> This is implemented by Microsoft by using header.from = [email protected] -
> And then they use Sender: [email protected] and picks the subbrand.com
> domain for dkim signature. Smtp.from is also [email protected]

To clarify, Office 365 requires the message to be attributed to a particular tenant (either a fully hosted mailbox, or attributed to a customer using a connector [TLS-cert based or IP-based]). If so, it uses the domain in the SMTP MAIL FROM to assign the d= domain in the DKIM signature. If it is <>, it uses the domain in the header.from.

So in your case, you have:

SMTP MAIL FROM: [email protected]
From: [email protected]
Sender: [email protected]
DKIM-Signature: d=subbrand.com

Appears in Outlook as "From: [email protected] on behalf of [email protected]"
Appears in most other clients as "From: [email protected]"

I'm not that familiar with the architecture of shared mailboxes, but rather than changing how DMARC works (and getting industry adoption), more likely Office 365 will play around with the From/Sender/Reply-To/Display Name to get SPF/DKIM/DMARC alignment.

-- Terry

-----Original Message-----
From: dmarc-discuss [mailto:[email protected]] On Behalf Of Povl Hessellund Pedersen via dmarc-discuss
Sent: Thursday, June 30, 2016 12:33 AM
To: '[email protected]'
Subject: [dmarc-discuss] SendOnBehalfOf in O365

Hi,

We are using O365, with multiple domains, call them main.com and subbrand.com - in the same tenant + AD domain.

We have people in subbrand.com sending mail "onBehalfOn" of the [email protected] mailbox. The advantage of this is that the recipient can see the name of the consultant who answered.

This is implemented by Microsoft by using header.from = [email protected] - And then they use Sender: [email protected] and picks the subbrand.com domain for dkim signature. Smtp.from is also [email protected]

The result is that spf is valid but unaligned, and dkim is valid but unaligned.

By giving [email protected] SendAs permission on the shared mailbox, all [email protected] identity information is stripped, and we get correct aligned spf and dkim. But the recipient can't see who was original sender.

To fix this, and support the SendOnBehalf, I suggest that a feature is added to DMARC / DMARC validators. Have it look up the subbrand selector on the main domain if there is a signature.

Say I get a subbrand.com signature, but RFC5322.from is main.com, then looking up the selector1.subbrand.com._domainkey.main.com and validating that would solve our issues with multiple domains.

It would work for this case, and could still be limited to the one DNS lookup, as DMARC would see the DKIM does not match the RFC5322.From, so before even validating it would look up in main.com domain, using the joined s+d as a new selector.

Would also make it easier to outsource other mail processing.

Example of mail that could be dmarc validated this way.

From: Logistik - Shared Mailbox <[email protected]>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=subbrand.com; s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=/7WJf8aDqzLc+Rk1lvDhG/l0uAPN+

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
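
The alignment outcome reported in this thread, worked through as an added example (not part of either message and not Office 365 code). The addresses are constructed placeholders, the SendAs MAIL FROM being the shared mailbox is an assumption, and the organizational-domain helper is a simplification of the Public Suffix List lookup real validators use.

```python
# Added example: DMARC identifier alignment for the two Office 365 send modes
# discussed in this thread. All addresses are constructed placeholders.

def domain_of(addr):
    """Domain part of an address such as 'user@example.com'."""
    return addr.rsplit("@", 1)[1].strip("> ").lower()

def org_domain(domain):
    # Assumption: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def o365_dkim_d(mail_from, header_from):
    """d= selection as described in the reply: MAIL FROM domain,
    or the header From domain when MAIL FROM is the null sender <>."""
    return domain_of(header_from if mail_from == "<>" else mail_from)

def aligned(auth_domain, from_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_alignment(mail_from, header_from, spf_pass=True, dkim_pass=True):
    """Alignment verdict for one message, assuming SPF and DKIM
    themselves validated (as reported in the thread)."""
    from_dom = domain_of(header_from)
    dkim_d = o365_dkim_d(mail_from, header_from)
    # With a null MAIL FROM, SPF falls back to the HELO identity (not modelled).
    spf_ok = spf_pass and mail_from != "<>" and aligned(domain_of(mail_from), from_dom)
    dkim_ok = dkim_pass and aligned(dkim_d, from_dom)
    return {"dkim_d": dkim_d, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

SHARED = "logistik@main.com"            # constructed shared-mailbox address
CONSULTANT = "consultant@subbrand.com"  # constructed user address

# SendOnBehalf: MAIL FROM and Sender are the consultant, From is the shared mailbox.
on_behalf = dmarc_alignment(mail_from=CONSULTANT, header_from=SHARED)
# SendAs (assumed): consultant identity stripped, MAIL FROM is the shared mailbox.
send_as = dmarc_alignment(mail_from=SHARED, header_from=SHARED)

if __name__ == "__main__":
    print("SendOnBehalf:", on_behalf)
    print("SendAs:      ", send_as)
```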
