电子邮件受 SPF 保护，但仍然收到来自其他 IP 的有效签名

我收到了一封垃圾邮件，发件人是[email protected]，[email protected]但“发件人”是rec15.appleandrdoidmail.mx。[email protected]这是一个别名。奇怪的是，它说是由 签名的mydomain.com！

我一直在查看电子邮件来源，并且该电子邮件通过了 DKIM 和 SPF 过滤器（没有找到 DMARC 信息）：

Assumpte:   8NUE7 Comprobante Electronico de Pago N: (94596)
SPF:    PASS amb la IP 0.0.0.0 Més informació
DKIM:   'PASS' amb el domini mydomain.com Més informació

我一直在查看邮件日志以查找连接并发现了以下情况：

Oct 20 13:32:00 mydomain postfix/smtpd[5162]: connect from rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: 5A04D1B5C75: client=rec15.appleandroidemail.mx[45.7.231.194]
Oct 20 13:32:01 mydomain postfix/cleanup[5164]: 5A04D1B5C75: message-id=<[email protected]>
Oct 20 13:32:01 mydomain postfix/qmgr[2202]: 5A04D1B5C75: from=<[email protected]>, size=3140, nrcpt=1 (queue active)
Oct 20 13:32:01 mydomain postfix/smtpd[5162]: disconnect from rec15.appleandroidemail.mx[45.7.231.194] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: connect from mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/smtpd[5180]: EA2481B5F8A: client=mydomain.com[127.0.0.1]
Oct 20 13:32:07 mydomain postfix/cleanup[5164]: EA2481B5F8A: message-id=<[email protected]>
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: from=<[email protected]>, size=4004, nrcpt=1 (queue active)
Oct 20 13:32:08 mydomain postfix/smtpd[5180]: disconnect from mydomain.com[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 20 13:32:08 mydomain amavis[16608]: (16608-05) Passed CLEAN {RelayedInbound}, [45.7.231.194]:50918 [45.7.231.194] <[email protected]> -> <[email protected]>, Queue-ID: 5A04D1B5C75, Message-ID: <[email protected]>, mail_id: qwEeUiSFqmai, Hits: 3.204, size: 3164, queued_as: EA2481B5F8A, 6422 ms
Oct 20 13:32:08 mydomain postfix/smtp[5165]: 5A04D1B5C75: to=<[email protected]>, orig_to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.8, delays=0.33/0.01/0/6.4, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as EA2481B5F8A)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: 5A04D1B5C75: removed
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Connect from local
Oct 20 13:32:08 mydomain dovecot: lmtp([email protected]): 8ksOBtjmjl8+FAAAWnabiA: msgid=<[email protected]>: saved mail to INBOX
Oct 20 13:32:08 mydomain dovecot: lmtp(5182): Disconnect from local: Successful quit
Oct 20 13:32:08 mydomain postfix/lmtp[5181]: EA2481B5F8A: to=<[email protected]>, relay=mydomain.com[private/dovecot-lmtp], delay=0.15, delays=0.13/0.01/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <[email protected]> 8ksOBtjmjl8+FAAAWnabiA Saved)
Oct 20 13:32:08 mydomain postfix/qmgr[2202]: EA2481B5F8A: removed

防晒指数配置：

mydomain.com.       86400   IN  TXT "v=spf1 ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"
mydomain.com.       86400   IN  TXT "v=spf2.0/pra ip4:xx.xx.xx.xx include:_spf.mydomain.com ~all"

密钥管理信息系统配置：

20XXXX._domainkey.mydomain.com. 82086 IN TXT    "v=DKIM1; k=rsa; p=MIGfMA0GC..."

DMARC配置：

v=DMARC1; p=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]; aspf=s; adkim=s; fo=1

我已经查看了所有 DMARC xml 报告，没有发现任何45.7.231.194IP 地址的条目，也没有发现拒绝、无或隔离的条目。

在电子邮件来源中我发现：

X-Received: by 2002:a2f:a551:: with SMTP id a23mr2209527ljn.5.1603290742268;
        Tue, 20 Oct 2020 06:32:24 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of [email protected] designates 45.7.231.194 as permitted sender) [email protected];
       dkim=pass [email protected] header.s=20XXXX header.b=EBPdgUba
Received-SPF: pass (google.com: best guess record for domain of [email protected] designates 45.7.231.194 as permitted sender) client-ip=45.7.231.194;
...
Received: from localhost (mydomain.com [127.0.0.1]) by mydomain.com (Postfix) with ESMTP id EA2481B5F8A for <[email protected]>; Tue, 20 Oct 2020 13:32:07 +0000 (UTC)

因此，似乎有人被授权45.7.231.194以 的名义发送电子邮件mydomain.com，但我认为 SPF 就是为了这个目的，以保护某人以 的mydomain.com名义发送电子邮件。我遗漏了什么？是否配置有误？

如有任何关于如何阻止这次攻击的帮助，我们将不胜感激。