Sorry for the slow response to the original Mimecast question.  I want to set 
the record straight on what Mimecast does to mail as it flows through us and 
why.

Firstly, Mimecast does unpack and repack every message. This does sometimes 
break DKIM signatures especially if they are body based. For most of our 
customers we have to do this as we are making changes to the message that 
require it. The reason varies but things like URL rewriting, attachment 
stripping or conversion require it.

The unpack and repack is not unconditional. We have options that allow for it 
to be disabled (with the side effect that certain features are not available) 
and we also apply it automatically in some cases but existence or breaking of a 
DKIM signature is not one of those cases.

For the vast majority of our customers this is entirely fine. Mimecast is their 
gateway so all DMARC checks and signature additions are performed at the 
Mimecast gateway and the fact that we break signatures is not an issue. If 
customers are seeing signatures breaking on outbound messages then they need to 
configure Mimecast to sign outbound for them.

I hope that makes sense.

I am interested in the use case for the internal message DMARC checks. If 
someone can clarify why that is useful then I would find that helpful.

Simon



Simon Tyler
VP of Engineering and Product Research
c: +44 7590 735958
p: +44 207 847 8700
http://www.mimecast.com

This email, sent at 09:09:06 on 2018-04-25 from sty...@mimecast.com to 
dmarc-discuss@dmarc.org has been scanned for viruses and malware by Mimecast.


From: dmarc-discuss <dmarc-discuss-boun...@dmarc.org> on behalf of Roland 
Turner via dmarc-discuss <dmarc-discuss@dmarc.org>
Reply-To: Roland Turner <rol...@rolandturner.com>
Date: Thursday, 12 April 2018 at 09:07
To: "dmarc-discuss@dmarc.org" <dmarc-discuss@dmarc.org>
Subject: Re: [dmarc-discuss] Mimecast and Office 365

On 11/04/18 22:07, Ivan Kovachev via dmarc-discuss wrote:
> Hello guys,
>
> I have three questions for you that I am unsure about and hoping that someone 
> at Microsoft will be able to help:
>
> First two questions are related to Mimecast acting as inbound security gateway 
> to O365:
>
> 1. When Mimecast acts as inbound gateway solution and it receives an email, it 
> does DMARC checks and lets the email through to O365 environment. Even if an 
> email passes DMARC checks at Mimecast and the email is let through, then O365 
> also seems to be doing DMARC checks but both SPF and DKIM fail because of 
> the change that Mimecast does. As a result DMARC fails. My question is, what 
> is the best practice here in this scenario? Is there a way to turn off DMARC 
> checks at O365? Mimecast suggests that it is whitelisted in O365 but that means 
> that all the spam will be let through as well.

DMARC checking should only occur at the host referred to by the MX record as 
SPF is still relevant for at least some email. I believe Office 365 has a 
trusted inbound relays option (i.e. Office 365 trusts the specified hosts to 
filter their email) although I can't quickly find it.

Mimecast is apparently unwilling to change their service to stop damaging 
incoming messages that don't breach the policies being enforced (they 
unconditionally unpack and then repack every message, rather than only those 
whose contents they have reason to modify).


> 2. Would O365 send DMARC reports back to the sender in the above case? And, if 
> O365 sends DMARC reports back to the sender then emails will be shown as 
> originating from Mimecast but failing DMARC.

Yes and yes if you've not listed Mimecast as a trusted inbound relay. (Assuming 
that the trusted inbound relays setting is not a figment of my imagination, one 
would hope that Office 365 would not send feedback in this case.)


> 3. Would O365 do DMARC checks for internal emails, i.e. O365 tenant employee to 
> another O365 tenant employee? And would it send DMARC reports in this case?

Yes and hopefully yes.

- Roland
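
The body-based DKIM breakage discussed at the top of this thread, as an added example (not code from any participant or from Mimecast): the `bh=` tag is a hash over the canonicalized body bytes as transmitted, so the code implements RFC 6376 simple and relaxed body canonicalization and checks which gateway changes leave the hash intact. The sample message, the rewritten URL host and the variant names are constructed assumptions.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM body canonicalization, RFC 6376 sections 3.4.3 (simple), 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one SP and drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """Value a signer places in bh= (a=rsa-sha256, no l= tag)."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()

# Constructed sample: the body exactly as the sender signed it.
SIGNED = b"Hello,\r\nYour invoice: https://example.com/inv/42\r\n"

# Constructed gateway outputs (hypothetical, not any vendor's actual output).
VARIANTS = {
    "untouched": SIGNED,
    "whitespace_only": b"Hello,  \r\nYour invoice:\thttps://example.com/inv/42\r\n\r\n",
    "url_rewritten": SIGNED.replace(
        b"https://example.com/", b"https://gw.example.net/r?u=https://example.com/"),
    # Same decoded text, repacked with a base64 transfer encoding.
    "repacked_base64": base64.encodebytes(SIGNED).replace(b"\n", b"\r\n"),
}

def survives(mode: str) -> dict:
    """For each variant: does the recomputed hash still equal the signer's bh=?"""
    signed_bh = body_hash(SIGNED, mode)
    return {name: body_hash(body, mode) == signed_bh
            for name, body in VARIANTS.items()}

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, survives(mode))
```

Relaxed canonicalization absorbs only whitespace changes. The base64 repack decodes to identical text yet still fails under both modes, which is why a receiver behind the gateway sees DKIM fail even when no content was altered.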