So in this scenario, how is O365 denoting the DMARC failures? Is it alerting, or is it something visible only when viewing the message headers?
On Wed, Apr 18, 2018 at 12:48 PM, Ivan Kovachev via dmarc-discuss <[email protected]> wrote: > Hello Roland, > > thank you for the reply. > > I found this on Microsoft's website: > > "If you have configured your domain's MX records where EOP is not the first > entry, DMARC failures will not be enforced for your domain. > If you're an Office 365 customer, and your domain's primary MX record does > not point to EOP, you will not get the benefits of DMARC. For example, DMARC > won't work if you point the MX record to your on-premises mail server and > then route email to EOP by using a connector. " > I guess this is why we are currently not seeing any reports being sent by > Office 365 if it has Mimecast in front of it and as part of the MX record > for receiving domain. > > On 12 Apr 2018, at 20:00, [email protected] wrote: > > Send dmarc-discuss mailing list submissions to > [email protected] > > To subscribe or unsubscribe via the World Wide Web, visit > http://dmarc.org/mailman/listinfo/dmarc-discuss > or, via email, send a message with subject or body 'help' to > [email protected] > > You can reach the person managing the list at > [email protected] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of dmarc-discuss digest..." > > > Today's Topics: > > 1. Re: Mimecast and Office 365 (Roland Turner) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 12 Apr 2018 15:57:20 +0800 > From: Roland Turner <[email protected]> > To: [email protected] > Subject: Re: [dmarc-discuss] Mimecast and Office 365 > Message-ID: <[email protected]> > Content-Type: text/plain; charset="utf-8"; Format="flowed" > > On 11/04/18 22:07, Ivan Kovachev via dmarc-discuss wrote: > > Hello guys, > > I have three questions for you that I am unsure about and hoping that > someone at Microsoft will be able to help: > > First two questions are related to Mimecast acting as inbound security > gateway to O365: > > 1. When Mimecast acts as inbound gateway solution and it receives an > email, it does DMARC checks and lets the email through to O365 > environment. Even if an email passes DMARC checks at Mimecast and the > email is let through, then O365 also seems to also be doing DMARC > checks but both SPF and DKIM fail because of the change that Mimecast > does. As a results DMARC fails. My questions is, what is the best > practice here in this scenario? Is there a way to turn off DMARC > checks at O365? Mimecast suggest that it is whitelisted in O365 but > that means that all the spam will be let through as well. > > > DMARC checking should only occur at the host referred to be the MX > record as SPF is still relevant for at least some email. I believe > Office 365 has a trusted inbound relays option (i.e. Office 365 trusts > the specified hosts to filter their email) although I can't quickly find it. > > Mimecast is apparently unwilling to change their service to stop > damaging incoming messages that don't breach the policies being enforced > (they unconditionally unpack and then repack every message, rather than > only those whose contents they have reason to modify). > > 2. Would O365 send DMARC reports back to the sender in the above case? > And, if O365 sends DMARC reports back to the sender then emails will > be shown as originating from Mimecast but failing DMARC. > > > Yes and yes if you've not listed Mimecast as a trusted inbound relay. > (Assuming that the trusted inbound relays setting is not a figment of my > imagination, one would hope that Office 365 would not set feedback in > this case.) > > 3. Would O365 do DMARC checks for internal emails ie. O365 tenant > employee to another O365 tenant employee? And would it send DMARC > reports in this case? > > > Yes and hopefully yes. > > - Roland > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > <http://dmarc.org/pipermail/dmarc-discuss/attachments/20180412/52e84e2b/attachment-0001.html> > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) > > > ------------------------------ > > End of dmarc-discuss Digest, Vol 72, Issue 2 > ******************************************** > > > > _______________________________________________ > dmarc-discuss mailing list > [email protected] > http://www.dmarc.org/mailman/listinfo/dmarc-discuss > > NOTE: Participating in this list means you agree to the DMARC Note Well > terms (http://www.dmarc.org/note_well.html) -- al iverson // wombatmail // miami http://www.aliverson.com http://www.spamresource.com _______________________________________________ dmarc-discuss mailing list [email protected] http://www.dmarc.org/mailman/listinfo/dmarc-discuss NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
