Authentication-Results-Original email header

Copper Contributor

emails from my tenant have started getting the below

 

Authentication-Results-Original: dkim=none (message not signed)
header.d=none;dmarc=none action=none header.from=domain.com;

 

as well as

Authentication-Results: spf=pass (sender IP is xx.xx..xx.xx)
smtp.mailfrom=domain.com; dkim=pass (signature was verified)
header.d=domain.com;dmarc=pass action=none
header.from=domain.com;compauth=pass reason=100

 

All the email are reported as failing SPF and DKIM, do anyone know how can I fix this?

6 Replies

Hi @cristinapalomino,

Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are email authentication mechanisms that help to prevent email spoofing and phishing. SPF verifies the sender's IP address, while DKIM verifies the sender's domain name.

 

You are experiencing email authentication issues with SPF and DKIM for your tenant's email domain. This means that some of your emails may be failing SPF and DKIM checks, which can lead to your emails being blocked or marked as spam.

 

To fix these issues, you need to ensure that your SPF and DKIM records are correctly configured. You can do this by following these steps:

  1. Check your SPF records. Make sure that your SPF records include all of the IP addresses that are authorized to send email on behalf of your domain. You can use a tool like the Microsoft 365 Domain Record Checker to test your SPF records.
  2. Check your DKIM records. Make sure that your DKIM records are correctly configured and that the DKIM signature in your email headers is valid. You can use a tool like the DKIM Signature Checker to test your DKIM records.
  3. Configure your DMARC policy. DMARC is an email authentication protocol that allows you to specify what should happen to emails that fail SPF and DKIM checks. You can use the DMARC Record Generator to create a DMARC record for your domain.
  4. Check DNS Configuration: Review your DNS records for the domain and ensure they are accurate and up-to-date. Make sure that your DKIM and SPF records are correctly published.

Once you have made the necessary changes to your SPF, DKIM, and DMARC records, you need to monitor your email authentication results to ensure that your emails are passing all of the checks.

Here are some additional links for reference:



Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

Thank you @LeonPavesic for your reply. However, I'm trying to find out why this issue is happening.
I set up SPF, DKIM and DMARC correctly but for some reason the two headers I added above are adding to my emails making SPF and DKIM fail depending what header is read.
When I analyse headers with MSToolbox, it shows valid SPF and DKIM but it shows as SPF none and DKIM none when I check on MS365 Defender > Explorer (see attachment)

Hi @cristinapalomino,

thanks for your update and the screenshot.

The image you sent shows that your email is failing DMARC validation. This is likely because your tenant's DMARC policy is set to p=reject and your domain does not pass DMARC verification.

There are two things you can do to fix this problem:

  1. Ensure that your domain passes DMARC verification. You can do this by checking your SPF and DKIM records and making sure that they are correctly configured. You can also use a tool like the Microsoft DMARC Record Generator to create a DMARC record for your domain.
  2. Change your tenant's DMARC policy to p=quarantine. This will prevent your emails from being rejected, but they will still be quarantined and reviewed by Microsoft.



 

The articles Authenticate Outbound Email to Improve Deliverability - Microsoft Community Hub and Announcing New DMARC Policy Handling Defaults for Enhanced Email Security - Microsoft Community Hub state that Microsoft has rolled-out out new DMARC policy handling defaults to enhance email security. With the new policy, Microsoft will now reject emails that fail DMARC validation if the sender's policy is set to p=reject or p=quarantine.

This means that if you do not fix the problem with your DMARC validation, your emails will be rejected by Microsoft.

I recommend that you fix the problem with your DMARC validation as soon as possible. This will help to ensure that your emails are delivered to your recipients.

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic (
LinkedIn)

Hi, thank you again @LeonPavesic 

I've checked SPF, DKIM and DMARC config and everything is correct. I've added the results from mxtoolbox analyse header, my domain as you can see pass SPF, DKIM and DMARC. However it doesn't when I check on MS Defender, as shown in the screenshot I attached earlier. 

 

Comparing a few email headers, it looks like MS Defender was taking results from ''Authentication-Results-Original" rather than from "Authentication-Results"

Finally, a really professional answer would be required instead of pushing standard HowTos to hunt for community achievements ..... and silence.
What a shame.

Authentication-Results-Original are from previous mail server. Authentication-Results are results of last receiving servers' email auth checks.
You can paste email header into dmarctester.com and find the status of SPF,DKIM and DMARC.
MXToolBox Message Analyzer has a known issue where it usually fails DKIM.