Genuine Spoofing - further question

DaNmAN 201 Reputation points
2021-05-04T12:09:03.54+00:00

Hi

I raised a request recently and I accepted the answer and it was closed.

I have a further question though.

https://learn.microsoft.com/en-us/answers/questions/378681/genuine-spoofing.html

The original question was

On our customer facing site we have a contact form for users to fill in. This contact form is managed by Sendinblue.

When users complete this form an email is sent to a shared mailbox within our domain.

Sendinblue have spoofing in place so that when the email comes into our shared mailbox it appears to have come from the user that filled in this form (they add their email into the form).

EOP is correctly picking this up as spoofing and sends these emails to the junk folder in the shared mailbox.

We are considering creating a new anti spam policy to resolve this and targeting only the shared mailbox and including an allow for @smtp-relay.sendinblue.com

Doing this however would open this mailbox up to more junk.

Would this be the best way to approach a situation like this?

The response I received was to use a transport rule targeting @smtp-relay.sendinblue.com and to use DMARC, as this would be more secure.

My question, though, is: if the email is being spoofed, would the DMARC not be pointing to the user who filled in the form rather than Sendinblue?

Exchange Online

A cloud-based service included in Microsoft 365, delivering scalable messaging and collaboration features with simplified management and automatic updates.

Exchange | Exchange Server | Management

The administration and maintenance of Microsoft Exchange Server to ensure secure, reliable, and efficient email and collaboration services across an organization.

10 answers

  1. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2021-05-05T12:52:25.35+00:00

    No, it won't affect it. Reject means "Reject" messages that fail DMARC. If you add the sending IPs to your SPF record, they will PASS DMARC :)

    And I would not recommend adding the IPs to Connection Filtering. That defeats the whole purpose of the transport rule. All you care about is that it passes DMARC and if you add the sending IPs to your SPF record in DNS, it will.

  2. DaNmAN 201 Reputation points
    2021-05-05T11:45:01.4+00:00

    Thanks guys, appreciate the info.

    To muddy the water a little.

    Our current DMARC record is set to Quarantine. Our security team have requested we change this to Reject.

    The concern is we have lots of these contact forms in place, so if we set the DMARC to reject, would this then affect these emails arriving from these forms?

  3. KyleXu-MSFT 26,406 Reputation points
    2021-05-05T07:26:30.383+00:00

    @DaNmAN

    If you think the “allowed domain name” in the transport rule isn't safe enough, you can add the sender IP to connection filtering: Configure connection filtering

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

  4. DaNmAN 201 Reputation points
    2021-05-04T13:14:05.327+00:00

    Hi Andy

    Thanks again

    Are you suggesting we do the above along with the transport rule? Or instead of?


  5. Andy David - MVP 160.2K Reputation points MVP Volunteer Moderator
    2021-05-04T12:23:37.817+00:00

    Hey, no, DMARC applies to the sending server.

    If the sending org is sending as a user in your org, then add the sending server's IP send range to your SPF record.

    That way, it will pass DMARC. Ask the vendor what IPs they send from and add that to your SPF record.

    Hope that makes sense...

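Added example, not part of the original thread and not any participant's code: the following Python evaluates SPF `ip4:` mechanisms and relaxed DMARC alignment for a relayed contact-form message, comparing a From: address in the mailbox owner's domain with a From: address set to the form visitor's own address. The domains, IP ranges and the visitor domain's `quarantine` policy are constructed placeholders, and the organizational-domain rule is a simplification.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def org_domain(addr_or_domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # implementations use the Public Suffix List instead.
    domain = addr_or_domain.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(domain.split(".")[-2:])

def spf_check(record, client_ip):
    """Evaluate only ip4: and all mechanisms (no include/a/mx/redirect)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" tag
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULT[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"

def dmarc_check(header_from, mail_from, spf_result, dkim_pass_domains, from_policy):
    """Relaxed alignment: SPF or DKIM must pass for a domain matching From:."""
    from_org = org_domain(header_from)
    spf_ok = spf_result == "pass" and org_domain(mail_from) == from_org
    dkim_ok = any(org_domain(d) == from_org for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else from_policy

# Constructed sample data: example.com is the mailbox owner's domain,
# 203.0.113.25 stands in for the form vendor's sending IP.
VENDOR_IP = "203.0.113.25"
SPF_BEFORE = "v=spf1 ip4:198.51.100.0/24 -all"
SPF_AFTER = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all"

def scenarios():
    out = {}
    # Form mail sent as an address in the owner's domain, p=reject published.
    for name, record in (("own_before", SPF_BEFORE), ("own_after", SPF_AFTER)):
        spf = spf_check(record, VENDOR_IP)
        out[name] = dmarc_check("forms@example.com", "bounce@example.com", spf, [], "reject")
    # Form mail sent as the visitor's address: the vendor's SPF/DKIM pass does not
    # align with From:, and the policy applied is the visitor domain's (assumed quarantine).
    out["visitor_from"] = dmarc_check("visitor@visitor.example", "bounce@relay.vendor.example",
                                      "pass", ["vendor.example"], "quarantine")
    return out

if __name__ == "__main__":
    print(scenarios())
```
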
