We've noticed some phishing emails that appear to originate from Truist. What's concerning is that these emails have valid SPF, DKIM, and DMARC checks. The headers show they're sent from what looks like legitimate legacy BB&T infrastructure. Given this situation, does it suggest that their email-sending infrastructure is compromised or misconfigured? How can all three authentication methods pass if these emails are illegitimate?
5 Answers
It might just be a compromised email account on their side. If someone's hijacked their DNS to set up DKIM pairs, they could manage to authenticate and relay through Truist's mail servers. Since both bbtnet and bbandt are Truist domains, it seems like these emails are indeed coming from their infrastructure, which explains the SPF passing.
I suspect it’s more of a misconfiguration than a full-on compromise. If DKIM is passing, it means the emails are signed with a key that’s supposed to be theirs. This could mean their DNS settings were altered, or their mail server that holds the private key has been compromised.
If you're receiving these messages, it's crucial to check if your mail transfer agent (MTA) is correctly validating DKIM signatures and SPF alignment. If your MTA is working fine but you have suspicious incoming mail, check their SPF record for IP alignment. If that checks out, there’s something shady going on with their signing process.
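To make the alignment check in this answer concrete, here is an added example (not from the thread) that reads the receiving MTA's RFC 8601 Authentication-Results header and reports which authenticated identifier, if any, aligns with the RFC5322.From domain under DMARC's relaxed or strict mode. The header strings and the example-bank.test domain are constructed, and the organizational-domain logic is a simplification (last two labels) instead of a Public Suffix List lookup.

```python
"""DMARC identifier alignment from an Authentication-Results header (illustrative)."""
import re

# Constructed headers, not real messages. First: mail that genuinely traversed the
# bank's own infrastructure (SPF and DKIM both pass and align). Second: a third-party
# sender whose SPF/DKIM pass for its own domain but do not align with the From domain.
OWN_INFRA_HEADER = (
    "mx.example.net; "
    "spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example-bank.test; "
    "dkim=pass (signature was verified) header.d=mail.example-bank.test header.s=sel1; "
    "dmarc=pass action=none header.from=example-bank.test"
)
THIRD_PARTY_HEADER = (
    "mx.example.net; spf=pass smtp.mailfrom=bulk-esp.test; dkim=pass header.d=bulk-esp.test"
)


def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organizational domain.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: strict ('s') = exact match, relaxed ('r') = same org domain."""
    d, f = domain.lower(), from_domain.lower()
    return d == f if mode == "s" else org_domain(d) == org_domain(f)


def _results(method: str, idtag: str, text: str) -> list:
    """Return (result, domain) pairs for every '<method>=... <idtag>=...' clause."""
    return re.findall(rf"{method}=(\w+)[^;]*?{idtag}=(?:[^@\s;]+@)?([\w.-]+)", text)


def evaluate_dmarc(auth_results: str, from_domain: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Report which passing identifiers align with the From domain; DMARC passes if either does."""
    spf_ok = any(r == "pass" and aligned(d, from_domain, aspf)
                 for r, d in _results("spf", r"smtp\.mailfrom", auth_results))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in _results("dkim", r"header\.d", auth_results))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    print(evaluate_dmarc(OWN_INFRA_HEADER, "example-bank.test"))
    print(evaluate_dmarc(OWN_INFRA_HEADER, "example-bank.test", aspf="s", adkim="s"))
    print(evaluate_dmarc(THIRD_PARTY_HEADER, "example-bank.test"))
```

A DMARC pass only establishes that the message came through senders the From domain has authorized (its SPF-listed hosts or its DKIM keys), which is exactly why mail relayed by a compromised account or an internal open relay passes all three checks while still being illegitimate.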
There's been a rise in Direct Send exploits lately, which could allow someone to spoof internal addresses without triggering DMARC protections. With a large organization like Truist, there’s a chance that automated systems could be misused this way, resulting in harmful emails being forwarded to clients.
I think it's essential to report this to their security team. Most likely, their infrastructure is being exploited rather than outright compromised. Possible causes could be an open relay or a compromised mail account using their legitimate mail transfer agents.