
My company uses an Anti-Spoofing Protection based on the SPF record and has implemented DMARC. Often our users correspond via a "secure" messaging platform like Proofpoint/ZIX/IronPort from their counterparts. However, when our users respond on those platforms, the platforms respond on their behalf, "spoofing" their emails. At the first level, it fails to reach any of that person's colleagues if they are on the thread, based on our Anti-Spoofing Protection (for which I can whitelist Proofpoint/ZIX/IronPort by adding their IPs to our SPF record). However, how can I do it for DMARC? Since I don't have any of those services, I can't provide them the DKIM key, etc. I'm assuming that just whitelisting in Anti-Spoofing Protection would then fall to failing DMARC next.


  • DMARC succeeds when __either__ SPF or DKIM passes and is aligned to the `From` field. There is no need that both pass. – Steffen Ullrich Apr 08 '21 at 14:24
  • Listing those services, that you don't control, in your SPF allows anyone that uses that service (or at least the SPF listed IP) to send out any email on behalf of your domain. Maybe I misunderstand, but can you make it a bit more visual? Who are the users? Where do they reside, where are they sending the emails (in terms of email domains) etc. – Reinto Apr 08 '21 at 17:51
  • @Reinto Added a pix. – user2942358 Apr 08 '21 at 20:23
  • If you add Proofpoint to the SPF, then those emails will probably pass SPF, depending on which Return-Path address is used in those emails from the Proofpoint web platform. DMARC will then pass if the Return-Path address uses the same email domain as the From address (@dell.com in your example). If this Proofpoint web platform is hosted at ATT, how does it let you register and use the Dell address as sender address? Adding ATT's PP to your SPF allows anyone that can register a Dell.com email address to send authenticated emails in your name. – Reinto Apr 09 '21 at 15:22

1 Answer


DMARC requires either SPF or DKIM passing with alignment to the From header domain.

If you've added the encryption service gateways to your SPF record, all mail from those gateways will pass your domain's DMARC.

Adam Katz
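
The rule stated in the answer and in the comments (SPF or DKIM must pass and align with the `From` domain), as an added Python example that is not part of the original post. The function names, the `example.com` / `example.net` domains and the last-two-labels organizational-domain rule are assumptions; a real evaluator uses the Public Suffix List.

```python
# Added example: DMARC check (SPF/DKIM result + identifier alignment).
# All domains and results are constructed sample data.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real evaluator
    # consults the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_pass(from_domain, spf_result, mail_from_domain, dkim_sigs=(),
               aspf="r", adkim="r"):
    """DMARC passes if SPF passes AND aligns, or any DKIM signature passes AND aligns.

    spf_result is the SPF verdict for mail_from_domain (the Return-Path domain);
    dkim_sigs is an iterable of (result, d_domain) pairs.
    """
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, from_domain, adkim)
                  for res, d in dkim_sigs)
    return spf_ok or dkim_ok

# Constructed scenarios for a reply sent through a third-party gateway
# with "From: user@example.com".
SCENARIOS = {
    # Gateway uses its own Return-Path and signs with its own DKIM domain:
    # both mechanisms pass, neither aligns with example.com.
    "gateway_own_identity": dmarc_pass(
        "example.com", "pass", "bounce.gateway.example.net",
        [("pass", "gateway.example.net")]),
    # Gateway IP listed in example.com's SPF and Return-Path is @example.com.
    "gateway_in_spf_aligned_return_path": dmarc_pass(
        "example.com", "pass", "example.com"),
    # SPF fails, but a DKIM signature with d=example.com verifies.
    "dkim_only": dmarc_pass(
        "example.com", "fail", "example.com", [("pass", "example.com")]),
    # Subdomain Return-Path: aligned under relaxed mode, not under strict.
    "relaxed_subdomain": dmarc_pass("example.com", "pass", "mail.example.com"),
    "strict_subdomain": dmarc_pass("example.com", "pass", "mail.example.com",
                                   aspf="s"),
}

if __name__ == "__main__":
    for name, ok in SCENARIOS.items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

SPF is evaluated against the Return-Path domain, so the first scenario fails DMARC even though both SPF and DKIM report `pass` for the gateway's own domain.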