
Mail Flow and DMARC

Hopefully this is a quick question and I totally missed other comments. Current config:

Email Protection - MailFlow is configured via Sophos Central, the O365 rules are there, and all is working as expected.

Question: If I change my public DNS DMARC to quarantine, will O365 catch it first, or does the rule Sophos made still supersede anything that O365 will do? (I can't completely disable O365.)

Question: Do I need the public DNS DMARC, or can I do the same things within Sophos?

A lot of this is answered in discussions, but they seem to go into Email Gateway discussion and don't seem very clear for Mail Flow configurations.

Any clarification is appreciated.



Added TAGs
[edited by: Raphael Alganes at 3:39 AM (GMT -7) on 14 Mar 2024]
  • With MFR - Mailflow - Microsoft handles the first detection, so in theory they could catch DMARC failures first. Rarely do I see people configure the policies for action in Microsoft; they let Sophos handle the failures, quarantine, etc. In my personal domains using MFR, I set my DMARC, SPF and DKIM policies at the Sophos level. In MFR you will see multiple authentication headers because of the different levels.

    The email that I received about this thread (from Central MH):

    Authentication-Results: spf=pass (sender IP is 54.240.6.152) smtp.mailfrom=eu-west-1.amazonses.com; dkim=pass (signature was verified) header.d=mail.community.sophos.com;dmarc=pass action=none header.from=mail.community.sophos.com;compauth=pass reason=100

    Received-SPF: Pass (protection.outlook.com: domain of eu-west-1.amazonses.com designates 54.240.6.152 as permitted sender) receiver=protection.outlook.com; client-ip=54.240.6.152; helo=a6-152.smtp-out.eu-west-1.amazonses.com; pr=C

    From the actual message, because of the connector routing:

    Authentication-Results-Original: spf=pass (sender IP is 54.240.6.152) smtp.mailfrom=eu-west-1.amazonses.com; dkim=pass (signature was verified) header.d=mail.community.sophos.com;dmarc=pass action=none

    Received-Spf: Fail (protection.outlook.com: domain of eu-west-1.amazonses.com does not designate 104.47.70.100 as permitted sender) receiver=protection.outlook.com; client-ip=104.47.70.100; helo=NAM10-BN7-obe.outbound.protection.outlook.com;

    Received-Spf: Pass (protection.outlook.com: domain of eu-west-1.amazonses.com designates 54.240.6.152 as permitted sender) receiver=protection.outlook.com;  client-ip=54.240.6.152; helo=a6-152.smtp-out.eu-west-1.amazonses.com; pr=C

    I personally make it a point to include protection.outlook.com and my Sophos region in my SPF record to reduce failures:

    v=spf1 include:spf.protection.outlook.com include:_spf_uswest2.prod.hydra.sophos.com -all (my instance is in uswest2, so I include that because of processing and routing).

  • This is great info, thank you. Please correct me if I'm wrong. I'm understanding: leave my DMARC record at "=pass" and do its functions within the Sophos Central Email Protection settings. Is there a "how to" for doing the same thing the dmarc= record does? Or is it irrelevant, and I should leave it at "=pass" within Sophos Email Protection? I found some links about it and a discussion where you mention that eventually we should get to "=reject", but I believe that was in a Gateway discussion. My apologies if I'm over-complicating this.

  • The end goal, no matter how you transmit/receive email, should be to get to p=reject, so it is not gateway/MFR dependent. Your record tells the receiver (the person you sent email to) what to do if the message fails authentication. There are only 3 options for DMARC: p=none (don't do anything if the message fails), p=quarantine (quarantine) and p=reject (reject). You have the option in Central Email to Conform to Sender Policy, which says to honor what the sender's DMARC record is (if it is p=reject then reject the message), or you can choose to "override" the recommendation from the sender and accept or quarantine the message.

    Your DMARC record tells other people what to do with the email you are sending. Their DMARC records tell you what to do with the email you are receiving.

  • Thank you so much Mr. Foucha. Perfect explanation. I thought it was telling O365 what to do with it on its way in as well.
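As an added example (not code from any poster in this thread), the script below parses the per-hop headers quoted in the first reply and applies the three DMARC policy values from the policy explanation. The sample headers are copied from the quoted message; the `override` argument is an assumed model of the Central Email "Conform to Sender Policy" versus "override" choice, not the product's own API.

```python
import re

# Constructed sample: the Authentication-Results-Original and the two Received-Spf
# headers quoted in this thread. Headers are prepended per hop, so the first
# Received-Spf (Fail, 104.47.70.100) is the connector hop into M365, the second
# (Pass, 54.240.6.152) is the original sending MTA.
SAMPLE_HEADERS = """\
Authentication-Results-Original: spf=pass (sender IP is 54.240.6.152) smtp.mailfrom=eu-west-1.amazonses.com; dkim=pass (signature was verified) header.d=mail.community.sophos.com;dmarc=pass action=none
Received-Spf: Fail (protection.outlook.com: domain of eu-west-1.amazonses.com does not designate 104.47.70.100 as permitted sender) receiver=protection.outlook.com; client-ip=104.47.70.100; helo=NAM10-BN7-obe.outbound.protection.outlook.com;
Received-Spf: Pass (protection.outlook.com: domain of eu-west-1.amazonses.com designates 54.240.6.152 as permitted sender) receiver=protection.outlook.com;  client-ip=54.240.6.152; helo=a6-152.smtp-out.eu-west-1.amazonses.com; pr=C
"""

def parse_headers(raw):
    """Return (name, value) pairs in order; repeated names such as Received-Spf are kept."""
    out = []
    for line in raw.splitlines():
        name, _, value = line.partition(":")
        if name and value:
            out.append((name.strip().lower(), value.strip()))
    return out

def spf_hops(headers):
    """One entry per Received-Spf header: result, client IP and HELO name of that hop."""
    hops = []
    for name, value in headers:
        if name != "received-spf":
            continue
        ip = re.search(r"client-ip=([\d.]+)", value)
        helo = re.search(r"helo=([^\s;]+)", value)
        hops.append({"result": value.split(None, 1)[0].lower(),
                     "client_ip": ip.group(1) if ip else None,
                     "helo": helo.group(1) if helo else None})
    return hops

def original_auth(headers):
    """spf/dkim/dmarc verdicts from Authentication-Results-Original, i.e. the
    evaluation done at the first hop before connector routing changed the sending IP."""
    for name, value in headers:
        if name == "authentication-results-original":
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    return {}

def dmarc_disposition(record, dmarc_result, override=None):
    """Disposition for a message given the sender's DMARC TXT record.
    override=None honours the sender's p= tag (Conform to Sender Policy);
    override='accept' or 'quarantine' replaces the sender's recommendation (assumed model)."""
    if dmarc_result == "pass":
        return "accept"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if override:
        return override
    return {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[tags.get("p", "none")]
```

Running `spf_hops` on the sample shows why the connector hop fails SPF while the original verdict passes: the sender's SPF record lists the Amazon SES IP, not the outbound.protection.outlook.com relay, which is exactly what the `include:spf.protection.outlook.com` suggestion above addresses for your own domain.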