Help with SPF, DKIM and DMARC for O365

Discussion in 'Webmastering & Programming' started by |-Goku-|, Dec 13, 2018.

  1. |-Goku-|

    |-Goku-| [H]ard|Gawd

    Hey all,
    Was just seeing if anyone has any Exchange experience that could help me.

    I don't do too much with Exchange stuff, but I have a client that is on Office 365, and was getting hit with spoofers. So, we set up SPF, DKIM and DMARC, which has worked great, but now we need to allow their web site hosting company to send emails on their behalf.

    They are using WordPress, and it was coming from mail.wpengine.com. So, I added that to the SPF record, but the email was still flagged as spam. According to MXToolbox, it passed SPF Alignment and Authentication, but failed both DKIM. So, they had me use SendGrid, where I verified the domain and added the DKIM keys and the CNAME for the return path. This was still flagged as spam, showing that SPF Alignment and Authentication failed, but DKIM Alignment passed. In the headers, it shows that SPF = Pass, so I am not sure what I am missing. The only thing I can think of is that MXToolbox is showing the SendGrid and mail.wpengine.com IPs as being blacklisted.

    Any help or a point in the right direction would be great.
     
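The gap between "SPF = Pass" in the headers and a failed SPF alignment check, as an added example that is not part of the original thread: it splits an Authentication-Results header into authentication and relaxed DMARC alignment per mechanism. The header strings, the domains example.com and esp.example, and the function names are constructed for illustration, and the organizational domain is approximated by the last two labels.

```python
import re

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain.
    # A real evaluator consults the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def field(header: str, name: str) -> str:
    # First "name=value" token in the header; text in (...) is not a value.
    m = re.search(r"\b" + re.escape(name) + r"=([^\s;()]+)", header, re.I)
    return m.group(1) if m else ""

def dmarc_view(auth_results: str) -> dict:
    """Report authentication and relaxed alignment separately per mechanism."""
    from_org = org_domain(field(auth_results, "header.from"))
    mailfrom = field(auth_results, "smtp.mailfrom").rsplit("@", 1)[-1]
    spf_auth = field(auth_results, "spf").lower() == "pass"
    dkim_auth = field(auth_results, "dkim").lower() == "pass"
    # Alignment: the authenticated domain must share the From: org domain.
    spf_aligned = bool(from_org) and spf_auth and org_domain(mailfrom) == from_org
    dkim_aligned = (bool(from_org) and dkim_auth
                    and org_domain(field(auth_results, "header.d")) == from_org)
    return {"spf_auth": spf_auth, "spf_aligned": spf_aligned,
            "dkim_auth": dkim_auth, "dkim_aligned": dkim_aligned,
            # DMARC needs only one mechanism to be both passing and aligned.
            "dmarc_pass": spf_aligned or dkim_aligned}

# Constructed headers: example.com is the From: domain, esp.example a sending service.
SAMPLES = {
    "service bounce domain, DKIM signed as example.com": (
        "mx.receiver.example; spf=pass (sender IP is 192.0.2.10) "
        "smtp.mailfrom=bounces.esp.example; dkim=pass (signature was verified) "
        "header.d=example.com; dmarc=pass action=none header.from=example.com"),
    "custom return path under example.com, DKIM broken": (
        "mx.receiver.example; spf=pass smtp.mailfrom=bounce@em1234.example.com; "
        "dkim=fail header.d=example.com; header.from=example.com"),
    "service bounce domain, no DKIM signature": (
        "mx.receiver.example; spf=pass smtp.mailfrom=bounces.esp.example; "
        "dkim=none; header.from=example.com"),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label}: {dmarc_view(hdr)}")
```

Only the first DKIM result in a header is read here; a message with several signatures needs each one checked.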
  2. FNtastic

    FNtastic [H]ard|Gawd

    No... Don't add anything to your domain records. Create them an email account and give them the credentials. The website developer will need to figure out the rest if it isn't already a feature of whatever plugin/feature they are using with WP.

    Remove any records that you added. You don't want to list any domains besides your own as authorized senders... That's a really bad idea, and it's how spoofing happens.

    Essentially, the changes you are trying to make are going to allow anyone to send email with your domain listed as the sender, and have it appear legitimate. This is bad for obvious reasons. If I sign up for a mail.wpengine.com account or whatever you added to your records, and put your actual domain as the sender, I can claim to be anyone in your company without ever having access to your network or O365 or any of your admin logins. I skip all that and can start sending emails worldwide, picking off clients, etc.
     
    Last edited: Dec 15, 2018
  3. socK

    socK 2[H]4U

    One thing I've found useful for name spoofing is a transport rule that bites on known names if the email is coming from the outside and throws it into quarantine. One downside is that you have to watch and maintain a whitelist in case someone with an identical name is trying to reach you from the outside, but at least for us, this is exceedingly rare in practice.

    So like the CEO, President, VPs, whatever.

    Make a regex like this so it's a bit fuzzy in case they do last name first name or something, or use some Unicode whitespace character.
    Some[\p{Z}\p{P}]{0,2}Name|Name[\p{Z}\p{P}]{0,2}Some