Email delivery problem involving DMARC policy

Question

Hi,

I'm looking for a good category to ask this question, but can't seem to find one. My question is regarding emails sent to outlook and related email addresses, sometimes being rejected when they shouldn't be.

We've been sending marketing emails for many years via Amazon SES, and in the past we have had some issues with forwarded emails not passing SPF validation because the forwarding server IP doesn't match our IP - that I understand and it makes sense. Recently, Microsoft seems to have made some changes, including respecting DMARC records: https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883

We notice now that we are getting different type of delivery failures, with the following message: "Access denied, sending domain [example.com] does not pass DMARC verification and has a DMARC policy of reject." However, the email headers also indicate that both SPF and DKIM passed, and it doesn't appear to be a email forwarding related problem. Our DNS records are all correct. It seems to be an error that DMARC verification failed, or I'm not understanding the headers. I would like to send the email headers to an admin / support at Microsoft to take a look at. What is the best channel for this?

Thanks, Andrew

Answer 1

I got a similar problem with email being sent from client's file sharing service getting quarantined. My DMARC is set to quarantine so when my users upload documents to client's file sharing service, an email notification is sent to both the client and our user. The email looks like the following:

From: our-user @ our-domain.com

To: our-user @ our-domain.com

and that email gets quarantined.

My solution is to add new entries in the Tenant Allow/Block Lists to allow "internal spoofing". So an email:

From: our-user @ our-domain.com

To: our-user @ our-domain.com

from the IP address on the Tenant Allow/Block Lists is allowed to be sent to user's Inbox.

Add new entry into the list (never mind the invalid IP... it's just an example):

Answer 2

Hi Andrew

I'm Diane and I'm happy to help you today.

Do you have SES in your SPF record? Is your DMRC record set to reject?

Let me know how it goes, I'm here to help you further if needed.

-- Diane

Answer 3

Hi Andrew I'm Diane and I'm happy to help you today. Do you have SES in your SPF record? Is your DMRC record set to reject? Let me know how it goes, I'm here to help you further if needed. -- Diane

Thanks for your reply. Yes, SES is in our SPF record, and DMARC is set to reject.

Here are the email headers. I've attempted to remove all identifying information. RECIPIENT_EMAIL is the email address we are sending to, and OUR_DOMAIN is the domain that's in our records etc.

This doesn't seem to be a very big issue, as after finishing our mass email send - there were only seven of these bounces out of probably thousands of outlook and hotmail addresses. Nevertheless, I would like to understand if there's a way we can fix it, or if it is out of our control. As I said, the email rejection message says "Ac cess denied, sending domain [OUR_DOMAIN] does not pass DMARC verification" However this doesn't seem to be consistent with the headers as I don't see a reason for the rejection.

---

Original message headers:

Received: from AS8P250MB0379.EURP250.PROD.OUTLOOK.COM (2603:10a6:20b:37f::17) by AS8P250MB0201.EURP250.PROD.OUTLOOK.COM (2603:10a6:20b:378::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.26; Wed, 13 Dec 2023 11:22:06 +0000

Resent-From: ******@msn.com

Received: from AS8P250MB0379.EURP250.PROD.OUTLOOK.COM ([::1]) by AS8P250MB0379.EURP250.PROD.OUTLOOK.COM ([fe80::33f0:efbc:9a8a:9ec2%4]) with Microsoft SMTP Server id 15.20.7091.022; Wed, 13 Dec 2023 11:22:06 +0000 Authentication-Results: spf=pass (sender IP is 54.240.48.130) smtp.mailfrom=amazonses.com; dkim=pass (signature was verified) header.d=OUR_DOMAIN.com;dmarc=pass action=none header.from=OUR_DOMAIN.com;compauth=pass reason=100 Received-SPF: Pass (protection.outlook.com: domain of amazonses.com designates 54.240.48.130 as permitted sender) receiver=protection.outlook.com; client-ip=54.240.48.130; helo=a48-130.smtp-out.amazonses.com; pr=C X-IncomingTopHeaderMarker: OriginalChecksum:C51D9C4854F07BB2014CEA5EA1A8BCC1E8F2B4AB42490DCAE5121024CC0AB133;UpperCasedChecksum:E7A6E80B40CC4455790443470A2B71111931E37DD258F9C2A521F54CDCC1E90F;SizeAsReceived:1780;Count:15

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=4n6mil5m2aokdhhj32stqxmtg3f5qlx7; d=OUR_DOMAIN.com; t=1702466515; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding; bh=NdeEwfegHNijlYO5sqqBMJc02DF3Sr9k1r8s/a5UfPU=; b=SIGNATURE

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1702466515; h=Date:To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=NdeEwfegHNijlYO5sqqBMJc02DF3Sr9k1r8s/a5UfPU=; b=SIGNATURE

Date: Wed, 13 Dec 2023 11:21:55 +0000 To: ******@msn.com

From: OUR_FROM_ADDRESS

Reply-To: OUR_REPLY_TO_ADDRESS Subject: OUR SUBJECT

Message-ID: <******@email.amazonses.com>

X-Mailer: Sendy (https://sendy.co)

List-Unsubscribe: OUR_UNSUBSCRIBE_URL MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_7e6f0441177234e04dda46d09e17c259" Content-Transfer-Encoding: 8bit Feedback-ID: 1.us-east-1.kjXrcDalMJMpz7CCW9L7doA0XT2FretAQArr48haQmY=:AmazonSES X-SES-Outgoing: 2023.12.13-54.240.48.130

X-IncomingHeaderCount: 15

Return-Path: sales@OUR_DOMAIN.com

X-EOPAttributedMessage: 0

X-EOPTenantAttributedMessage: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa:0

X-MS-PublicTrafficType: Email

X-MS-TrafficTypeDiagnostic: CO1NAM11FT047:EE_|AM8P250MB0172:EE_|AS8P250MB0379:EE_|AS8P250MB0201:EE_

X-MS-UserLastLogonTime: 12/13/2023 11:04:35 AM X-MS-Office365-Filtering-Correlation-Id: 55ef3a35-2222-48e4-17b6-08dbfbcdb713

X-MS-Exchange-EOPDirect: true X-Sender-IP: 54.240.48.130 X-SID-PRA: SALES@OUR_DOMAIN.COM X-SID-Result: PASS

X-Microsoft-Antispam: BCL:1; X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Dec 2023 11:21:55.8750 (UTC)

X-MS-Exchange-CrossTenant-Network-Message-Id: 55ef3a35-2222-48e4-17b6-08dbfbcdb713

X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa

X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT047.eop-nam11.prod.protection.outlook.com

X-MS-Exchange-CrossTenant-AuthAs: Anonymous

X-MS-Exchange-CrossTenant-FromEntityHeader: Internet

X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000

X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM8P250MB0172

X-MS-Exchange-Transport-EndToEndLatency: 00:00:09.1591982

X-MS-Exchange-Processed-By-BccFoldering: 15.20.7091.020 X-MS-Exchange-Inbox-Rules-Loop: ******@msn.com

X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-e3d53.templateTenant

Answer 4

This doesn't seem to be a very big issue, as after finishing our mass email send - there were only seven of these bounces out of probably thousands of outlook and hotmail addresses.

It looks like it is a random thing. The header looks good.

Are the rejections random or the same recipients each send?

The error isn't a general "we don't want your mail" message - and if they marked it as junk, Sendy will not send to that address again.

Answer 5

It looks like it is the same recipients each time.

As I think I said before, this is reminiscent of a problem we've had for years, where if an outlook user had forwarded their email address, the validation wouldn't pass. That problem I understood. It is about the same percentage of emails that we see currently having this new problem. I was looking at the "Resent by" header and thinking that perhaps that indicates that the message is being forwarded, but the original headers preserved.

Anyways, I appreciate your time taking a look at it. Maybe it will remain a mystery.

Andrew