On 19/04/18 00:48, Ivan Kovachev via dmarc-discuss wrote:
> I found this on Microsoft's website:
> "If you have configured your domain's MX records where EOP is not the
> first entry, DMARC failures will not be enforced for your domain.
> If you're an Office 365 customer, and your domain's primary MX record
> does not point to EOP, you will not get the benefits of DMARC. For
> example, DMARC won't work if you point the MX record to your
> on-premises mail server and then route email to EOP by using a
> connector."
> I guess this is why we are currently not seeing any reports being sent
> by Office 365 if it has Mimecast in front of it and as part of the MX
> record for receiving domain.

This is a neat feature: why require customers to separately configure
trusted relays when they've already voted with their MX records?

Only the perimeter (i.e. MX) system - or set of systems under the same
administrative control - should be enforcing DMARC:

* SPF will always be broken for a downstream system (because it will
  see the IP address of the upstream system)
* DKIM will potentially be broken by the upstream system (always in
  Mimecast's case)

Reporting is probably a no also, because there's no reason at all for
Microsoft to disclose this information; from the perspective of the
email system the Mimecast->Microsoft transition is an internal step. Are
you looking for such reporting to occur?

- Roland
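
An added example, not part of the original message: a Python sketch of why SPF, and with it DMARC, gives a different answer at the MX than at a mailbox host behind it. The addresses, the SPF record and the function names are constructed for illustration; only ip4/ip6/all are evaluated and identifier alignment is assumed.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record: str, connecting_ip: str) -> str:
    """Evaluate the ip4:/ip6:/all mechanisms of an SPF record.

    Simplification: include, a, mx, redirect and macros need DNS and are
    skipped here, so this is not a full SPF implementation.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"

def dmarc_result(spf: str, dkim_valid: bool) -> str:
    """DMARC passes if SPF or DKIM passes (alignment assumed in this sketch)."""
    return "pass" if spf == "pass" or dkim_valid else "fail"

# Constructed sample data: documentation address ranges, hypothetical record.
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"  # published by the sending domain
SENDER_IP = "192.0.2.25"     # the sender's real outbound server
RELAY_IP = "198.51.100.7"    # egress address of the filtering service at the MX

def evaluate_hops(dkim_survives_relay: bool) -> dict:
    """Return (SPF, DMARC) as seen at the perimeter and at the downstream host."""
    at_mx = spf_check(SENDER_SPF, SENDER_IP)      # MX sees the sender's IP
    behind = spf_check(SENDER_SPF, RELAY_IP)      # downstream sees the relay's IP
    return {
        "perimeter": (at_mx, dmarc_result(at_mx, True)),
        "downstream": (behind, dmarc_result(behind, dkim_survives_relay)),
    }

if __name__ == "__main__":
    print(evaluate_hops(dkim_survives_relay=False))
```

With `dkim_survives_relay=False` the downstream host sees both checks fail for a message that passed at the perimeter, which is why enforcement behind the MX would reject legitimate mail.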