Question receiving phishing emails

dzistemas

New Pleskian
Server operating system version
Ubuntu 16
Plesk version and microupdate number
Plesk Obsidian v18.0.34
Hello,
Emails are arriving impersonating the identity of internal emails.
Why doesn't the DMARC or SPF system of Plesk stop it?

This is the header:
Code:
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on
webserver-143-55.grupoinova.es
X-Spam-Level:
X-Spam-Status: No, score=-5.8 required=7.0 tests=BAYES_00,
HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_DNSWL_HI,RDNS_NONE,SPF_HELO_NONE,SPF_PASS
autolearn=unavailable autolearn_force=no version=3.4.2
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from webserver-143-55.grupoinova.es (localhost.localdomain [127.0.0.1])
by webserver-143-55.grupoinova.es (Postfix) with ESMTP id 635A62B45EF0
for <[email protected]>; Wed, 8 Feb 2023 09:00:05 +0100 (CET)
Authentication-Results: webserver-143-55.grupoinova.es;
dmarc=fail (p=NONE sp=NONE) smtp.from=azfamilyflorist.com header.from=moldtechsl.es;
spf=pass (sender IP is 127.0.0.1) [email protected] smtp.helo=webserver-143-55.grupoinova.es
Received-SPF: pass (webserver-143-55.grupoinova.es: localhost is always allowed.) client-ip=127.0.0.1; [email protected]; helo=webserver-143-55.grupoinova.es;
Received: from webserver-143-55.grupoinova.es ([217.61.143.57])
by webserver-143-55.grupoinova.es (webserver-143-55.grupoinova.es [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id HIIrPyjSxTpz for <[email protected]>;
Wed, 8 Feb 2023 09:00:04 +0100 (CET)
Received: from p3plwbeout16-06.prod.phx3.secureserver.net (p3plsmtp16-06-2.prod.phx3.secureserver.net [173.201.193.64])
by webserver-143-55.grupoinova.es (Postfix) with ESMTPS id 033162B45EEE
for <[email protected]>; Wed, 8 Feb 2023 09:00:01 +0100 (CET)
Received-SPF: pass (webserver-143-55.grupoinova.es: domain of azfamilyflorist.com designates 173.201.193.64 as permitted sender) client-ip=173.201.193.64; [email protected]; helo=p3plwbeout16-06.prod.phx3.secureserver.net;
Received: from p3plgemwbe16-04.prod.phx3.secureserver.net ([173.201.193.25])
by :WBEOUT: with SMTP
id PfN0p6vv9LVjqPfN0pApRe; Wed, 08 Feb 2023 00:59:58 -0700
X-CMAE-Analysis: v=2.4 cv=FvTAQ0nq c=1 sm=1 tr=0 ts=63e3567e
a=nNQjsLeFNlFf8ZEpWh7W3A==:117 a=C1J9Q5C8-2MA:10 a=tJEoxdAfGegA:10
a=IkcTkHD0fZMA:10 a=m04uMKEZRckA:10 a=M51BFTxLslgA:10
a=-hGdK08GpahVcLt5FoUA:9 a=gMX2rfZsLK-g-3Jd:21 a=_W_S_7VecoQA:10
a=QEXdDO2ut3YA:10 a=6GNBm1jHBFyoEnMTZuYf:22
X-SECURESERVER-ACCT: [email protected]
X-SID: PfN0p6vv9LVjq
Received: (qmail 6488 invoked by uid 99); 8 Feb 2023 07:59:58 -0000
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
X-Originating-IP: 198.57.26.40
User-Agent: Workspace Webmail 6.12.14
Message-Id: <20230208005956.c031a153a55c76a5a7f402c0ae5dfe07.c456458e8b.wbe@email16.godaddy.com>
From: "=?UTF-8?Q?=C3=81ngel=20Cejudo?=" <[email protected]>
X-Sender: [email protected]
Reply-To: "=?UTF-8?Q?=C3=81ngel=20Cejudo?=" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Pago
Date: Wed, 08 Feb 2023 00:59:56 -0700
Mime-Version: 1.0
X-CMAE-Envelope: MS4xfJ2aQ1cH3ku0DWSXOuJ93C4ZI/QAP/uQCRLfiVX7C6rUP7Ap5gROoBuEfDPv1+YibpEEcdGSfzz71m3Qm7X7oxrZSNnZu1erd7cWxSFKvgFvmVXDSJ/f
rp4qgNd/vBh49LoA0BuS7E9IEDlKnbiVVeQ5xh/qDmcoKM6iEzZ3uB97SnxDdGs9t0I5KcH5+A6zPjKQJiVcpC5DpeaDbW/DLfvUBTYz4tWzNPxNi/EwnxD0
jxiBAqjjX0sHK3Z8IIH+BQ==
 
Last edited by a moderator:
The domain owner can specify what policy the receiving server has to apply if the DMARC check fails.
dmarc=fail (p=NONE sp=NONE) smtp.from=azfamilyflorist.com header.from=moldtechsl.es;
In this case the policy (p=none) is set to do nothing (none). So the server follows the policy and does nothing.

If you want a stricter policy, change the DMARC DNS record and replace p=none with p=reject.

More information on DMARC can be found here: What is a DMARC Policy? | P=Reject | P=none
 
Last edited:
Back
Top
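The header in this thread, worked through as an added example (not part of the original posts and not Plesk's code): the script parses the Authentication-Results line, shows that the SPF pass belongs to the envelope domain rather than the visible From domain, and shows how the outcome changes with the published policy. The function names, the two-label organizational-domain shortcut and the disposition labels are assumptions made for illustration.

```python
import re

# Constructed from the Authentication-Results header quoted in the question
# (mailbox addresses left out; only the domains matter for DMARC).
HEADER = (
    "webserver-143-55.grupoinova.es; "
    "dmarc=fail (p=NONE sp=NONE) smtp.from=azfamilyflorist.com "
    "header.from=moldtechsl.es; "
    "spf=pass (sender IP is 127.0.0.1) "
    "smtp.helo=webserver-143-55.grupoinova.es"
)
# Illustrative labels for what a receiver does with a failing message.
DISPOSITION = {"none": "deliver", "quarantine": "junk", "reject": "reject"}


def parse_auth_results(value):
    """Return {method: {"result", "comment", property: value, ...}}."""
    out = {}
    for clause in value.split(";")[1:]:  # first item is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)\s*(?:\(([^)]*)\))?(.*)", clause, re.S)
        if not m:
            continue
        method, result, comment, rest = m.groups()
        info = {"result": result.lower(), "comment": comment or ""}
        info.update(re.findall(r"([\w.]+)=(\S+)", rest))
        out[method.lower()] = info
    return out


def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain;
    # a real check uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def explain(value, policy_override=None):
    """Report SPF alignment and the action implied by the DMARC policy."""
    res = parse_auth_results(value)
    dmarc, spf = res["dmarc"], res.get("spf", {})
    policy = dict(re.findall(r"(\w+)=(\w+)", dmarc["comment"])).get("p", "none")
    policy = (policy_override or policy).lower()
    # SPF only counts for DMARC when the envelope domain matches the From domain.
    aligned = org_domain(dmarc["smtp.from"]) == org_domain(dmarc["header.from"])
    spf_aligned = spf.get("result") == "pass" and aligned
    # DKIM is not evaluated: the quoted header carries no dkim= result.
    action = "deliver" if dmarc["result"] == "pass" else DISPOSITION[policy]
    return {"spf_aligned": spf_aligned, "policy": policy, "action": action}
```

`explain(HEADER)` gives the delivery seen in the thread; `explain(HEADER, "reject")` shows the same message under the stricter policy suggested in the answer.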