Sophos Email customers using IP-based mailflow rule connectors must migrate to certificate-based configuration by March 31st. To see if you're affected Click Here.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail Flow and DMARC's

Hopefully this is a quick question and I totally missed other comments.  Current config

Email Protection - MailFlow is configured via Sophos Central and O365 rules are there and all is working as expected

Question: If I change my Public DNS DMARC to quarantine will O365 catch it first or does that rule Sophos made still supersede anything that O365 will do (Can't completely disable O365)

Question:  Do I need the public DNS DMARC or can I do the same things within Sophos?

A lot of this is answered in discussions but they seem to go into Email Gateway discussion but doesn't seem very clear in Mail Flow configurations.

Any clarification is apricated. 

This thread was automatically locked due to age.
  • With MFR - Mailflow - Microsoft handles the first detection so in theory they could catch DMARC failures first. Rarely do I see people configure the policies for action in Microsoft and they let Sophos handle the failures and quarantine etc. In my personal domains using MFR I set my DMARC, SPF and DKIM policies at the Sophos level. In MFR you will see multiple authentication headers because of the different levels.

    The email that I received about this thread (from Central MH)

    Authentication-Results: spf=pass (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none;compauth=pass reason=100

    Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;; pr=C

    From the actual message because of the connector routing

    Authentication-Results-Original: spf=pass (sender IP is; dkim=pass (signature was verified);dmarc=pass action=none

    Received-Spf: Fail ( domain of does not designate as permitted sender); client-ip=;;

    Received-Spf: Pass ( domain of designates as permitted sender);  client-ip=;; pr=C

    I personally make it point to include and my sophos region in my SPF record to reduce failures:

    v=spf1 -all" (my instance is in uswest2 so I include that because of processing and routing.

  • This is great info, thank you.  Please correct me if I'm wrong.  I'm understanding, leave my DMRC record to "=pass" and do it's functions within Sophos Central Email Protection settings.  Is there a "how to" do the same thing the dmarc= record does? or that it's irrelevent to and to leave it as "=pass" within Sophos Email Protection?  I found some links about it and a discussion where you mention that eventually we should get to "=reject" but I believe that was in a Gateway discussion.  My apologies if I'm over complicating this.

  • The end goal no matter how you transmit/receive email should be to get to p=reject so it is not gateway/MFR dependant. Your record tells the receiver (the person you sent email to) what to do if the message fails authentication. There are only 3 options for DMARC p=none, don't do anything if the message fails, p=quarantine (quarantine) p=reject (reject). You have the option in Central Email to Conform to Sender Policy which says to honor what the senders DMARC record is, if it is p=reject then reject the message, or you can chose to "override" the recommendation from the sender and accept or quarantine the message.

    Your DMARC record tells other people what to do with your email that you are sending. Their DMARC records tells you what to do with the email you are receiving.

  • Thank you so much Mr. Foucha.  Perfect explanation.  I thought it was telling O365 what to do with it on it's way in as well.

Reply Children
No Data