P=Reject when using hosted email security?

PaulC

We are aiming to set a DMARC policy of P=Reject on our domain but a third-party tool we use to monitor DMARC reports (Dmarcian) shows that outbound emails sent by/through Hosted Email Security are only 85% compliant.

It looks like the Sonicwall sends out 15% emails with the organisation From: address, but SPF address of e.g. ams0vm-hesra06.colo.sonicwall.com and no DKIM

I can't tell what these emails might be because I can only see summary reports

Has anyone else got P=reject implemented?

Thank you

David W

@PaulC Can you open a case and give some samples?

Do you have DKIM polices set in HES for this?

PaulC

@DavidW I've reflected it is probably not much interest to anybody else because it stemmed from our unusual email configuration

incoming emails => sonicwall hosted security => Office 365 (EOP and mailboxes)

outgoing emails Office 365 => on-premises Exchange 2016 => sonicwall hosted security

[the reason for routing outgoing emails via an on-premise Exchange server is to re-use the corporate email signature software installed on it]

This all worked correctly apart from 15% of outgoing emails having the wrong SPF: these turned out to be all out-of-office emails; I am not sure why this arrangement caused SPF failures but the solution was to exclude them from the transport rule routing them via the on premises server

David W

An OOO will not contain a valid sender.

An OOO will use <NULL> instead.

Since SPF is based on sender domain and the sending IP those will fail

PaulC

Interesting, the out-of-office messages I'm seeing have SPF sender address ending outbound.protection.outlook.com

But no matter, it is all working for us

Thanks