

Quarantined Messages / Authentication failure / DMARC

Hello Sophos Email friends,

I'm struggling with the quarantine because there are lots of emails quarantined by "Authentication failure / DMARC".

As an example I have an email that is OK and that looks pretty good, but it's quarantined by DMARC.

The sending server is OK: https://mxtoolbox.com/SuperTool.aspx?action=mx%3akaffee-partner.de&run=toolpage 

SPF is OK: https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage

DMARC is set, but no policy is activated, so it should be OK: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3akaffee-partner.de&run=toolpage 

The mail header shows

Authentication-Results: mx-01-eu-central-1.prod.hydra.sophos.com; spf=none smtp.helo=mail2.kaffee-partner.de; dkim=none; dmarc=fail (recordpolicy=none) header.from=kaffee-partner.de

How can I get more information about why the mail was quarantined by DMARC policy?

Best regards

Tino



  •   Thank you for posting in the Community.
    Can you please provide a screenshot of the DMARC policy setting within the Sophos Email? 
    Also, I can see that the mail headers show "SPF=none", but when I check with the SPF checker, the domain does have an SPF record and has a "-all". Was it added after the fact? 
    The behavior you have seen may have failed because DMARC takes both SPF and DKIM results as its main consideration. So it's not just about the DMARC records involved here but also SPF and DKIM. The "SPF=none" seems strange, though, when there is an SPF record.

  •   Upon further testing, I think I can replicate your issue. Here's the result in my lab:
    Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=none smtp.mailfrom=xxxxxxxxxxx@palad3.com; dkim=none; dmarc=fail (recordpolicy=none) header.from=palad3.com

    From the looks of it, this is expected behavior, and I would say that it is because DMARC depends on the SPF and DKIM results. So if the domain takes part in DMARC, then they should also have SPF and DKIM entries.
    If you do not agree with this behavior from the Sophos Email DMARC checking, then a workaround would be to create a different policy to apply for the external domain which does not have DMARC checking enabled.
    Another option is to get a Technical Support case created to confirm if this is indeed the expected behavior from our DMARC checking. 
    Regards,
    Jose


  • I've sent a test email again and the mail header is still

    Authentication-Results: mx-01-eu-central-1.prod.hydra.sophos.com; spf=none smtp.helo=mail.kaffee-partner.de; dkim=none; dmarc=fail (recordpolicy=none) header.from=kaffee-partner.de
    Received-SPF: none receiver=mx-01-eu-central-1.prod.hydra.sophos.com; client-ip=80.149.237.34; envelope-from=<>; helo=mail.kaffee-partner.de;

  • Generally I'd agree, but the DMARC policy of the domain is "none".

    So it's like there's no DMARC record.

    Or am I wrong? 😜
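
An added example, not part of the thread and not Sophos code: a Python parser for the `Authentication-Results` values quoted above that reports which SPF identity was checked and keeps the DMARC evaluation result separate from the published policy. The function names and the simplified alignment check are assumptions made for illustration.

```python
import re

# Authentication-Results values exactly as quoted in the thread above.
SAMPLES = [
    "mx-01-eu-central-1.prod.hydra.sophos.com; spf=none smtp.helo=mail2.kaffee-partner.de; "
    "dkim=none; dmarc=fail (recordpolicy=none) header.from=kaffee-partner.de",
    "mx-01-us-west-2.prod.hydra.sophos.com; spf=none smtp.mailfrom=xxxxxxxxxxx@palad3.com; "
    "dkim=none; dmarc=fail (recordpolicy=none) header.from=palad3.com",
]

def parse_authres(value):
    """Return {method: {"result", "comment", "props"}} for one header value."""
    _authserv, *clauses = [c.strip() for c in value.split(";") if c.strip()]
    methods = {}
    for clause in clauses:
        head = re.match(r"(\w+)=(\w+)", clause)
        if not head:
            continue
        comment = re.search(r"\(([^)]*)\)", clause)
        rest = re.sub(r"\([^)]*\)", " ", clause[head.end():])
        methods[head.group(1)] = {
            "result": head.group(2),
            "comment": dict(re.findall(r"(\w+)=(\w+)", comment.group(1))) if comment else {},
            "props": dict(re.findall(r"([\w.]+)=(\S+)", rest)),
        }
    return methods

def aligned(domain, from_domain):
    # Assumption: parent/child match stands in for a Public Suffix List comparison.
    d, f = domain.lower(), from_domain.lower()
    return bool(d) and (d == f or d.endswith("." + f) or f.endswith("." + d))

def explain(value):
    m = parse_authres(value)
    spf, dkim, dmarc = m["spf"], m.get("dkim", {"result": "none", "props": {}}), m["dmarc"]
    # With a null envelope sender (<>), SPF is checked against the HELO name instead.
    identity = "helo" if "smtp.helo" in spf["props"] else "mailfrom"
    spf_domain = spf["props"].get("smtp." + identity, "").rpartition("@")[2]
    from_domain = dmarc["props"]["header.from"]
    # DMARC needs an SPF or DKIM *pass* on an aligned domain; "none" is not a pass.
    ok = (spf["result"] == "pass" and aligned(spf_domain, from_domain)) or (
        dkim["result"] == "pass" and aligned(dkim["props"].get("header.d", ""), from_domain))
    return {"spf_identity": identity, "spf_domain": spf_domain, "authenticated": ok,
            "dmarc_result": dmarc["result"],
            # Policy is the owner's requested handling on failure, not part of pass/fail.
            "record_policy": dmarc["comment"].get("recordpolicy")}

if __name__ == "__main__":
    print(*map(explain, SAMPLES), sep="\n")
```

For the first header the SPF identity is the HELO name `mail2.kaffee-partner.de`, which matches the `envelope-from=<>` shown in the `Received-SPF` line quoted in the thread. Whether a receiver quarantines a `dmarc=fail` message whose record policy is `none` is a local policy decision that the header itself does not record.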
