Suspicious DKIM Result

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Microsoft 365 Emails

Detection Modules

Email

Detector Tags

Spoofing

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

The email contains a suspicious DKIM entry, showing either an unexpected verification result (none, fail, or policy) or a mismatched signing domain, which may indicate potential tampering or spoofing activity.

Attacker's Goals

Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.

Investigative actions

  • Check the email address for any unusual spellings, missing letters, or unknown domains.
  • Examine the sender's IP address and reputation, and check why DKIM didn't pass.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.

Variations

Known domain DKIM deviation

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

  • An email was sent from a commonly seen domain in the organization, that has historically passed DKIM checks, but returned a suspicious DKIM result of fail
  • This deviation may indicate an attempt to spoof or impersonate a legitimate external sender.
  • Such sudden DKIM outcome from a previously trusted external domain warrants further investigation.

Attacker's Goals

Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.

Investigative actions

  • Check the email address for any unusual spellings, missing letters, or unknown domains.
  • Examine the sender's IP address and reputation, and check why DKIM didn't pass.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


Lack DKIM signature from typically signing domains

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

  • An email was sent from a domain that has historically passed DKIM checks, but returned a suspicious DKIM result of none
  • A none DKIM result implies on an unsigned email, which is atypical for domains with previous signed messages.
  • This deviation may indicate an attempt to spoof or impersonate a legitimate external sender.
  • Such sudden DKIM outcome from a previously trusted external domain warrants further investigation.

Attacker's Goals

Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.

Investigative actions

  • Check the email address for any unusual spellings, missing letters, or unknown domains.
  • Examine the sender's IP address and reputation, and check why DKIM didn't pass.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


DKIM results lacking sender correlation

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

  • An email was sent from a commonly seen domain that has historically passed DKIM checks and has no indication of proper signing from the email's sender
  • This deviation may indicate an attempt to spoof or impersonate a legitimate external sender.
  • Such sudden DKIM outcome from a previously trusted external domain warrants further investigation.

Attacker's Goals

Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.

Investigative actions

  • Check the email address for any unusual spellings, missing letters, or unknown domains.
  • Examine the sender's IP address and reputation, and check why DKIM didn't pass.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.


Known domain suspicious DKIM result

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Impersonation (T1656)

Severity

Informational

Description

  • An email was sent from a commonly seen domain that had no other suspicious DKIM outcomes for the past 30 days.
  • This may indicate an attempt to spoof or impersonate a legitimate external sender.

Attacker's Goals

Impersonate internal users or familiar individuals and trick them into clicking on malicious links or attachments.

Investigative actions

  • Check the email address for any unusual spellings, missing letters, or unknown domains.
  • Examine the sender's IP address and reputation, and check why DKIM didn't pass.
  • Verify whether the sender's IP address has appeared in different log sources before, and if it is recognizable.
  • If the message contains attachments/links, scrutinize them for any suspicious indications.
  • Monitor further actions taken, such as file downloads or access to potentially malicious links.