Spoofing, Mailers and DMARC

JohnB67 21 Reputation points
2022-06-17T08:08:41.157+00:00

Hi All

I understand that if my company wants to use a mailing company to send mass emails, there are issues around these emails arriving in recipients' inboxes due to their being flagged as 'spoofing'.

For example, an org we are working with has started using SendGrid to send mass emails to both internal and external staff.

Both the internal and external emails are going to junk. The org's anti-spam policy has the spoofing emails setting 'send to users' junk', and I am assuming the external emails are going into junk for the same spoofing reason.

We have contacted SendGrid and they have provided us with DKIM records to add to the org's external DNS for that domain, which should allow SendGrid to 'send as' that org.

I had assumed that it would be SendGrid's IP address we would have to add to the domain's external DNS records. Will DKIM do the same job?

If so, will adding SendGrid's DKIM be enough to ensure that external emails to domains like Yahoo, for example, will go into the users' inbox?

My worry is that even with SPF and DKIM in place, if the 'From' field is different from the 'return path', then even if DKIM and/or SPF passes, the org's internal policy will still see these emails as spoofing and will still junk them.

So my questions are as follows, if someone with knowledge of this can assist:

  1. Will adding SendGrid's DKIM into the domain's external DNS allow these emails to bypass spam filtering on external emails? Will this officially 'sign' these emails as coming from the domain itself rather than SendGrid?
  2. What's the difference between using SendGrid's SPF and using their DKIM records in the domain's external DNS? Is it better to use both?
  3. For internal emails, because the From field will be different from the return path, should we then look at utilising Defender or Exchange tools to resolve this? I don't want to exclude the sending email address from spam filtering, as has been suggested to me. That would bypass all stacks of spam filtering and imo is a last resort. Is it suggested here that we use a mail flow rule, or are there any spoofing tools in Office 365 we can use that would allow SendGrid to spoof as the domain?

Hope that makes sense :)

Exchange | Exchange Server | Management

3 answers

  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2022-06-17T15:45:49.65+00:00
    1. If they are stamping the DKIM correctly, and also sending as your domain in the FROM: header (not the return-path, for DKIM), then they should be correctly aligned and pass DMARC. To pass DKIM alignment: https://mxtoolbox.com/dmarc/dkim/dkim-alignment. Note, just because a message passes DMARC doesn't mean the recipient will allow it. You have no control over that.
    2. It's better to use both in most cases. Confirm with SendGrid that no other org can compromise those sending IPs, and add them to your SPF as well if so. If the return-path and the FROM do not match, however, then SPF will fail DMARC alignment.
    3. I would create a transport rule or use the Tenant Allow List and add the sending IPs as an allowed spoof: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-tenant-allows?view=o365-worldwide#create-spoofed-sender-allow-entries-using-microsoft-365-defender

    or for a rule:

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365?view=o365-worldwide#recommended-use-mail-flow-rules

    You should also set up DMARC to make this all come together:

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email?view=o365-worldwide


  2. JohnB67 21 Reputation points
    2022-06-21T07:05:12.843+00:00

    Thanks Andy

    So if I am adding the SendGrid sending email address into the tenant allow list for spoofing, it should be added as follows?

    <Spoofed user>, <Sending infrastructure>.

    So the spoofed user is our domain.

    I am unsure what email address to put into the sending infrastructure. See below; this is from the email header of one of the spoofed emails. The sending infrastructure is SendGrid, but they are using a return path of thinksmart.com?

    compauth=fail reason=000
    Return-Path: bounces+6640241-e10c-our.user=******@em2429.thinksmart.com
    From Address: ******@ourdomain.com
    Protection Policy Category: SPOOF

    received-spf: Pass (protection.outlook.com: domain of em2429.thinksmart.com designates 168.245.109.52 as permitted sender) receiver=protection.outlook.com; client-ip=168.245.109.52; helo=o1.email.thinksmart.com;

    authentication-results: spf=pass (sender IP is 168.245.109.52) smtp.mailfrom=em2429.thinksmart.com; dkim=pass (signature was verified) header.d=thinksmart.com;dmarc=fail action=quarantine header.from=ourdomain.co.uk;compauth=fail reason=000


  3. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2022-06-21T11:38:36.78+00:00

    The sending infrastructure would be:
    SendGrid should be able to tell you what IPs these will come from as well.

    The domain found in a reverse DNS lookup (PTR record) of the source email server's IP address (for example, fabrikam.com).
    If the source IP address has no PTR record, then the sending infrastructure is identified as <source IP>/24 (for example, 192.168.100.100/24).
    A verified DKIM domain.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide


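As an added example, not code from the thread, SendGrid or Microsoft, the following Python re-runs the DMARC identifier-alignment check described in the first answer (RFC 7489) over the Authentication-Results header posted above, and then derives the candidate "sending infrastructure" values listed in the last answer for a spoofed-sender allow entry. The header text is the one from the thread with its redactions kept; the "fixed" header, the small organizational-domain suffix table and the PTR name are assumptions, since the script runs offline and does no DNS lookups.

```python
"""
Added example (not from the thread, SendGrid or Microsoft): DMARC alignment
check over the Authentication-Results header posted in the thread, plus the
candidate "sending infrastructure" values for a Defender spoof-allow entry.
Runs offline; no DNS lookups are made.
"""
import ipaddress
import re

# Header copied from the thread's "authentication-results" line.
THREAD_AR = (
    "spf=pass (sender IP is 168.245.109.52) smtp.mailfrom=em2429.thinksmart.com; "
    "dkim=pass (signature was verified) header.d=thinksmart.com;"
    "dmarc=fail action=quarantine header.from=ourdomain.co.uk;"
    "compauth=fail reason=000"
)

# Constructed (assumption): the same message once SendGrid's DKIM CNAMEs are
# published for the org's domain so the signature's d= is that domain. The
# return path is left unchanged to show DKIM alone producing alignment.
FIXED_AR = (
    "spf=pass (sender IP is 168.245.109.52) smtp.mailfrom=em2429.thinksmart.com; "
    "dkim=pass (signature was verified) header.d=ourdomain.co.uk;"
    "dmarc=pass action=none header.from=ourdomain.co.uk"
)

# Stand-in for the Public Suffix List (assumption): enough to reduce the
# domains on this page to their organizational domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

TOKEN = re.compile(r"([\w.]+)=([^\s;]+)")


def org_domain(name: str) -> str:
    """Organizational domain, as used by DMARC relaxed alignment."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_authentication_results(header: str) -> dict:
    """Turn 'method=result (comment) prop=value; ...' into nested dicts."""
    parsed = {}
    for clause in header.split(";"):
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop comments
        tokens = TOKEN.findall(clause)
        if not tokens:
            continue
        method, result = tokens[0]
        parsed[method] = {"result": result, **dict(tokens[1:])}
    return parsed


def aligned(auth_domain: str, header_from: str, mode: str = "r") -> bool:
    """Identifier alignment: strict (exact match) or relaxed (same org domain)."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == header_from.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(header_from)


def evaluate_dmarc(header: str, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if an aligned DKIM signature OR an aligned SPF check passes.
    A passing but unaligned result (as in the thread) does not help."""
    ar = parse_authentication_results(header)
    header_from = ar.get("dmarc", {}).get("header.from", "")
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_pass = spf.get("result") == "pass"
    dkim_pass = dkim.get("result") == "pass"
    spf_ok = spf_pass and aligned(spf.get("smtp.mailfrom", ""), header_from, aspf)
    dkim_ok = dkim_pass and aligned(dkim.get("header.d", ""), header_from, adkim)
    return {
        "header_from": header_from,
        "spf_pass": spf_pass,
        "spf_aligned": spf_ok,
        "dkim_pass": dkim_pass,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": spf_ok or dkim_ok,
    }


def sending_infrastructure(header: str, client_ip: str, ptr_name: str = "") -> list:
    """Candidate 'sending infrastructure' values per the doc quoted in the last
    answer: the PTR name of the source IP, else <ip>/24, plus a verified DKIM
    domain. The PTR name must be supplied by the caller (no DNS here)."""
    ar = parse_authentication_results(header)
    candidates = []
    if ptr_name:
        candidates.append(ptr_name.lower().rstrip("."))
    else:
        candidates.append(str(ipaddress.ip_network(f"{client_ip}/24", strict=False)))
    dkim = ar.get("dkim", {})
    if dkim.get("result") == "pass" and dkim.get("header.d"):
        candidates.append(dkim["header.d"].lower())
    return candidates


if __name__ == "__main__":
    for label, hdr in (("as posted", THREAD_AR), ("with aligned DKIM", FIXED_AR)):
        print(label, evaluate_dmarc(hdr))
    # Spoofed user = the From domain; no PTR is known here, so the /24 applies.
    print("spoofed user:", evaluate_dmarc(THREAD_AR)["header_from"])
    print("sending infrastructure:", sending_infrastructure(THREAD_AR, "168.245.109.52"))
```

Run against the thread's header, both SPF and DKIM pass but neither identifier (em2429.thinksmart.com, thinksmart.com) shares an organizational domain with the From domain, which is exactly why the header carries dmarc=fail; only when the DKIM d= becomes the org's own domain does DMARC pass, regardless of the return path.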
