Hi,

We are using O365 with multiple domains, call them main.com and subbrand.com, in the same tenant + AD domain. We have people in subbrand.com sending mail "onBehalfOf" of the [email protected] mailbox. The advantage of this is that the recipient can see the name of the consultant who answered.
This is implemented by Microsoft by using header.from = [email protected], and then they use Sender: [email protected] and pick the subbrand.com domain for the DKIM signature. Smtp.from is also [email protected]. The result is that SPF is valid but unaligned, and DKIM is valid but unaligned.

By giving [email protected] SendAs permission on the shared mailbox, all [email protected] identity information is stripped, and we get correctly aligned SPF and DKIM. But the recipient can't see who the original sender was.

To fix this, and support SendOnBehalf, I suggest that a feature is added to DMARC / DMARC validators. Have it look up the subbrand selector on the main domain if there is a signature. Say I get a subbrand.com signature, but RFC5322.From is main.com, then looking up selector1.subbrand.com._domainkey.main.com and validating that would solve our issues with multiple domains.

It would work for this case, and could still be limited to the one DNS lookup, as DMARC would see that the DKIM domain does not match the RFC5322.From, so before even validating it would look up in the main.com domain, using the joined s+d as a new selector.

It would also make it easier to outsource other mail processing.

Example of mail that could be DMARC validated this way:

From: Logistik - Shared Mailbox < [email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=subbrand.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/7WJf8aDqzLc+Rk1lvDhG/l0uAPN+

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
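The following is an added example, not part of the original post: a Python sketch that checks relaxed DKIM alignment for a message like the one above and derives both the standard DKIM key name and the extra lookup name the post proposes. The sample message, its addresses, the two-label `org_domain` shortcut and the function names are assumptions; the proposed lookup is the poster's suggestion and is not part of DMARC or DKIM.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the post: the addresses and the bh=/b= values
# are placeholders, not taken from the original mail.
SAMPLE = """\
From: Logistik - Shared Mailbox <logistik@main.com>
Sender: consultant@subbrand.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=subbrand.com;
 s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=PLACEHOLDER; b=PLACEHOLDER
Subject: constructed example

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real validator
    # uses the Public Suffix List for this step.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_tags(value):
    # Split a DKIM-Signature value into its tag=value pairs (folding removed).
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def evaluate(raw):
    # For each signature: relaxed DKIM alignment against RFC5322.From, the
    # standard key name, and the extra name the post proposes when unaligned.
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        d, s = tags["d"].lower(), tags["s"]
        aligned = org_domain(d) == org_domain(from_domain)
        results.append({
            "from_domain": from_domain,
            "aligned": aligned,
            "standard_lookup": f"{s}._domainkey.{d}",
            # Hypothetical lookup from the post; not part of DMARC or DKIM.
            "proposed_lookup": None if aligned else f"{s}.{d}._domainkey.{from_domain}",
        })
    return results
```

Under the proposal, a key record published at the `proposed_lookup` name would be main.com's explicit authorization for subbrand.com signatures; the sketch only derives the names and does not perform DNS queries or signature verification.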
