Forum Discussion

Robert Woods
Steel Contributor
Jul 11, 2018

Spoofed email from @microsoft.com landed in my VP's inbox.

Spoofed email from @microsoft.com landed in my VP's inbox. How? Headers indicate DMARC failure, but Microsoft's Reject Policy was not respected by their own servers, then the mail was delivered directly to the inbox. He had an aneurysm.

 

Headers below if anyone cares to help me figure out why it did not get rejected per Microsoft's DMARC Policy. 

 

 

Received: from DM5PR04MB0954.namprd04.prod.outlook.com (2603:10b6:910:4f::15)
by CY4PR04MB0952.namprd04.prod.outlook.com with HTTPS via
CY4PR04CA0050.NAMPRD04.PROD.OUTLOOK.COM; Tue, 10 Jul 2018 17:42:15 +0000
Received: from SN4PR0401CA0040.namprd04.prod.outlook.com
(2603:10b6:803:2a::26) by DM5PR04MB0954.namprd04.prod.outlook.com
(2603:10b6:4:43::30) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.20; Tue, 10 Jul
2018 17:42:13 +0000
Received: from SN1NAM01FT051.eop-nam01.prod.protection.outlook.com
(2a01:111:f400:7e40::207) by SN4PR0401CA0040.outlook.office365.com
(2603:10b6:803:2a::26) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.930.19 via Frontend
Transport; Tue, 10 Jul 2018 17:42:13 +0000
Authentication-Results: spf=pass (sender IP is 209.85.223.226)
smtp.mailfrom=kippahi.com; pepsicenter.com; dkim=none (message not signed)
header.d=none;pepsicenter.com; dmarc=fail action=oreject
header.from=microsoft.com;compauth=fail reason=000
Received-SPF: Pass (protection.outlook.com: domain of kippahi.com designates
209.85.223.226 as permitted sender) receiver=protection.outlook.com;
client-ip=209.85.223.226; helo=mail-io0-f226.google.com;
Received: from mail-io0-f226.google.com (209.85.223.226) by
SN1NAM01FT051.mail.protection.outlook.com (10.152.64.150) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.906.15 via Frontend Transport; Tue, 10 Jul 2018 17:42:13 +0000
Received: by mail-io0-f226.google.com with SMTP id v26-v6so21140229iog.5
for <redacted@pepsicenter.com>; Tue, 10 Jul 2018 10:42:13 -0700 (PDT)
X-Received: by 2002:a6b:a504:: with SMTP id o4-v6mr20289254ioe.95.1531244532626;
Tue, 10 Jul 2018 10:42:12 -0700 (PDT)
Return-Path: postmaster@kippahi.com
Received: from box-codeanywhere ([40.69.186.165])
by smtp-relay.gmail.com with ESMTPS id r192-v6sm5339158ith.7.2018.07.10.10.42.12
for <redacted@pepsicenter.com>
(version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Tue, 10 Jul 2018 10:42:12 -0700 (PDT)
X-Relaying-Domain: kippahi.com
Date: Tue, 10 Jul 2018 08:42:12 -0900
To: <redacted@pepsicenter.com>
From: Microsoft Support Team <no-reply.7nul5p0b@microsoft.com>
Subject: We found request on your account on July 10, 2018, 08:42 AM
Message-ID: <1e012453220e87d1b731c5cb36c12c73@box-codeanywhere>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
Content-Type: multipart/alternative;
boundary="b1_1e012453220e87d1b731c5cb36c12c73"
X-MS-Exchange-Organization-ExpirationStartTime: 10 Jul 2018 17:42:13.3597
(UTC)
X-MS-Exchange-Organization-ExpirationStartTimeReason: Original Submit
X-MS-Exchange-Organization-ExpirationInterval: 2:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason: Original Submit
X-MS-Exchange-Organization-Network-Message-Id: f45ae646-b8b4-40a7-eb53-08d5e68c7875
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: ab6ed105-c086-4195-b560-55de99f5b299:0
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-Forefront-Antispam-Report: CIP:209.85.223.226;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;SRVR:DM5PR04MB0954;H:mail-io0-f226.google.com;FPR:;SPF:None;LANG:en;CAT:SPM;
X-MS-Exchange-Organization-AuthSource: SN1NAM01FT051.eop-nam01.prod.protection.outlook.com
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f45ae646-b8b4-40a7-eb53-08d5e68c7875
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(7020095)(4652040)(5600053)(711020)(4605076)(4612076)(4613076)(4614076)(1401180)(1403068)(71702078);SRVR:DM5PR04MB0954;
X-MS-TrafficTypeDiagnostic: DM5PR04MB0954:
X-MS-Exchange-AtpMessageProperties: sap=1;slp=1;
X-MS-Exchange-AntiPhishPolicyId: KSE Anti Spoof
X-Exchange-Antispam-Report-Test: UriScan:;
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Safelinks-Url-KeyVer: 1
SpamDiagnosticOutput: 1:13
SpamDiagnosticMetadata: Default
X-MS-Exchange-ATPSafeLinks-BitVector: 100:0x0|0x100;
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jul 2018 17:42:13.0784
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: f45ae646-b8b4-40a7-eb53-08d5e68c7875
X-MS-Exchange-CrossTenant-Id: ab6ed105-c086-4195-b560-55de99f5b299
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR04MB0954
X-MS-Exchange-Transport-EndToEndLatency: 00:00:02.3927153
X-MS-Exchange-Processed-By-BccFoldering: 15.20.0930.000
Importance: high
X-Priority: 1
X-Microsoft-Antispam-Mailbox-Delivery:
dwl:1;ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(520008050)(702028)(944506220)(944626516);
MIME-Version: 1.0

 

  • Sounds like you're expecting the DMARC reject to result in an outright rejection of the message.

     

    From that header info, the message was marked as SCL 5 (spam).

     

    Per this article:

     

    Currently, for all customers of Office 365 – ATP and non-ATP - messages that fail DMARC with a policy of reject or quarantine are marked as spam and usually take the high confidence spam action, or sometimes the regular spam action (depending on whether other spam rules first identify it as spam). Intra-org spoof detections take the regular spam action. This behavior does not need to be enabled, nor can it be disabled.

     

    So, outright rejection is never the outcome. This makes sense from the perspective that Microsoft would not want to be discarding (losing) email from senders who have made a mistake with their DMARC records, and also because of the impact it would have on things like forwarding and mailing lists. But, the header info is written there for customers (you) to make more aggressive filtering decisions using mail flow rules if you wish.

     

    The question is then why an SCL 5 mail made it to the user's inbox. That could be due to the spam filter policy that has been configured for that user, or as Support has suggested to you, a hidden mailbox rule. So keep investigating that angle.

    • Robert Woods
      Steel Contributor
      Thank you for the information, Sir. I was definitely under the impression that a Reject policy would result in mail being dropped if non-compliant with the policy. So, in all actuality, is there a difference in what happens with Reject vs. Quarantine? Seems both policies would just result in mail being delivered to Junk.
      • Paul Cunningham
        Steel Contributor

        Correct. Office 365 currently treats them the same, according to that doc I linked to.

  • Robert Woods
    Steel Contributor

    Support says they see a rule that may be causing the issue in the mailbox that I cannot see when viewing the rules online. They want me to use MFCMAPI tomorrow to try to locate the rule and remove it. They are not sure this is the root cause but they want to try it anyway. They state it is a rule called Junk Email Rule, with no actions associated with it.

     

    Not sure why this would apply, because DMARC failures for Microsoft.com should result in a straight-up reject from the server at time of delivery according to their published policy.

     

    https://mxtoolbox.com/SuperTool.aspx?action=dmarc%3amicrosoft.com&run=toolpage 

     

    v=DMARC1; p=reject; pct=100; rua=mailto:d@rua.agari.com; ruf=mailto:d@ruf.agari.com; fo=1

    Tag | TagValue | Name | Description
    v | DMARC1 | Version | Identifies the record retrieved as a DMARC record. It must be the first tag in the list.
    p | reject | Policy | Policy to apply to email that fails the DMARC test. TagValue can be 'none', 'quarantine', or 'reject'.
    pct | 100 | Percentage | The percentage tag tells receivers to only apply policy against email that fails the DMARC check X amount of the time.
    rua | mailto:d@rua.agari.com | Receivers | List of URIs for receivers to send XML feedback to. URIs are required to be added in the format of 'mailto:address@example.com'.
    ruf | mailto:d@ruf.agari.com | Forensic Receivers | List of URIs for receivers to send Forensic reports to. URIs are required to be added in the format of 'mailto:address@example.com'.
    fo | 1 | Forensic Reporting | Forensic reporting options. The value of this tag is a colon-separated list of characters. Possible values: (0) to generate reports if all underlying authentication mechanisms fail to produce a DMARC pass result, (1) to generate reports if any mechanisms fail, (d) to generate report if DKIM signature failed to verify, (s) if SPF failed. If no ruf tag is specified, this tag will be ignored.
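
The three header fields this thread turns on (Authentication-Results, X-Forefront-Antispam-Report and X-Microsoft-Antispam-Mailbox-Delivery) can be pulled apart mechanically. This is an added example, not part of the original posts or any Microsoft tooling; reading `dest:I` as Inbox delivery and SCL 5 or higher as a spam verdict are assumptions, and `aligned` is a simplified suffix comparison rather than a Public Suffix List lookup.

```python
import re
from email import message_from_string

# Three header fields reproduced from the post above, folding whitespace restored.
SAMPLE = """\
Authentication-Results: spf=pass (sender IP is 209.85.223.226)
 smtp.mailfrom=kippahi.com; pepsicenter.com; dkim=none (message not signed)
 header.d=none;pepsicenter.com; dmarc=fail action=oreject
 header.from=microsoft.com;compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:209.85.223.226;IPV:NLI;CTRY:US;EFV:NLI;SFV:SPM;SFS:(10001);DIR:INB;SFP:;SCL:5;SRVR:DM5PR04MB0954;H:mail-io0-f226.google.com;FPR:;SPF:None;LANG:en;CAT:SPM;
X-Microsoft-Antispam-Mailbox-Delivery:
 dwl:1;ucf:0;jmr:0;ex:0;auth:0;dest:I;ENG:(20160513016)(750119)(520011016)(520008050)(702028)(944506220)(944626516);

"""

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc|compauth|action|smtp\.mailfrom|header\.from)=([^\s;]+)")


def fields(value):
    """Split 'SCL:5;SFV:SPM;' style values into a lower-cased dict."""
    out = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            out[key.lower()] = val.strip()
    return out


def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def triage(raw_headers):
    msg = message_from_string(raw_headers)
    flat = lambda name: " ".join((msg.get(name) or "").split())  # unfold
    auth = dict(AUTH_RE.findall(flat("Authentication-Results")))
    spam = fields(flat("X-Forefront-Antispam-Report"))
    dest = fields(flat("X-Microsoft-Antispam-Mailbox-Delivery")).get("dest")
    scl_raw = spam.get("scl", "")
    scl = int(scl_raw) if scl_raw.lstrip("-").isdigit() else None

    findings = []
    # SPF authenticated the envelope sender, which is not the domain the user sees.
    if auth.get("spf") == "pass" and not aligned(
            auth.get("smtp.mailfrom", ""), auth.get("header.from", "")):
        findings.append("spf-pass-but-unaligned")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc-fail:" + auth.get("action", "unknown"))
    # Assumption: SCL >= 5 is a spam verdict and dest:I means Inbox delivery.
    if scl is not None and scl >= 5 and dest == "I":
        findings.append("spam-verdict-delivered-to-inbox")
    return {"from": auth.get("header.from"), "mailfrom": auth.get("smtp.mailfrom"),
            "scl": scl, "dest": dest, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted headers all three findings fire: the filter scored the message as spam, so the open question is the delivery step (spam filter policy or a mailbox rule), as the reply above says.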
