Quarantined Messages / Authentication failure / DMARC

 Tino Korth | DrehPunkt GmbH Thank you for posting in the Community.
Can you please provide a screenshot of the DMARC policy setting within the Sophos Email? 
Also, I can see that the mail headers show that "SPF=none" but when I check at the SPF checker, the domain does have an SPF record and have a "-all". Was it added after the fact? 
The behavior you have seen may have failed because DMARC takes both SPF and DKIM results as its main consideration. So its just not about DMARC records involved here but SPF and DKIM. It seems strange that the "SPF=none" though when there is an SPF record.

Hello josepalad ,

thanks for your answer!

My "Sender check" settings are ...

In the help docs there are flow charts and logic tables that explain the check of Sender Authentication. I'd suggest reviewing those

tables. https://doc.sophos.com/central/Customer/help/en-us/ManageYourProducts/EmailSecurity/EmailSecurityPolicy/Authentication/SenderChecks/EmailSenderCheckSequence/index.html#sender-checks-flow-chart

Follow the flow chart for the message above -

Hello Tom ,

thanks a lot for this interesting structure.

I've tried to go through it but it does not solve my problem.

The pass of header content should be

There is an SPF record published that wants to reject wrong mails: https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage 

There is no DKIM record.

There is a DMARC record with no policy: https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3akaffee-partner.de&run=toolpage 

So I should only get an SPF failure or Deliver result.

Because there is an SPF=none in the mail header I think that SOPHOS is not able to fetch the SPF record correctly?

BR, Tino

Hello Tino, 

Thank you for contacting the Sophos Community,  do you happen to have a case open for this? If so can you share the Case ID otherwise please open one and share the Case ID once you have it.

Regards,

Hello emmosophos ,

I've created a case now. The case ID is 06631338.

Best regards

Tinoi

Tino Korth | DrehPunkt GmbH 
Perhaps this documentation from Dmarcly.com will shed some light.
https://dmarcly.com/blog/why-spf-authentication-fails-none-neutral-fail-hard-fail-soft-fail-temperror-and-permerror-explained

If you go down to the "SPF none explained" part, it says "SPF none is treated as fail in DMARC: the SPF authentication check fails. This means if DKIM authentication fails too, it fails the final DMARC authentication."

Tino Korth | DrehPunkt GmbH 
I can't seem to post the website that explains how DMARC works.. but its dmarcly(dot)com 
but if you go to the "SPF none explained" section... you will see the following:

"SPF none is treated as fail in DMARC: the SPF authentication check fails. This means if DKIM authentication fails too, it fails the final DMARC authentication."

So this is a basically how DMARC behaves from what I can tell.

Regards,
Jose

Hello modezero ,

I understand that spf=none will fail the DKIMDMARC checks, but kaffee-partner.de has got a published als valid SPF record:

https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage

So the mail header "SPF=none" is wrong and I think that in this case the SPF check of SOPHOS has got a problem.

The technical support suggested to put the sender domain into the whitelist of our mail setting ... but that's not the right way to solve the issue. ^^

BR, Tino

Hello modezero ,

I understand that spf=none will fail the DKIMDMARC checks, but kaffee-partner.de has got a published als valid SPF record:

https://mxtoolbox.com/SuperTool.aspx?action=spf%3akaffee-partner.de&run=toolpage

So the mail header "SPF=none" is wrong and I think that in this case the SPF check of SOPHOS has got a problem.

The technical support suggested to put the sender domain into the whitelist of our mail setting ... but that's not the right way to solve the issue. ^^

BR, Tino

Tino Korth | DrehPunkt GmbH 
Perhaps the SPF record was not present when the DMARC failed where SPF and DKIM = none.  
Can the issue be replicated again now?
If it can be replicated again, then this is definitely not how SPF result should show since there is indeed an SPF record. 
This is why I asked earlier "Also, I can see that the mail headers show that "SPF=none" but when I check at the SPF checker, the domain does have an SPF record and have a "-all". Was it added after the fact? "