> Failure reporting seems odd (because it's always legitimate)
> until you recall that part of the purpose of failure reporting
> is to discover errors by the domain registrant, particularly
> including errors in the DNS zone file, which may or may not
> be under Office 365 control

If Office 365 isn’t doing any DNS checks for SPF, DKIM, and DMARC for internal 
email, then how would a DMARC report help with any of that?

> Aggregate reporting likewise seems like something that would
> make sense for inter-tenant communication

Inter-tenant communication is treated the same (more or less) as an inbound 
message that originates from outside the service, so any DMARC reports that are 
sent would not differ between tenant-to-tenant mail vs. outside-to-Office365 
mail.

> Does Office 365 DKIM sign inter-tenant email?

Yes. Inter-tenant mail is treated the same for DKIM purposes as 
Tenant-to-external mail. Our customer guidance is here for DKIM: 
https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx

Our all-up guide for antispoofing (of which SPF, DKIM, and DMARC play a part) 
is here: http://aka.ms/LearnAboutSpoofing.

--Terry

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> On Behalf Of Roland 
Turner via dmarc-discuss
Sent: Sunday, April 22, 2018 11:00 PM
To: dmarc-discuss@dmarc.org
Subject: [EXTERNAL] Re: [dmarc-discuss] Mimecast and Office 365

DMARC checking within a service provider doesn't make much sense, however DMARC 
reporting probably would when/if you implement it:

  *   Failure reporting seems odd (because it's always legitimate) until you 
recall that part of the purpose of failure reporting is to discover errors by 
the domain registrant, particularly including errors in the DNS zone file, 
which may or may not be under Office 365 control.
  *   Aggregate reporting likewise seems like something that would make sense 
for inter-tenant communication.

Related question: does Office 365 DKIM sign inter-tenant email? (This would not 
be terribly important for end delivery at the addressed tenant, but would be 
important for messages that were automatically forwarded elsewhere.)

- Roland


On 23/04/18 12:55, Terry Zink via dmarc-discuss wrote:

>> 3. Would O365 do DMARC checks for internal emails ie.
>> O365 tenant employee to another O365 tenant employee?
>> And would it send DMARC reports in this case?

I didn’t see this answered, so answering it now.

Office 365 doesn’t do DMARC checks for internal emails since they don’t leave 
the network perimeter. Since no DMARC check is done, no DMARC report is sent 
(Office 365 doesn’t send DMARC reports anyway, but if it did, it wouldn’t in 
this case). There are some advanced reporting capabilities for Advanced Threat 
Protection customers that can quasi-approximate DMARC reports, and you could 
use Transport rules in the service to approximate a RUF report. But there’s no 
official DMARC reporting at this time.

--Terry

From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> On Behalf Of Roland 
Turner via dmarc-discuss
Sent: Thursday, April 12, 2018 12:57 AM
To: dmarc-discuss@dmarc.org
Subject: [EXTERNAL] Re: [dmarc-discuss] Mimecast and Office 365

On 11/04/18 22:07, Ivan Kovachev via dmarc-discuss wrote:
Hello guys,

I have three questions for you that I am unsure about and hoping that someone 
at Microsoft will be able to help:

First two questions are related to Mimecast acting as inbound security gateway 
to O365:

1. When Mimecast acts as inbound gateway solution and it receives an email, it 
does DMARC checks and lets the email through to O365 environment. Even if an 
email passes DMARC checks at Mimecast and the email is let through, then O365 
also seems to be doing DMARC checks but both SPF and DKIM fail because of 
the change that Mimecast does. As a result DMARC fails. My question is, what 
is the best practice here in this scenario? Is there a way to turn off DMARC 
checks at O365? Mimecast suggest that it is whitelisted in O365 but that means 
that all the spam will be let through as well.

DMARC checking should only occur at the host referred to by the MX record as 
SPF is still relevant for at least some email. I believe Office 365 has a 
trusted inbound relays option (i.e. Office 365 trusts the specified hosts to 
filter their email) although I can't quickly find it.

Mimecast is apparently unwilling to change their service to stop damaging 
incoming messages that don't breach the policies being enforced (they 
unconditionally unpack and then repack every message, rather than only those 
whose contents they have reason to modify).



2. Would O365 send DMARC reports back to the sender in the above case? And, if 
O365 sends DMARC reports back to the sender then emails will be shown as 
originating from Mimecast but failing DMARC.

Yes and yes if you've not listed Mimecast as a trusted inbound relay. (Assuming 
that the trusted inbound relays setting is not a figment of my imagination, one 
would hope that Office 365 would not send feedback in this case.)



3. Would O365 do DMARC checks for internal emails ie. O365 tenant employee to 
another O365 tenant employee? And would it send DMARC reports in this case?

Yes and hopefully yes.

- Roland
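
Added example (not part of the original thread): a Python illustration of question 1 above, showing why a second DMARC evaluation behind a filtering gateway fails when the gateway repacks the message. The addresses, bodies and helper names are constructed; SPF is reduced to a network match and DKIM to the `bh=` body-hash comparison, with identifier alignment assumed.

```python
import base64, hashlib, ipaddress, re

def relaxed_body(body: bytes) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376, section 3.4.4)."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """Value a signer would place in the bh= tag (sha256, relaxed body)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def dmarc_at_hop(connecting_ip: str, body: bytes, signed_bh: str, spf_nets) -> dict:
    """Simplified evaluation as seen by one receiving hop."""
    ip = ipaddress.ip_address(connecting_ip)
    spf = any(ip in ipaddress.ip_network(n) for n in spf_nets)  # who connected to us?
    dkim = body_hash(body) == signed_bh    # a bh= mismatch fails DKIM verification
    return {"spf": spf, "dkim": dkim, "dmarc": spf or dkim}

# Constructed sample data (documentation address ranges, made-up MIME body).
SPF_NETS = ["192.0.2.0/24"]                # networks the sender domain authorizes
SENDER_IP, GATEWAY_IP = "192.0.2.10", "198.51.100.25"
ORIGINAL = (b"--b1\r\nContent-Type: text/plain\r\n\r\n"
            b"Quarterly report attached.\r\n--b1--\r\n")
REPACKED = ORIGINAL.replace(b"b1", b"gw-0001")   # same content, new MIME boundary
SIGNED_BH = body_hash(ORIGINAL)

def scenarios() -> dict:
    return {
        # Gateway is the MX: it sees the sender's IP and the untouched body.
        "at_mx": dmarc_at_hop(SENDER_IP, ORIGINAL, SIGNED_BH, SPF_NETS),
        # Downstream hop, gateway relayed without modifying: SPF fails, DKIM survives.
        "downstream_untouched": dmarc_at_hop(GATEWAY_IP, ORIGINAL, SIGNED_BH, SPF_NETS),
        # Downstream hop, gateway repacked the message: SPF and DKIM both fail.
        "downstream_repacked": dmarc_at_hop(GATEWAY_IP, REPACKED, SIGNED_BH, SPF_NETS),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} {result}")
```

Relaxed canonicalization only absorbs whitespace differences, so any structural rewrite of the body changes the hash.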




_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

