Motivation

We send emails programatically to communicate with our users. At times users says “I did not receive the email and checked all folders including spam/trash”. But when we check applicaiton log and exchange server log the mail is actually passed through. We wonder what happen after.

Also on the other side, we are missing mails which supposed to be delivered to us. Either it is blocked by any intermediate components (ISP, Firewall, Security Scan, Spam filter) or it is landed somewhere else than the focused inbox.

One thing common about both the scenario is “Both are true”. Computer systems behaves the way it is configured to work. Just our lack of knowledge in the configuration, communicating the expected behaviour and its purpose makes the end users to scratch their head.

In this article, I am documenting my learnings which gives basic knowledge to debug and implement better email sending and applying security policies.

Points

  • DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” - Makes easy to get context.
  • DMARC settings protect your domain so unwanted parties send email which looks like it is coming from your doamin.
  • More companies adopting to use DMARC to avoid spams and someone misusing their domain.
  • Domains regiter the DMARC TXT record to get notification when their domain misused.
  • Receiving exchange servers inspect incoming email and when it suspects it reports to the domain owners based on the DMARC record.

Possible reason for email not getting delivered.

EMail receiver company implemented DMARC policy based email scanning solution, the incoming email will go through the scanning solution. It will review the email and the sender domain DMARC record. The sender domain may demand to reject the email when the email is not meeting DMARC policy, receviver security system may in place to honors that. Also the sender domain provides way (email address) to receive the report.

DMARC is mainly to avoid spaming and avoid misusing the domain. It utilizes other validation mechanism from SPF and DKIM (which I consider outside of this scope.)

Here is the header added by exchange server with signatures

Authentication-Results: spf=pass (sender IP is 209.85.216.50)
 smtp.mailfrom=gmail.com; dkim=pass (signature was verified)
 header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass
 reason=100

Resources:

  • https://sendgrid.com/blog/what-is-dmarc/
  • https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains
  • https://dmarc.org/
  • https://www.learndmarc.com/
  • https://practical365.com/how-to-read-email-message-headers/
  • https://testconnectivity.microsoft.com/tests/OutboundSMTP/input