2

I have configured SPF, DKIM, and DMARC for a couple of domains that use G Suite as an email/office suite provider. Everything is looking great so far, except for some reason Google is the only provider that is sending us daily aggregate reports, and what's more interesting, the reports Google is sending us include the emails we send to other providers.

To give you an example, the recipients of most of the emails we send are Office 365/Outlook users. Shouldn't Microsoft send us aggregate reports in this case? Well, it turns out no, as we have not received anything from Microsoft and the reports Google is sending us take into account the emails we send to Office 365 users. How is this possible? When we send emails through our G Suite accounts, is it possible for Google to somehow instruct Microsoft's servers to ignore our domain's DMARC email address and instead of that send aggregate reports to Google, which they in turn compile and send to us?

I really can't make sense of this. Any help would be appreciated.

Jeff
    I wonder if it would help to include an anonymized version of your actual DMARC record in case there could be any quirks with that which are relevant. Another question is how long have you had the record in place? I'm not sure if all providers are sending summaries every day - some may be weekly. Oh yeah, also make sure no DMARC reports from other providers are being blocked by your own mail security configuration! – Todd Wilcox Feb 28 '19 at 15:40

2 Answers

4

I had the same issue, but the explanation is very simple:

There are many people using Office 365/Outlook or another mail provider as a secondary identity who redirect all their mail to their main mailbox (Gmail, for example). The consequence is that Google is the real recipient while Microsoft acts as a relay.

And according to RFC 7489 (https://www.rfc-editor.org/rfc/rfc7489#section-4.3), only the final recipient sends a report; in this case it's Google and not Microsoft, even if Microsoft was the original destination. Also, there are only a few mail providers that send reports (and I never saw Microsoft sending any).

So, in your case, you have only sent mail to mail providers that act as a relay to a Gmail box (very common, as I have seen in my reports) or which don't send any reports.

redheness
    Looks like you are probably right about Microsoft not sending them: https://answers.microsoft.com/en-us/msoffice/forum/all/dmarc-aggregate-reports/08ccb4a7-de7a-4f25-b7bf-dfcdf5b22513 - That's from May 2018 and says MS does not send DMARC reports. Also this: https://blogs.msdn.microsoft.com/tzink/2018/05/21/a-way-to-sort-of-approximate-dmarc-aggregate-reports-in-office-365/ – Todd Wilcox Feb 28 '19 at 16:29
0

Thank you for chiming in and helping me figure this out. As it turns out, Microsoft indeed doesn't send aggregate reports, and the reports we receive from Google that appear to be counting in emails sent to Microsoft users are actually due to internal forwarding we set up for our G Suite domains a long time ago, which I totally forgot about.

I've had DMARC configured for almost a year now and recently I changed the policy to "reject" since there was a lot of email spoofing going on involving our domains. I thought the DMARC standard was mature and all major email providers were fully compliant. Turns out I was wrong. I will keep the "reject" policy though. The internal forwarding I mentioned is actually quite helpful in this case. Thanks to it, Google will keep sending us reports for emails that we send to users of Microsoft and other email providers. This way, I will notice if there is a problem with email deliverability, even though some providers don't bother sending reports.

Jeff
    You're right. HoTMaiL/Outlook.com used to send reports until it was moved to the Office 365 backend. Since then Microsoft does not send reports at all. DMARC as a standard works well, though adoption is a bit lagging. The value of the reports is in telling you which senders (on your behalf) are failing to (fully) authenticate. You don't need every receiving party to send you reports to judge that… Depending on your volume and diversity of course. – Reinto Mar 02 '19 at 07:48
  • Well, to be honest, I don't care that much about who is impersonating our email addresses, as long as their emails get rejected by the recipients' email providers. What I do care about however is making sure that all of our legitimate email gets through. And for that, I need diligent reporting on the part of email providers. It's sad that DMARC reporting isn't even on the roadmap of a technology giant such as Microsoft whose servers receive tons of personal and, most importantly, business email every day. – Jeff Mar 02 '19 at 13:35
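
The thread above attributes the puzzling rows in Google's reports to forwarded mail. The following is an added example, not code from any participant: it reads one aggregate report in the RFC 7489 Appendix C layout and separates direct mail, likely-forwarded mail, and DMARC failures. The sample report, the `summarize` name, the network range, and the forwarding heuristic (DKIM passes, SPF does not, source IP is outside your own ranges) are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation IP ranges, not real data).
SAMPLE = b"""<feedback>
<report_metadata><org_name>google.com</org_name></report_metadata>
<policy_published><domain>example.com</domain><p>reject</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>40</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
<record><row><source_ip>198.51.100.7</source_ip><count>12</count><policy_evaluated>
  <disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
<record><row><source_ip>203.0.113.99</source_ip><count>3</count><policy_evaluated>
  <disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarize(report_xml, own_networks):
    """Return (reporting org, message counts per category) for one report."""
    # Reports arrive from outside parties and never need a DTD; refuse one
    # rather than let the XML parser process entity declarations.
    if b"<!DOCTYPE" in report_xml:
        raise ValueError("unexpected DTD in aggregate report")
    root = ET.fromstring(report_xml)  # assumes no XML namespace on <feedback>
    nets = [ipaddress.ip_network(n) for n in own_networks]
    totals = Counter()
    for row in root.iter("row"):
        ip = ipaddress.ip_address(row.findtext("source_ip").strip())
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        if dkim != "pass" and spf != "pass":
            kind = "dmarc_fail"      # neither mechanism aligned: DMARC fails
        elif any(ip in n for n in nets):
            kind = "direct"          # sent from our own infrastructure
        elif dkim == "pass" and spf != "pass":
            kind = "forwarded"       # signature survived a relay, SPF did not
        else:
            kind = "other_pass"      # e.g. a third party sending on our behalf
        totals[kind] += count
    return root.findtext("report_metadata/org_name"), dict(totals)

if __name__ == "__main__":
    print(summarize(SAMPLE, ["192.0.2.0/24"]))
```

Under a "reject" policy, the `dmarc_fail` bucket is the one to review for legitimate senders that still need SPF or DKIM set up.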