Forum Discussion
Header Envelope Fields And Tracking
Not sure if I am asking this on the proper site, but I learned a little more about what we are seeing from the DMARC reports. I would like to thank outlook[.]com for the details they include.
We had dozens of messages sent to domains being hosted on outlook[.]com, which had Domain3 reflecting our security gateway and the "scope" reporting as HELO. To many of these domains, we have not sent an email for at least a month. Fortunately, I did find a couple that we sent emails to, and one domain to which an email was sent on the same day as this DMARC report.
So, this DMARC report had three entries for this recipient domain, two HELOs and one that seems to match the actual email sent. Now, it seems to me that our Exchange Server is, at some interval, sending HELO connections to domains that we emailed in the past, even if it is beyond 30 days. Since these are not regular email messages or connections with an Envelope From, the sending domain or Domain3 is changed to the last server in the connection.
This theory should be tested. So, my new question is how can I find, track, and/or discover these HELO connections? I reviewed Event Viewer to no avail. I cannot find a suitable Exchange Management Shell cmdlet to do this.
Does anyone have a suggestion to locate and review these HELO connections? Thanks in advance.
Justin
We adjusted our HELO DNS A records and PTR records. We also created a macro SPF lookup specifically for the HELO connections. I will continue to track our DMARC results in hopes that the above will fix our SPF failures.
Justin
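An added example, not part of the original posts: one way to pull the HELO-scoped SPF rows out of a DMARC aggregate report so they can be tracked per source IP and HELO name over time. The report below is constructed, with placeholder domains and addresses, and the parser assumes the RFC 7489 element names without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the RFC 7489 aggregate layout; names and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from></identifiers>
    <auth_results><spf><domain>gateway.sender.example</domain><scope>helo</scope><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>sender.example</header_from><envelope_from>sender.example</envelope_from></identifiers>
    <auth_results><spf><domain>sender.example</domain><scope>mfrom</scope><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def spf_by_scope(report_xml):
    """Sum message counts per (scope, SPF domain, source IP, SPF result)."""
    totals = defaultdict(int)
    # Reports come from third parties; in production parse them with a hardened
    # XML parser (for example the defusedxml package) instead of the stdlib one.
    root = ET.fromstring(report_xml)
    for record in root.iter("record"):
        ip = record.findtext("row/source_ip", default="?").strip()
        count = int(record.findtext("row/count", default="0"))
        for spf in record.iterfind("auth_results/spf"):
            # <scope> is optional; RFC 7489 defines the values "helo" and "mfrom".
            scope = (spf.findtext("scope") or "unspecified").strip().lower()
            domain = (spf.findtext("domain") or "").strip().lower()
            result = (spf.findtext("result") or "").strip().lower()
            totals[(scope, domain, ip, result)] += count
    return dict(totals)

def helo_failures(report_xml):
    """Rows where SPF was evaluated against the HELO name and did not pass."""
    return {key: n for key, n in spf_by_scope(report_xml).items()
            if key[0] == "helo" and key[3] != "pass"}

if __name__ == "__main__":
    for (scope, domain, ip, result), n in sorted(spf_by_scope(SAMPLE_REPORT).items()):
        print(f"{scope:6} {domain:26} {ip:15} {result:5} x{n}")
```

Running it over each day's reports shows whether the HELO-scoped failures shrink after a DNS or SPF change such as the one described in the follow-up.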