Ignoring SPF & DMARC failures

Brass Contributor

One or our external website pages is used to submit content and leverages SendMail to route to internal team members.   


We use the submitter's email address as the from address, and not surprisingly some emails are failing SPF/DMARC as their domain have not specified that our site's IP is on their list of senders.   


I want to make sure that these messages are not considers spam/phishing etc when they are evaluated coming into our environment - what is the best way to do that?




3 Replies

Apart from adjusting the SPF record you mean? You can whitelist the sending IPs, which I imagine might be a lot (or might change in the future). Or you can create a transport rule based on some other criteria that helps you identify those messages, and set the action to bypass spam filtering.

@Vasil Michev - I can't update the SPF list - as it's each domain's SPF record that would have to be adjusted - .e.g if someone from Microsoft submits something, the Microsoft SPF record would have to allow sending from my IP address.   


I should have mentioned that I do already have a transport rule that sets the SCL level of any message sent to the shared email address to -1.   


Is there anything else that I can do to ensure deliver even if the SPF/DMARC checks fail?   Will a SCL of -1 ensure that all email is delivered in this situation?



That rule should be sufficient, as long as it actually captures all messages sent this way.