Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

P=Reject when using hosted email security?

We are aiming to set a DMARC policy of P=Reject on our domain but a third-party tool we use to monitor DMARC reports (Dmarcian) shows that outbound emails sent by/through Hosted Email Security are only 85% compliant.

It looks like the Sonicwall sends out 15% emails with the organisation From: address, but SPF address of e.g. ams0vm-hesra06.colo.sonicwall.com and no DKIM

I can't tell what these emails might be because I can only see summary reports

Has anyone else got P=reject implemented?

Thank you

Category: Hosted Email Security
Reply

Answers

  • David WDavid W SonicWall Employee

    @PaulC Can you open a case and give some samples?

    Do you have DKIM polices set in HES for this?

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • PaulCPaulC Newbie ✭

    @DavidW I've reflected it is probably not much interest to anybody else because it stemmed from our unusual email configuration

    incoming emails => sonicwall hosted security => Office 365 (EOP and mailboxes)

    outgoing emails Office 365 => on-premises Exchange 2016 => sonicwall hosted security

    [the reason for routing outgoing emails via an on-premise Exchange server is to re-use the corporate email signature software installed on it]

    This all worked correctly apart from 15% of outgoing emails having the wrong SPF: these turned out to be all out-of-office emails; I am not sure why this arrangement caused SPF failures but the solution was to exclude them from the transport rule routing them via the on premises server

  • David WDavid W SonicWall Employee

    An OOO will not contain a valid sender.

    An OOO will use <NULL> instead.

    Since SPF is based on sender domain and the sending IP those will fail

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • PaulCPaulC Newbie ✭
    Interesting, the out-of-office messages I'm seeing have SPF sender address ending outbound.protection.outlook.com
    
    But no matter, it is all working for us
    
    Thanks
    
    


Sign In or Register to comment.