This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 62%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
We are working towards switching our company domain's DMARC record from p=none to p=reject, and have Exchange On-Prem (2016) and Exchange Online Protection as our front end SMTP gateway. One of our bigger concerns is how p=reject will affect On-Prem distribution groups with external contacts as members. It's my understanding that this could cause DMARC to fail when an external member replies to the group and others receive this reply externally - it will have a Header From of johndoe@externalsender.com and an Envelope From of InternalDomain.com and cause such messages to be considered spoofing attempts by most spam filters, causing messages to be rejected or quarantined due to lack of alignment even though the messages are DKIM signed. We therefore are concerned we may see widespread complaints once we switch over.
I've seen some discussion of a few ways of mitigating this - one being ARC (which is being implemented via EOP this year - https://m365admin.handsontek.net/microsoft-defender-for-office-365-exchange-online-protection-customizable-authenticated-received-chain-arc-configuration/) but that may not help us given our mailboxes and groups are hosted on-prem. Another possibility is header rewriting via our Edge servers (https://learn.microsoft.com/en-us/exchange/architecture/edge-transport-servers/address-rewriting?view=exchserver-2019), which would be great if we could only target external replies to DLs. Finally, a third costlier option would be switching our DLs to an external ListServ provider that is DMARC compliant - something we could certainly consider if that ends up being our best option.
Has this issue been mitigated in any other fashion I'm not aware of? What have others done to avoid this pain point? I imagine this would be affecting lots of companies as more and more spam filters put an emphasis on DMARC passing.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 67%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Just like what you said above, seems no better choice to resolve this issue.
ARC tries to solve that, but for the time being it only supports O365 recipients.
And For address rewriting, we cannot specify only target external replies to DLs.