CompTIA CySA+ (CS0-003) — Question 370
A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:
- SPF = PASS
- DKIM = FAIL
- DMARC = FAIL
Which of the following did the analyst most likely discover?
Answer options
- A. An insider threat altered email security records to mask suspicious DNS resolution traffic.
- B. The message was sent from an authorized mail server but was not signed.
- C. Log normalization corrupted the data as it was brought into the central repository.
- D. The email security software did not process all of the records correctly.
Correct answer: B
Explanation
The correct answer is B: an SPF pass shows that the message was sent from a mail server authorized for the sending domain, while the DKIM failure shows that it did not carry a valid signature, and the DMARC check therefore also reported a failure. Options A, C, and D describe tampering with security records, log normalization errors, or incomplete processing by the email security software, none of which is indicated by the specific SPF, DKIM, and DMARC results shown.