Genuine Spoofing - further question

DaNmAN 201 Reputation points
2021-05-04T12:09:03.54+00:00

Hi

I raised a request recently, accepted an answer, and it was closed.

I have a further question though.

https://learn.microsoft.com/en-us/answers/questions/378681/genuine-spoofing.html

The original question was

On our customer facing site we have a contact form for users to fill in. This contact form is managed by Sendinblue.

When users complete this form an email is sent to a shared mailbox within our domain.

Sendinblue have spoofing in place so that when the email comes into our shared mailbox it appears to have come from the user that filled in this form (they add their email into the form).

EOP is correctly picking this up as spoofing and sends these emails to the junk folder in the shared mailbox.

We are considering creating a new anti-spam policy to resolve this, targeting only the shared mailbox and including an allow for @smtp-relay.sendinblue.com.

Doing this however would open this mailbox up to more junk.

Would this be the best way to approach a situation like this?

The response I received was to use a transport rule targeting @smtp-relay.sendinblue.com and to use DMARC, as this would be more secure.

My question is, though: if the email is being spoofed, would the DMARC not be pointing to the user who filled in the form rather than Sendinblue?


10 answers

  1. Andy David - MVP 138K Reputation points MVP
    2021-05-04T12:23:37.817+00:00

    Hey, no, DMARC applies to the sending server.

    If the sending org is sending as a user in your org, then add the sending server's IP send range to your SPF record.

    That way, it will pass DMARC. Ask the vendor what IPs they send from and add that to your SPF record.

    Hope that makes sense...

  2. DaNmAN 201 Reputation points
    2021-05-04T13:14:05.327+00:00

    Hi Andy

    Thanks again

    Are you suggesting we do the above along with the transport rule? Or instead of?


  3. KyleXu-MSFT 26,196 Reputation points
    2021-05-05T07:26:30.383+00:00

    @DaNmAN

    If you think the “allowed domain name” in the transport rule isn't safe enough, you can add the sender IP to connection filtering: Configure connection filtering


  4. DaNmAN 201 Reputation points
    2021-05-05T11:45:01.4+00:00

    Thanks guys, appreciate the info.

    To muddy the water a little.

    Our current DMARC record is set to Quarantine. Our security team have requested we change this to Reject.

    The concern is we have lots of these contact forms in place, so if we set the DMARC to Reject, would this then affect these emails arriving from these forms?


  5. Andy David - MVP 138K Reputation points MVP
    2021-05-05T12:52:25.35+00:00

    No, it won't affect it. Reject means "Reject" messages that fail DMARC. If you add the sending IPs to your SPF record, they will PASS DMARC :)

    And I would not recommend adding the IPs to Connection Filtering. That defeats the whole purpose of the transport rule. All you care about is that it passes DMARC, and if you add the sending IPs to your SPF record in DNS, it will.

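Added example (not part of the thread and not any poster's code): a simplified DMARC decision following RFC 7489 with relaxed alignment, showing that the policy applied is the one published by the From: header domain and that an SPF pass only counts when the envelope sender domain aligns with it. The domains, the policy values and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. A real
    # evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

@dataclass
class Message:
    header_from: str        # domain of the visible From: address
    mail_from: str          # envelope sender (Return-Path) domain that SPF checks
    spf_pass: bool          # SPF result for mail_from and the connecting IP
    dkim_domain: str = ""   # d= value of a DKIM signature, empty if unsigned
    dkim_pass: bool = False

def dmarc_disposition(msg: Message, policies: dict) -> str:
    """Return 'pass', or the policy published by the From: domain."""
    target = org_domain(msg.header_from)
    spf_ok = msg.spf_pass and org_domain(msg.mail_from) == target
    dkim_ok = (msg.dkim_pass and msg.dkim_domain != ""
               and org_domain(msg.dkim_domain) == target)
    if spf_ok or dkim_ok:
        return "pass"
    # The policy comes from the From: domain, not from the relay's domain.
    return policies.get(target, "none")

# Constructed sample data (reserved example domains, not from the thread):
# example.com = site owner, example.org = form visitor, example.net = relay.
POLICIES = {"example.com": "reject", "example.org": "quarantine"}
SAMPLES = {
    # From: is the visitor's address; SPF and DKIM pass only for the relay.
    "visitor_in_from": Message("example.org", "bounce.example.net", True,
                               "example.net", True),
    # From: and envelope sender are both in the owner's domain, relay IPs in its SPF.
    "owner_aligned_spf": Message("example.com", "forms.example.com", True),
    # From: is the owner's domain, but the envelope sender is the relay's.
    "owner_unaligned": Message("example.com", "bounce.example.net", True),
}

def evaluate_samples() -> dict:
    return {name: dmarc_disposition(m, POLICIES) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

To see which case a real contact-form message falls into, compare the Return-Path domain and the From: domain in its headers with the Authentication-Results line added by the receiving service.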