How did a phishing email pass SPF, DKIM and DMARC?

I entered the header in an email header parser, and it passes because it comes from an authorised and valid uber.com IP address for sending emails (50.31.36.149).

But the DKIM body signature check failed. So, it looks like the phisher got ahold of a valid Uber account and either took an existing email, and replaced the body content, or your edits modified the parts of the email that were signed.

Is there anything else in the message header/body which would conclusively determine the email to be spoofed?

Yes, the fact that it purports to be from Bank of America but sent from an Uber account.

I'd report this to Uber, actually.

From: Bank Of America <[email protected]> is the address used in the header.from field, so technically the email didn't spoof Bank of America but an Uber.com email address with a Display Name property that says Bank of America.

The email was sent via a system that is authorized to send on behalf of the uber.com domain. In this case Sendgrid. (See the DKIM signatures and the naming of the uber.com signature selector: s1).

Sendgrid allows use of API keys to send out emails. All too often these API keys fall into the wrong hands (used in clear text in public website code), and in case of Sendgrid it may mean you can send authenticated emails on behalf of the domain it corresponds to.

Indeed, as @schroeder points out, this should be reported to Uber.
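A small check of the kind both answers describe, added here as example code that is not from the thread: it parses the From header and an Authentication-Results line, works out DMARC alignment from the envelope (MAIL FROM) domain and the DKIM signing domain, and flags the display-name/From-domain mismatch. The sample headers are constructed; the mailbox, the envelope domain and the Authentication-Results text are assumptions, only the display name, uber.com and the s1 selector come from the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers modelled on the message in the question. The From line,
# uber.com and selector s1 come from the thread; the mailbox, envelope domain
# and the Authentication-Results line itself are assumptions.
SAMPLE_HEADERS = """\
From: Bank Of America <notifications@uber.com>
To: victim@example.com
Subject: Important notice about your account
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 50.31.36.149) smtp.mailfrom=bounces.uber.com;
 dkim=fail (body hash did not verify) header.d=uber.com header.s=s1;
 dmarc=pass (p=REJECT) header.from=uber.com
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral)\b")


def _field(ar, key):
    """Pull one key=value property (e.g. header.d=...) out of Authentication-Results."""
    m = re.search(re.escape(key) + r"=([\w.-]+)", ar)
    return m.group(1).lower() if m else ""


def org_domain(domain):
    # Simplified organisational domain: last two labels. Real DMARC uses the
    # Public Suffix List; this is enough for uber.com vs bounces.uber.com.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def analyze(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ar = re.sub(r"\s+", " ", msg.get("Authentication-Results", ""))  # unfold header
    results = dict(AUTH_RE.findall(ar))
    # DMARC passes if EITHER SPF or DKIM passes AND aligns with header.from;
    # here SPF aligns via the envelope domain, so DMARC passes despite DKIM failing.
    spf_aligned = results.get("spf") == "pass" and org_domain(_field(ar, "smtp.mailfrom")) == org_domain(from_domain)
    dkim_aligned = results.get("dkim") == "pass" and org_domain(_field(ar, "header.d")) == org_domain(from_domain)
    findings = []
    if results.get("dkim") == "fail":
        findings.append(f"DKIM failed for {_field(ar, 'header.d')} (selector {_field(ar, 'header.s')}): "
                        "signed content was altered after signing")
    # Heuristic: no word of the display name appears in the From domain.
    words = [w for w in re.findall(r"[a-z]+", display.lower()) if len(w) > 2]
    if words and not any(w in from_domain for w in words):
        findings.append(f"display name '{display}' does not match From domain {from_domain}")
    return {"from_domain": from_domain, "results": results, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned, "findings": findings}
```

Run `analyze(SAMPLE_HEADERS)` to see the two findings: the DKIM body-hash failure and the brand/domain mismatch, alongside a DMARC pass carried entirely by aligned SPF.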