Forum Discussion
SPF, DKIM and DMARC bypassed for guest users
Can you share an example NDR/headers?
Guest users do have a matching recipient object (Mail user/Guest mail user) within Exchange Online and so messages will be "resolved" to it first, then sent to where the ExternalEmailAddress points at. This however should not result in bypassing SPF and such, unless you have some fancy routing configured, or the message passes through multiple other MTAs before reaching the recipient.
- David_Goll, Aug 27, 2025, Copper Contributor
I've tried to reply three times without success. First with headers as text (that failed immediately), then with links to the headers on OneDrive (moderation black hole), and finally with headers as screenshots (another moderation black hole). If there's a trick to posting a reply with email headers, let me know.
- David_Goll, Aug 27, 2025, Copper Contributor
You are correct. I jumped to the wrong conclusion when I thought I saw a pattern. I tried it again with my personal Gmail account added as a guest user, and those emails go through. That said, I still have the problem with other Gmail addresses bouncing.
The NDR headers:
And here are headers from a message sent to both my test guest user and one of the problematic guest users. The delivery to the former has since bounced.
Any ideas for next steps?
- David_Goll, Aug 26, 2025, Copper Contributor
It seems you are correct. My conclusion that it was specific to guest users was incorrect. I added my personal Gmail account as a guest user and it receives emails with SPF/DKIM/DMARC intact. That said, there's still the problem with other guest users' messages bouncing due to timing out trying to reach the gmail.com domain. I have not knowingly done any fancy routing.
The headers from an NDR: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/EWOshJ4R13dCvKm6RlGWEjEBEZyO1pQx_1s0RSCEfGmMrQ?e=Hwh5ib
The headers from an email sent to both my test guest user and the problematic guest user: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/Ebgv_CPUhMxChHMW36bfXvEBAE4kDz12Ow-jJakpJvw6cw?e=CN7LLd (I got these headers from the email successfully delivered to the test user; the problematic guest user has not received the email and I expect it to bounce)
- David_Goll, Aug 26, 2025, Copper Contributor
Okay, I was premature in saying it was all guest users. Messages to my own Gmail account that I temporarily added as a guest user do go through. There goes that theory. That said, several other guest users exhibit this issue. I haven't set up any fancy routing configuration.
https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/EWOshJ4R13dCvKm6RlGWEjEBEZyO1pQx_1s0RSCEfGmMrQ?e=Hwh5ib (the message had timed out after no reply from domain gmail.com)
https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/Ebgv_CPUhMxChHMW36bfXvEBAE4kDz12Ow-jJakpJvw6cw?e=CN7LLd The message was delivered to the former and not to the latter (but I don't have that NDR yet).