Patrick_Ding -
Authentication-Results: spf=fail (sender IP is XX.XX.XX.XX) smtp.mailfrom=BBB.com; dkim=pass (signature was verified) header.d=AAA.onmicrosoft.com;dmarc=fail action=oreject header.from=BBB.com;compauth=fail reason=000
Received-SPF: Fail (protection.outlook.com: domain of BBB.com does not designate XX.XX.XX.XX as permitted sender)
These auth results tell me this:
- DKIM signature is AAA.onmicrosoft.com; was the email originally DKIM signed by BBB.com?
If yes, was anything done on AAA.com that could invalidate that DKIM signature? (modifying subject/body/protected header)
- MailFrom was still BBB.com when landing on final recipient who rejects.
I would expect SRS to rewrite spf to AAA.com as long as auth passed on inbound for BBB.com.
I'd say most likely BBB.com auth failed on inbound and that caused AAA.com tenant to send this via Relay Pool: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-high-risk-delivery-pool-about?view=o365-worldwide#relay-pool
This is more of an issue with overall BBB.com outbound email auth, won't fix DMARC rejection as SRS will mean MailFrom domain no longer aligns with HeaderFrom.
Hope this helps point you in the right direction. If more help is needed, PM me an NDR with original headers and I can have another look and perhaps give more details.
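Added example, not part of the original post: a small Python check that re-derives the DMARC verdict from an Authentication-Results value by testing whether any passing SPF or DKIM identifier aligns with header.from. The function names and the two-label organizational-domain shortcut are assumptions of this example; the sample value is the header quoted above with the redacted IP left as a placeholder.

```python
import re

# Constructed sample: the header value quoted in the post, redacted IP kept as a placeholder.
POST_HEADER = (
    "spf=fail (sender IP is XX.XX.XX.XX) smtp.mailfrom=BBB.com; "
    "dkim=pass (signature was verified) header.d=AAA.onmicrosoft.com;"
    "dmarc=fail action=oreject header.from=BBB.com;compauth=fail reason=000"
)

def parse_auth_results(value):
    """Return [(method, result, {property: value})] for a header value (field name excluded)."""
    value = re.sub(r"\([^)]*\)", " ", value)        # drop (comments) before splitting
    clauses = []
    for clause in value.split(";"):
        m = re.match(r"\s*([\w-]+)=(\w+)", clause)
        if m:                                        # a leading authserv-id has no '=' and is skipped
            props = dict(re.findall(r"([\w.-]+)=(\S+)", clause[m.end():]))
            clauses.append((m.group(1).lower(), m.group(2).lower(), props))
    return clauses

def org_domain(domain):
    # Assumption: last two labels stand in for the organizational domain.
    # A real DMARC evaluator uses the Public Suffix List here.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(value):
    """Report which identifier, if any, passes AND aligns (relaxed) with header.from."""
    clauses = parse_auth_results(value)
    header_from = next((p["header.from"] for m, _, p in clauses
                        if m == "dmarc" and "header.from" in p), "")

    def aligned_pass(method, prop):
        for m, result, p in clauses:                 # several dkim= clauses may be present
            dom = p.get(prop, "").rpartition("@")[2]
            if (m == method and result == "pass" and dom and header_from
                    and org_domain(dom) == org_domain(header_from)):
                return True
        return False

    spf_ok = aligned_pass("spf", "smtp.mailfrom")
    dkim_ok = aligned_pass("dkim", "header.d")
    return {"header_from": header_from, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(dmarc_alignment(POST_HEADER))
```

On the quoted header this reports no aligned identifier: SPF fails outright, and the DKIM pass is for AAA.onmicrosoft.com, which does not align with header.from BBB.com.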