
I'm still learning infrastructure stuff and need to ask a question which relates to DMARC. A user in the organisation has an app which is sending marketing messages to staff within the business. The messages leave the network and come back in, but are detected as SPAM.

I have had a look and it seems that we would need to get the IP address of the source to be whitelisted through DMARC.

We have a DMARC record on external DNS and we have a DKIM policy. I can verify this from a combination of using online checker tools, the message headers from an email and looking at the DNS records. Does this mean that in order to allow the messages from the user's app, I will only need to add the IP address of the source to the SPF record?

Are there more steps involved? If so, would someone be kind enough to point me in the right direction please?

UPDATE:

I had a look at the Dynamics 365 Marketing app and there was a message suggesting I look at the article below:

https://docs.microsoft.com/en-gb/dynamics365/marketing/mkt-settings-authenticate-domains

I got the user to go to "Settings > Advanced settings > Marketing settings > Authenticated domains" in dynamics and they have added the domain for the organisation.

This generated the DNS records that need to be added.

What I am confused about is that the TXT record has a host name of the top-level domain of the organisation. If I add that to the DNS zone in Azure, will it cause any problems or issues with the mail flow or anything else?

RLBChrisBriant
  • What are you seeing in the DMARC reports for the disposition of the outgoing e-mails, and more importantly the reason for the disposition? Note that SPF and DKIM are NOT in any way binding on the recipient mail server, and you should run a blacklist check on your outbound IP address(es). Still further, you should set a DNS A and/or AAAA record for the e-mail server domain, e.g. mail.domain.com (doesn't really matter) for EACH outbound IP address, and have your service provider add a corresponding PTR record (with TTL of 24 hours) on each outbound IP address. – Colt Jan 31 '21 at 10:40
  • Finally, you should sanitize and share your DMARC and SPF records (edit your question to include) so users here can check syntax, and verify intended result. – Colt Jan 31 '21 at 10:47
  • If it is your organization's internal e-mail server that is treating the messages as SPAM, look there to see why. – Colt Jan 31 '21 at 10:54
  • We use Office 365 so the messages are being marked as SPAM by that. Am I going down the wrong path with DMARC? In the message headers for a test email, it says dkim=fail. Is that the reporting you are referring to? Sorry, I'm not that experienced with DMARC so this is a bit hard for me to grasp. The user's app is in Dynamics. Could there be multiple IP addresses? – RLBChrisBriant Jan 31 '21 at 11:31
  • For how DMARC works and is setup see the [DMARC Overview](https://dmarc.org/overview/), and other resources at that site as well as [RFC 7489](https://tools.ietf.org/html/rfc7489), which will fill in the gaps for your particular deployment. If you are trying to send e-mail from a dynamic IP address you are going to have problems ... that is how spammers send e-mail. – Colt Jan 31 '21 at 15:41
  • If you are sending from one or more IP addresses that are actually assigned by the ISP to your organization, but are labeled as "dynamic" in reverse DNS records, that is fixable by getting the ISP to create a PTR pointing to the A record of the sending mail server as previously noted. – Colt Jan 31 '21 at 15:42
  • If you look through the resources identified for you, you will see that in a typical setup SPF and DKIM can both be strictly applied while DMARC passes so long as either SPF or DKIM passes. If your DKIM is failing, you should find out what is wrong with your setup. Note also (see referenced documentation) that the DMARC policy (instruction to receiving server) can allow e-mail to pass as you test your setup, and simply report results back to you until you are confident that you have not inadvertently blocked all of your email. **Also see same documentation for setting up reporting.** – Colt Jan 31 '21 at 15:51
  • If set up correctly these tools (and proper reverse DNS entries) will go a long way to getting your e-mail through, but you can very easily screw yourself with this also (e.g. block all outgoing e-mail from your organization). You should _make sure that you actually understand ALL of the official documentation_ before fooling around with these, as opposed to following some online guide. **Set up DNS (on appropriate IP addresses), get removed from any blacklists, set up DMARC in reporting only mode, and collect results. Your _specific_ problems can then be addressed by the community here.** – Colt Jan 31 '21 at 15:59
  • Many thanks for your help on this I will have a look at those documents. – RLBChrisBriant Jan 31 '21 at 19:54
  • I've added some more details into the main question as I was looking at this today. Are you able to take a look? I think it's okay, but not sure exactly if the TXT record it is asking to add is right. – RLBChrisBriant Feb 01 '21 at 18:19
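The thread above turns on three things that are easy to get wrong when reading headers by hand: how an SPF record authorizes a sending IP (including through `include:`), why DMARC can still pass when `dkim=fail` appears as long as the other mechanism passes and is aligned with the From domain, and what happens if a second `v=spf1` TXT record is pasted at the zone apex. The script below is an added example written for this page, not code from the question, from Microsoft, or from any of the linked documents. It evaluates SPF and DMARC against a constructed in-memory "zone" (placeholder names and documentation-range addresses, not the asker's organisation) so it runs offline; only the `ip4`/`ip6`/`include`/`all` mechanisms are implemented, `org_domain` is a naive two-label approximation of the Public Suffix List, and `pct=` is ignored.

```python
import copy
import ipaddress
from typing import Dict, List

# Constructed stand-in for DNS so the script runs offline. Names and
# addresses are placeholders, not the asker's zone.
FAKE_ZONE: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 ip4:203.0.113.10 include:_spf.mailer.example -all",
        "site-verification=abc123",  # unrelated apex TXT: harmless for SPF
    ],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com; adkim=r; aspf=r"
    ],
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt(name: str, zone: Dict[str, List[str]]) -> List[str]:
    """Return the TXT strings published at name (case-insensitive, no trailing dot)."""
    return zone.get(name.lower().rstrip("."), [])


def spf_records(domain: str, zone: Dict[str, List[str]]) -> List[str]:
    """Only TXT strings starting with v=spf1 count as SPF records."""
    return [r for r in txt(domain, zone) if r.lower().startswith("v=spf1")]


def check_spf(ip: str, domain: str, zone: Dict[str, List[str]], depth: int = 0) -> str:
    """Evaluate ip against domain's SPF record (ip4/ip6/include/all only)."""
    recs = spf_records(domain, zone)
    if not recs:
        return "none"
    if len(recs) > 1 or depth > 10:
        return "permerror"  # two v=spf1 records, or include chain too deep
    addr = ipaddress.ip_address(ip)
    for term in recs[0].split()[1:]:
        if "=" in term:  # modifier (redirect=, exp=): not handled in this toy
            continue
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if net.version == addr.version and addr in net:
                return QUALIFIER[qual]
        elif mech == "include":
            sub = check_spf(ip, arg, zone, depth + 1)
            if sub == "pass":
                return QUALIFIER[qual]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no/invalid SPF
        else:
            return "permerror"  # a/mx/exists/ptr not implemented here
    return "neutral"  # nothing matched and no "all" term


def spf_lookup_count(domain: str, zone: Dict[str, List[str]], seen=None) -> int:
    """Count DNS-querying terms reachable from domain; RFC 7208 caps this at 10."""
    seen = seen if seen is not None else set()
    total = 0
    for rec in spf_records(domain, zone):
        for term in rec.split()[1:]:
            mech = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
            if mech in ("include", "a", "mx", "exists", "ptr", "redirect"):
                total += 1
            if mech in ("include", "redirect"):
                target = term.partition(":" if mech == "include" else "=")[2]
                if target not in seen:
                    seen.add(target)
                    total += spf_lookup_count(target, zone, seen)
    return total


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=...; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, val = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(name: str) -> str:
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    a, b = header_from.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate_dmarc(header_from: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   zone: Dict[str, List[str]]) -> Dict[str, object]:
    """DMARC passes if SPF *or* DKIM passes and is aligned with the From domain."""
    recs = [r for r in txt("_dmarc." + header_from, zone) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return {"dmarc": "none", "spf_aligned": False, "dkim_aligned": False, "disposition": "none"}
    tags = parse_dmarc(recs[0])
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "disposition": "none" if passed else tags.get("p", "none")}


if __name__ == "__main__":
    zone = copy.deepcopy(FAKE_ZONE)
    # The symptom in the question: dkim=fail, but SPF passes and is aligned.
    print(check_spf("203.0.113.10", "example.com", zone))
    print(evaluate_dmarc("example.com", "pass", "example.com", "fail", "example.com", zone))
    # Adding a second v=spf1 TXT at the apex turns every SPF check into permerror.
    zone["example.com"].append("v=spf1 ip4:192.0.2.1 -all")
    print(check_spf("203.0.113.10", "example.com", zone))
```

Run it as-is to see the three cases; to audit a real record, paste the TXT strings you pulled from DNS into the `FAKE_ZONE` dict in place of the placeholders and call `check_spf` with the sending IP from the `Received:` headers, `spf_lookup_count` to stay under the 10-lookup limit, and `evaluate_dmarc` with the `spf=`/`dkim=` results and domains from the `Authentication-Results:` header. The permerror case in `main` is the one to watch when adding vendor-generated TXT records at the apex: extra TXT strings are fine, a second `v=spf1` string is not.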

0 Answers