured that it is unlikely someone is spoofing your domain using your DKIM signature. The more likely cause is email forwarding by your recipients.