CompTIA Exam CS0-003 Topic 2 Question 41 Discussion

Actual exam question for CompTIA's CS0-003 exam

Question #: 41
Topic #: 2

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

AAn insider threat altered email security records to mask suspicious DNS resolution traffic.

BThe message was sent from an authorized mail server but was not signed.

CLog normalization corrupted the data as it was brought into the central repository.

DThe email security software did not process all of the records correctly.

Show Suggested Answer

Suggested Answer: B

Comprehensive and Detailed Step-by-Step The SPF = PASS result confirms the email came from an authorized server, but DKIM = FAIL indicates the message was not properly signed with the expected DomainKeys Identified Mail (DKIM) signature. DMARC = FAIL suggests that because DKIM failed, the overall email authentication failed. This scenario is consistent with a legitimate server sending an unsigned email.

CompTIA CySA+ All-in-One Guide (Chapter 5: Email Analysis)

CompTIA CySA+ Practice Tests (Domain 1.3 Email Authentication)

by Kenneth at Mar 24, 2025, 06:22 AM

Limited Time Offer

25%

Off

Get Premium CS0-003 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Bobbye

3 months ago

You know, I bet the analyst was just sitting there, staring at the screen, wondering if they should call the IT guy or order a pizza. Option B is the winner, but I could go for a slice right about now.

upvoted 0 times

Kerry

2 months ago

I wonder if the IT guy likes pizza too.

upvoted 0 times

...

Nguyet

2 months ago

Definitely, a slice would hit the spot right now.

upvoted 0 times

...

Garry

2 months ago

Yeah, that makes sense. Maybe they should order that pizza after all.

upvoted 0 times

...

Adell

2 months ago

I think the message was sent from an authorized mail server but was not signed.

upvoted 0 times

...

Leonida

3 months ago

Haha, the analyst must have been like, 'Wait, is this a real alert or just a prank?' Option B is the way to go, but where's the fun in that?

upvoted 0 times

Chaya

2 months ago

User 2: Yeah, that sounds like the most likely scenario. The analyst must have been relieved!

upvoted 0 times

...

Quiana

3 months ago

User 1: I think the email was sent from an authorized server but wasn't signed.

upvoted 0 times

...

Lazaro

3 months ago

Alright, let's see... SPF passes, DKIM fails, DMARC fails. Sounds like an authorized server but a missing signature. Option B it is!

upvoted 0 times

...

Tracey

3 months ago

Oh man, I bet the analyst was sweating bullets trying to figure this one out. Option B seems like the clear choice, but you never know with these tricky security questions.

upvoted 0 times

...

Lauran

3 months ago

You know, I bet the security analyst is kicking themselves for not double-checking the email logs. Option D is probably the way to go here.

upvoted 0 times

...

Marva

3 months ago

I believe the answer is B, as SPF passing and DKIM/DMARC failing points to lack of proper email authentication.

upvoted 0 times

...

Pearline

3 months ago

Could it be that the email security software did not process all of the records correctly?

upvoted 0 times

...

Tashia

3 months ago

Hmm, if the SPF passed but the DKIM and DMARC failed, it seems like the message was sent from an authorized server but not properly signed. Option B seems the most likely.

upvoted 0 times