Forum Discussion
SPF, DKIM and DMARC bypassed for guest users
I manage a small non-profit using Microsoft 365 Business Basic. Most of the people on our board of directors are added as unlicensed guest users so that they can participate in Teams chats and meetings and access our SharePoint without using up a license.
The problem: any email sent from an internal licensed user (or shared mailbox) to one of these guest users completely bypasses our domain's SPF, DKIM and DMARC configuration, resulting in bounced emails (particularly for recipients using Gmail).
Mail sent from an internal licensed user to any external address NOT registered as a guest user correctly passes SPF, DKIM and DMARC checks.
I gather that this is because guest users are viewed as "internal" despite having external email addresses, but it seems like a serious limitation if I cannot reliably send email to anyone who is a guest user.
Is there any extra configuration I can do to enable SPF, DKIM and DMARC for email to guest users?
5 Replies
Can you share an example NDR/headers?
Guest users do have a matching recipient object (Mail user/Guest mail user) within Exchange Online, and so messages will be "resolved" to it first, then sent to wherever the ExternalEmailAddress points. This however should not result in bypassing SPF and such, unless you have some fancy routing configured, or the message passes through multiple other MTAs before reaching the recipient.
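Once the headers are available, the two things worth reading off them are the Authentication-Results verdicts (and whether the From domain actually aligns with the SPF or DKIM domain, which is what DMARC checks) and the Received chain, which shows whether the message passed through extra MTAs. The script below is an added example and not code from anyone in this thread; the two header blocks are constructed samples, not the poster's real headers, and the host names and addresses in them are made up.

```python
"""Read SPF/DKIM/DMARC verdicts and the delivery path from raw email headers."""
import re
from email import message_from_string

# Constructed sample: a message that passed all three checks and crossed two MTAs.
SAMPLE_PASS = """Received: from mta2.example.net (192.0.2.20) by mx.example.com (198.51.100.5)
 with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mta1.example.net (192.0.2.10) by mta2.example.net (192.0.2.20)
 with ESMTPS id def456; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 192.0.2.20) smtp.mailfrom=example.org;
 dkim=pass (signature was verified) header.d=example.org;
 dmarc=pass action=none header.from=example.org
From: Board Admin <admin@example.org>
To: guest@example.com
Subject: constructed test message

(body omitted)
"""

# Constructed sample: SPF failed and the DKIM signature belongs to a different
# domain than the From header, so DMARC is not aligned and fails.
SAMPLE_FAIL = """Received: from relay.example.net (192.0.2.30) by mx.example.com (198.51.100.5)
 with ESMTPS id ghi789; Mon, 1 Jan 2024 11:00:00 +0000
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 192.0.2.30) smtp.mailfrom=example.org;
 dkim=pass (signature was verified) header.d=example.net;
 dmarc=fail action=quarantine header.from=example.org
From: Board Admin <admin@example.org>
To: guest@example.com
Subject: constructed test message

(body omitted)
"""

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
TAG_RE = re.compile(r"\b(smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)")


def parse_auth_results(raw_message: str) -> dict:
    """Return the spf/dkim/dmarc verdicts and the domains each was evaluated against."""
    msg = message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        text = str(value)  # folded header lines are kept; the regexes do not care
        for mech, verdict in VERDICT_RE.findall(text):
            results[mech] = verdict.lower()
        for tag, domain in TAG_RE.findall(text):
            results[tag] = domain.lower()
    return results


def is_dmarc_aligned(results: dict) -> bool:
    """Relaxed DMARC alignment: the From domain must match (or be a subdomain of)
    the SPF MAIL FROM domain or the DKIM d= domain, and that mechanism must pass."""
    from_domain = results.get("header.from")
    if not from_domain:
        return False

    def aligned(domain):
        return bool(domain) and (
            domain == from_domain
            or from_domain.endswith("." + domain)
            or domain.endswith("." + from_domain)
        )

    spf_ok = results.get("spf") == "pass" and aligned(results.get("smtp.mailfrom"))
    dkim_ok = results.get("dkim") == "pass" and aligned(results.get("header.d"))
    return spf_ok or dkim_ok


def received_hops(raw_message: str) -> list:
    """Return (from_host, by_host) pairs in delivery order, oldest hop first.
    Received headers are prepended by each MTA, so the first one is the newest."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and collapse whitespace
        m = re.match(r"from (\S+).*? by (\S+)", text)
        if m:
            hops.append((m.group(1), m.group(2)))
    hops.reverse()
    return hops


if __name__ == "__main__":
    for label, sample in (("pass", SAMPLE_PASS), ("fail", SAMPLE_FAIL)):
        verdicts = parse_auth_results(sample)
        print(label, verdicts, "aligned:", is_dmarc_aligned(verdicts))
        print("  path:", " -> ".join(h[0] for h in received_hops(sample)), "->", received_hops(sample)[-1][1])
```

Paste the real headers (from the NDR, or from the copy delivered to the working guest address) in place of the constructed samples. A chain with more hops than expected, or a DKIM d= domain that is not the sending domain, points at the routing or relaying explanation in the reply above rather than at the guest-user object itself.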
- David_Goll (Copper Contributor)
I've tried to reply three times without success. First with headers as text (that failed immediately), then with links to the headers on OneDrive (moderation black hole), and finally with headers as screenshots (another moderation black hole). If there's a trick to posting a reply with email headers, let me know.
- David_Goll (Copper Contributor)
You are correct. I jumped to the wrong conclusion when I thought I saw a pattern. I tried it again with my personal Gmail account added as a guest user, and those emails go through. That said, I still have the problem with other Gmail addresses bouncing.
The NDR headers:
And here are headers from a message sent to both my test guest user and one of the problematic guest users. The delivery to the former has since bounced.
Any ideas for next steps?
- David_Goll (Copper Contributor)
It seems you are correct. My conclusion that it was specific to guest users was incorrect. I added my personal Gmail account as a guest user and it receives emails with SPF/DKIM/DMARC intact. That said, there's still the problem with other guest users' messages bouncing due to timing out while trying to reach the gmail.com domain. I have not knowingly done any fancy routing.
The headers from an NDR: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/EWOshJ4R13dCvKm6RlGWEjEBEZyO1pQx_1s0RSCEfGmMrQ?e=Hwh5ib
The headers from an email sent to both my test guest user and the problematic guest user: https://edistoartguild-my.sharepoint.com/:t:/p/davidgoll/Ebgv_CPUhMxChHMW36bfXvEBAE4kDz12Ow-jJakpJvw6cw?e=CN7LLd (I got these headers from the email successfully delivered to the test user; the problematic guest user has not received the email and I expect it to bounce)