This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Quarantined Messages / Authentication failure / DMARC

Tino Korth | DrehPunkt GmbH 10 months ago

Hello Sophos Email friends,

I'm struggling with the quarantine because there are lots of emails quarantined by "Authentication failure / DMARC".

As an example I have an email that is OK and that looks pretty good, but it's quarantined by DMARC.

The sending server is OK: https://mxtoolbox.com/SuperTool.aspx?action=mx%3akaffee-partner.de&run=toolpage

SPF is OK: https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage

DMARC is set, but no policy is activated, so it should be OK: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3akaffee-partner.de&run=toolpage

The mail header shows

Authentication-Results: mx-01-eu-central-1.prod.hydra.sophos.com; spf=none smtp.helo=mail2.kaffee-partner.de; dkim=none; dmarc=fail (recordpolicy=none) header.from=kaffee-partner.de

How can I get more informations why the mail was quarantined by DMARC policy?

Best regards

Tino

This thread was automatically locked due to age.

Top Replies

Tom Foucha 10 months ago in reply to Tino Korth | DrehPunkt GmbH +2

In the help docs there are flow charts and logic tables that explain the check of Sender Authentication. I'd suggest reviewing those tables. https://doc.sophos.com/central/Customer/help/en-us/ManageYourProducts…

Parents

0 josepalad 10 months ago

Tino Korth | DrehPunkt GmbH Thank you for posting in the Community.
Can you please provide a screenshot of the DMARC policy setting within the Sophos Email?
Also, I can see that the mail headers show that "SPF=none" but when I check at the SPF checker, the domain does have an SPF record and have a "-all". Was it added after the fact?
The behavior you have seen may have failed because DMARC takes both SPF and DKIM results as its main consideration. So its just not about DMARC records involved here but SPF and DKIM. It seems strange that the "SPF=none" though when there is an SPF record.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 josepalad 10 months ago

Tino Korth | DrehPunkt GmbH Thank you for posting in the Community.
Can you please provide a screenshot of the DMARC policy setting within the Sophos Email?
Also, I can see that the mail headers show that "SPF=none" but when I check at the SPF checker, the domain does have an SPF record and have a "-all". Was it added after the fact?
The behavior you have seen may have failed because DMARC takes both SPF and DKIM results as its main consideration. So its just not about DMARC records involved here but SPF and DKIM. It seems strange that the "SPF=none" though when there is an SPF record.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 josepalad 10 months ago in reply to josepalad

Tino Korth | DrehPunkt GmbH Upon further testing, I think I can replicate your issue. Here's the result on my lab:
Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=none smtp.mailfrom=xxxxxxxxxxx@palad3.com; dkim=none; dmarc=fail (recordpolicy=none) header.from=palad3.com

From the looks of it, this is an expected behavior. AND I would say that it is because DMARC depends on the SPF and DKIM results. So if the domain takes part on DMARC, then they should also have SPF and DKIM entries.
IF you do not agree with this behavior from the Sophos Email DMARC checking, then a workaround would be to create a different policy to apply for the external domain which does not have DMARC checking enabled.
Another is you can get a Technical Support case created to confirm if this is indeed the expected behavior from our DMARC checking.
Regards,
Jose
Cancel
Vote Up 0 Vote Down

Cancel
0 Tino Korth | DrehPunkt GmbH 10 months ago in reply to josepalad

Hello josepalad ,

thanks for your answer!

My "Sender check" settings are ...
Cancel
Vote Up 0 Vote Down

Cancel
0 Tino Korth | DrehPunkt GmbH 10 months ago in reply to josepalad

I've sent an test email again and the mail header is still

Authentication-Results: mx-01-eu-central-1.prod.hydra.sophos.com; spf=none smtp.helo=mail.kaffee-partner.de; dkim=none; dmarc=fail (recordpolicy=none) header.from=kaffee-partner.de
Received-SPF: none receiver=mx-01-eu-central-1.prod.hydra.sophos.com; client-ip=80.149.237.34; envelope-from=<>; helo=mail.kaffee-partner.de;
Cancel
Vote Up 0 Vote Down

Cancel
0 Tino Korth | DrehPunkt GmbH 10 months ago in reply to josepalad

Generelly I'd aggree, but the DMARC policy of the domain is "none".

So it's like there's no DMARC record.

Or are I'm wrong?
Cancel
Vote Up 0 Vote Down

Cancel
+1 Tom Foucha 10 months ago in reply to Tino Korth | DrehPunkt GmbH

In the help docs there are flow charts and logic tables that explain the check of Sender Authentication. I'd suggest reviewing those

tables. https://doc.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/Authentication/SenderChecks/EmailSenderCheckSequence/index.html#sender-checks-flow-chart

Follow the flow chart for the message above -
Cancel
Vote Up +2 Vote Down

Cancel
0 Tino Korth 10 months ago in reply to Tom Foucha

Hello Tom ,

thanks a lot for this interesting structure.

I've tried to go through it but it does not solve my problem.

The pass of header content should be

There is an SPF record published that wants to reject wrong mails: https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage

There is no DKIM record.

There is a DMARC record with no policy: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3akaffee-partner.de&run=toolpage

So I should only get an SPF failure or Deliver result.

Because there is an SPF=none in the mail header I think that SOPHOS is not able to fetch the SPF record correctly?

BR, Tino
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos 10 months ago in reply to Tino Korth

Hello Tino,

Thank you for contacting the Sophos Community, do you happen to have a case open for this? If so can you share the Case ID otherwise please open one and share the Case ID once you have it.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Tino Korth | DrehPunkt GmbH 10 months ago in reply to emmosophos

Hello emmosophos ,

I've created a case now. The case ID is 06631338.

Best regards

Tinoi
Cancel
Vote Up 0 Vote Down

Cancel
0 modezero 10 months ago in reply to Tino Korth

Tino Korth | DrehPunkt GmbH
Perhaps this documentation from Dmarcly.com will shed some light.
https://dmarcly.com/blog/why-spf-authentication-fails-none-neutral-fail-hard-fail-soft-fail-temperror-and-permerror-explained

If you go down to the "SPF none explained" part, it says "SPF none is treated as fail in DMARC: the SPF authentication check fails. This means if DKIM authentication fails too, it fails the final DMARC authentication."
Cancel
Vote Up 0 Vote Down

Cancel
0 modezero 10 months ago in reply to Tino Korth | DrehPunkt GmbH

Tino Korth | DrehPunkt GmbH
I can't seem to post the website that explains how DMARC works.. but its dmarcly(dot)com
but if you go to the "SPF none explained" section... you will see the following:

"SPF none is treated as fail in DMARC: the SPF authentication check fails. This means if DKIM authentication fails too, it fails the final DMARC authentication."

So this is a basically how DMARC behaves from what I can tell.

Regards,
Jose
Cancel
Vote Up 0 Vote Down

Cancel