Forum Discussion
SPF, DKIM and DMARC bypassed for guest users
Can you share an example NDR/headers?
Guest users do have a matching recipient object (Mail user/Guest mail user) within Exchange Online and so messages will be "resolved" to it first, then sent to where the ExternalEmailAddress points at. This however should not result in bypassing SPF and such, unless you have some fancy routing configured, or the message passes through multiple other MTAs before reaching the recipient.
It seems you are correct. My conclusion that it was specific to guest users was incorrect. I added my personal gmail account as a guest user and it receives emails with SPF/DKIM/DMARC intact. That said, there's still the problem with other guest users' messages bouncing due to timing out trying to reach the gmail.com domain. I have not knowingly done any fancy routing.
The headers from an NDR: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/EWOshJ4R13dCvKm6RlGWEjEBEZyO1pQx_1s0RSCEfGmMrQ?e=Hwh5ib
The headers from an email sent to both my test guest user and the problematic guest user: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/Ebgv_CPUhMxChHMW36bfXvEBAE4kDz12Ow-jJakpJvw6cw?e=CN7LLd (I got these headers from the email successfully delivered to the test user; the problematic guest user has not received the email and I expect it to bounce)
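One way to check raw headers for the two conditions named in the first reply (extra MTAs on the path, and an SPF verdict that changes between them). This is an added example, not posted by either participant; the sample headers, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample (hypothetical hosts): one relay forwards the message on,
# so the final receiver sees the relay's IP and SPF no longer passes.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example;
\tdmarc=pass header.from=sender.example
Received: from mail.sender.example (mail.sender.example [198.51.100.4])
\tby relay.example.net with ESMTPS; Tue, 02 Jan 2024 10:00:01 +0000
Authentication-Results: relay.example.net;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example;
\tdmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
"""

VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def auth_results(raw):
    """Return [(authserv-id, {method: verdict})], newest header first."""
    msg = message_from_string(raw)
    out = []
    for value in msg.get_all("Authentication-Results", []):
        authserv = value.split(";", 1)[0].strip()
        out.append((authserv, {m.lower(): v.lower() for m, v in VERDICT.findall(value)}))
    return out

def hop_count(raw):
    """Number of Received headers, one per hop that handled the message."""
    return len(message_from_string(raw).get_all("Received", []))

def spf_lost_in_transit(raw):
    """authserv-ids that saw SPF not pass after an earlier hop recorded pass."""
    lost, seen_pass = [], False
    for authserv, verdicts in reversed(auth_results(raw)):  # oldest hop first
        spf = verdicts.get("spf")
        if spf == "pass":
            seen_pass = True
        elif spf is not None and seen_pass:
            lost.append(authserv)
    return lost

if __name__ == "__main__":
    print(hop_count(SAMPLE), auth_results(SAMPLE), spf_lost_in_transit(SAMPLE))
```

Run it against headers saved from a delivered message to see which receiving server recorded which verdict.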