
Bypass DMARC on Cisco Ironport

Garrett Hensley
Level 1

I am trying to allow an external helpdesk ticketing system to send emails using their email server as an internal user. Basically spoofing my email address. When doing so, DMARC verification is failing (for obvious reasons). However, attempting to bypass the DMARC check for this particular domain or sender is not working. I followed the documentation here: https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217036-how-to-bypass-dmarc-check-on-email-secur.html

But, I continue to get the same results. Any suggestions on bypassing a DMARC check for a particular sender? The sender seems to have numerous sending IPs and I can't seem to find a definitive list.

Garrett

Accepted Solutions

Garrett Hensley
Level 1

My solution was to set up the software to send as our domain by adding DKIM records in our DNS. This is a better solution to the problem anyway since bypassing DMARC would allow any other sender from the vendor's domain to bypass DMARC.

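Why the vendor's mail fails DMARC and why signing with a DKIM key published under your own domain fixes it, as an added example that is not part of the thread or of Cisco's documentation: a simplified DMARC identifier-alignment check. All domains are constructed, and the organizational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
# Added example: simplified DMARC identifier-alignment check (RFC 7489 logic).
# All domains and addresses below are constructed for illustration.

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator uses the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(header_from, mail_from, spf_pass, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature verified?) tuples."""
    from_domain = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(mail_from.rsplit("@", 1)[-1], from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Ticketing system sends as an internal user from the vendor's own servers:
# SPF and DKIM both verify, but only for the vendor's domain, so nothing aligns.
BEFORE = dmarc_result("alice@corp.example", "bounce@mail.helpdesk-vendor.example",
                      True, [("helpdesk-vendor.example", True)])

# After publishing a DKIM key under corp.example and having the vendor sign
# with d=corp.example, the DKIM identifier aligns with the From: domain.
AFTER = dmarc_result("alice@corp.example", "bounce@mail.helpdesk-vendor.example",
                     True, [("helpdesk-vendor.example", True), ("corp.example", True)])

# Mail from any other sender on the vendor's infrastructure carries no
# corp.example signature, so it still fails; a gateway bypass would exempt it.
OTHER_SENDER = dmarc_result("ceo@corp.example", "bounce@mail.helpdesk-vendor.example",
                            True, [("helpdesk-vendor.example", True)])

if __name__ == "__main__":
    for name, r in (("before", BEFORE), ("after", AFTER), ("other sender", OTHER_SENDER)):
        print(f"{name:13} {r}")
```
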

8 Replies

In Mail Policies/DMARC, click the Edit Global Settings button; you can do it two ways.

1. Create an address list under Mail Policies/Address Lists, and set that list as the Specific Senders Bypass Address list.

2. Put specific headers for it to look for in the "Bypass verification for messages with headers".

You could also do it in the Host Access Table, by creating a sender group with the IPs that are sending this mail, and then creating a Mail Flow Policy that doesn't check DMARC...

 

Number 1 above is the easiest way

Thanks @Ken Stieers

The first way is what the document I posted says to do. However, it does not do what I expected; the DMARC check still fails. I haven't tried the header method yet.

I have used the HAT to do this very thing and was successful. However, this sender does not have a published list of IP addresses and I was already up to 4 when I decided that wasn't a viable method. 

 

Hey Garrett,
What things are in your address list? The list type can be "all of the above", but for this it can ONLY be domains or email addresses, it can't have any IPs in it.
Ken

Yes, I did catch that in the documentation. To make sure, I created a new address list just for DMARC. I set the list type to Domains only and added domains either in the format @mydomain.com or @.no.itsnot.com.


Hello @Ken Stieers 

Is there some documentation and an example for 2. "put specific headers for it to look for in the 'Bypass verification for messages with headers'"?

I'm searching for the correct syntax to bypass based on Envelope Recipients.

Thanks,

Yannick

In Mail Policies/DMARC, click on Edit Global Settings; the second option down is where you can put the header names.
This is for headers that exist, not what their values may be.
For specific senders, you can use the Exception list. Create an Address List under Mail Policies/Address List.

BenicioJustice
Level 1

Bypassing DMARC checks for a specific sender requires a careful approach to address alignment issues and ensure proper authentication methods like DKIM and SPF are correctly configured. If the provided Cisco documentation is not yielding the desired results, consider verifying the sender's alignment, checking their DMARC policy, and inspecting DKIM signatures.
