CompTIA Exam CS0-003 Topic 2 Question 41 Discussion

Actual exam question for CompTIA's CS0-003 exam

Question #: 41
Topic #: 2

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

AAn insider threat altered email security records to mask suspicious DNS resolution traffic.

BThe message was sent from an authorized mail server but was not signed.

CLog normalization corrupted the data as it was brought into the central repository.

DThe email security software did not process all of the records correctly.

Show Suggested Answer

Suggested Answer: B

Comprehensive and Detailed Step-by-Step The SPF = PASS result confirms the email came from an authorized server, but DKIM = FAIL indicates the message was not properly signed with the expected DomainKeys Identified Mail (DKIM) signature. DMARC = FAIL suggests that because DKIM failed, the overall email authentication failed. This scenario is consistent with a legitimate server sending an unsigned email.

CompTIA CySA+ All-in-One Guide (Chapter 5: Email Analysis)

CompTIA CySA+ Practice Tests (Domain 1.3 Email Authentication)

by Kenneth at Mar 24, 2025, 06:22 AM

Limited Time Offer

25%

Off

Get Premium CS0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Devora

3 days ago

I agree with Lavina, DKIM and DMARC failing indicates lack of proper email signing.

upvoted 0 times

...

Lavina

4 days ago

I think the analyst discovered that the message was sent from an authorized mail server but was not signed.

upvoted 0 times

...