Home

DMARC failure on forwarded SharePoint Online emails

%3CLINGO-SUB%20id%3D%22lingo-sub-143879%22%20slang%3D%22en-US%22%3EDMARC%20failure%20on%20forwarded%20SharePoint%20Online%20emails%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-143879%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EHey%2C%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EI%20have%20a%20number%20of%20Exchange%20Online%20mailboxes%20set%20to%20forward%20to%26nbsp%3Bdifferent%26nbsp%3BGmail%20and%20Outlook.com%20addresses%20via%26nbsp%3Bmail%20flow%20configuration.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFrom%20Monday%20(08%2F10%2F2018)%2C%20all%20forwarded%20mail%20from%20no-reply%40sharepointonline.com%20(the%20default%20from-address%20of%20SharePoint%20Online%20used%20for%20alerts%20and%20workflow%20email)%20has%20ended%20up%20in%20the%20spam%2Fjunk%20folder%20of%26nbsp%3Bthe%20recipient%20account.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIt%20appears%20that%20the%20forwarded%20mails%20are%20failing%20DMARC%20so%20are%20being%20quarantined%20by%20the%20recipient%20mailbox.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHeader%3A%3C%2FP%3E%0A%3CPRE%3EAuthentication-Results%3A%20spf%3Dpass%20(sender%20IP%20is%20213.199.154.180)%0Asmtp.mailfrom%3Dmytenant.onmicrosoft.com%3B%20outlook.com%3B%20dkim%3Dpass%20(signature%20was%0Averified)%20header.d%3Dmytenant.onmicrosoft.com%3Boutlook.com%3B%20dmarc%3Dfail%0Aaction%3Doreject%20header.from%3Dsharepointonline.com%3B%0A%0AReceived-SPF%3A%20Pass%20(protection.outlook.com%3A%20domain%20of%20mytenant.onmicrosoft.com%0Adesignates%20213.199.154.180%20as%20permitted%20sender)%0Areceiver%3Dprotection.outlook.com%3B%20client-ip%3D213.199.154.180%3B%0Ahelo%3DEUR01-DB5-obe.outbound.protection.outlook.com%3B%3C%2FPRE%3E%0A%3CP%3EThe%20way%20I%20understand%20it%2C%20DKIM%20and%20SPF%20are%20passing%20but%20DMARC%20is%20failing%20because%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Eheader.d%26nbsp%3B%3C%2FEM%3Eaddress%20does%20not%20match%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CEM%3Eheader.from%3C%2FEM%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eaddress.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIs%20that%20about%20right%3F%20Is%20there%20any%20way%20around%20this%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20understand%20that%20I%20need%20to%20add%20a%20DKIM%20record%20for%20sharepointonline.com%20to%20my%20domain%20but%20I'm%20just%20using%20the%20default%20mytenant.onmicrosoft%20domain.%20I'm%20not%20using%20a%20custom%20domain.%20Surely%20Microsoft%20should%20have%20configured%20this%20already%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20any%20help.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-143879%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Will Speirs Lewis
Regular Visitor

Hey,

 

I have a number of Exchange Online mailboxes set to forward to different Gmail and Outlook.com addresses via mail flow configuration. 

 

From Monday (08/10/2018), all forwarded mail from no-reply@sharepointonline.com (the default from-address of SharePoint Online used for alerts and workflow email) has ended up in the spam/junk folder of the recipient account.

 

It appears that the forwarded mails are failing DMARC so are being quarantined by the recipient mailbox.

 

Header:

Authentication-Results: spf=pass (sender IP is 213.199.154.180)
smtp.mailfrom=mytenant.onmicrosoft.com; outlook.com; dkim=pass (signature was
verified) header.d=mytenant.onmicrosoft.com;outlook.com; dmarc=fail
action=oreject header.from=sharepointonline.com;

Received-SPF: Pass (protection.outlook.com: domain of mytenant.onmicrosoft.com
designates 213.199.154.180 as permitted sender)
receiver=protection.outlook.com; client-ip=213.199.154.180;
helo=EUR01-DB5-obe.outbound.protection.outlook.com;

The way I understand it, DKIM and SPF are passing but DMARC is failing because the header.d address does not match the header.from address.

 

Is that about right? Is there any way around this?

 

I understand that I need to add a DKIM record for sharepointonline.com to my domain but I'm just using the default mytenant.onmicrosoft domain. I'm not using a custom domain. Surely Microsoft should have configured this already?

 

Thanks for any help.

Related Conversations