Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1891
Views
0
Helpful
7
Replies

Cisco esa dmarc

ccna_security
Level 3
Level 3

‎10-03-2019 05:34 AM

dear all. when we get dmarc report i observed that some x.x.x.x ip send email on behalf of my domain. when i looked at spf verification result i saw that all failed but all dkim verification were pass. the result SPF-failed and DKIM-passed== DMARC passed and i guess all emails send to destination. 

 

Is it normal behavior?

Labels:
0 Helpful
7 Replies 7

Mathew Huynh
Cisco Employee
Cisco Employee

‎10-03-2019 04:05 PM

Hey ccns90,

 

DMARC can pass when SPF or DKIM fails, but if both fails - DMARC will show fail.

So this behaviour you noted, is by design of the DMARC functionality.

 

When this happens and you're filtering based on DMARC, then DMARC will be allowed through.

In that event the email itself is authentic but likely their SPF records needs to be reviewed and updated to ensure SPF also passed.

 

If this is not something you would like to do, you may need to generate a message/content filter to take results based on the authentication-results header for your own customization of the actions.

 

Regards,

Mathew 

0 Helpful

ccna_security
Level 3
Level 3
In response to Mathew Huynh

‎10-03-2019 11:42 PM

Hi Mathew

i did not understand clearly. google dmarc report says that lots of ip send email on behalf   of my domain and google didn't drop spf failed emails. I have only one ip address in spf record with hard fail -all. doesn't this means that if other than my legitimate ip would sent email drop it?

i am really confused 

0 Helpful

marc.luescherFRE
Spotlight
Spotlight
In response to ccna_security

‎10-07-2019 07:18 AM

Hi...

 

the best chance you have is to use a free DMARC record aggreagtro to help you pinpoint the host whoich is sending in your behalf. Check out DMARCIAN or DMARCanalyser for a free 30 day try.

 

-Marc

0 Helpful

ccna_security
Level 3
Level 3
In response to marc.luescherFRE

‎10-09-2019 01:55 AM

Thanks for all of you. but i have not got answer yet.

 

Dmarc report shows that all ip address is not compliant. some times it shows  3 or 4 threat. i understand threat that means someone really used my domain name to send fake email. but lots of ip shown on dmarc report as non-compliant. what this means? is that normal?

0 Helpful

Michael Douglas
Cisco Employee
Cisco Employee

‎10-10-2019 04:18 AM - edited ‎10-10-2019 04:19 AM

HI,

 

Here is an overview what is required to pass DMARC verification:

 DMARC.png

I know this may not answer your question entirely but hopefully this document will give you better insight how to deploy SPF, DKIM and DMARC on ESA/CES: https://www.cisco.com/c/dam/en/us/products/collateral/security/esa-spf-dkim-dmarc.pdf

 

Cheers,
Michael

 

.:|:.:|:. Michael Douglas | Designated Service Manager - Content Security | Cisco Systems
0 Helpful

Anilkumar48
Level 1
Level 1
In response to Michael Douglas

‎10-10-2019 04:51 AM

Shared link is giving an error. please check and share the correct link :)

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee
In response to Anilkumar48

‎10-10-2019 05:55 PM

Hey Anilkumar,

 

Can you give me the error you're getting as the link works for me.

 

Thanks,

Mathew

0 Helpful
Customers Also Viewed These Support Documents