
DMARC bypass list

With DMARC you can specify an address list for which DMARC verification is excluded (DMARC global settings, bypass address list). I wonder with which field it is compared. Is it the Envelope-From or the Header From or any header which is specified in the "Mail Policy Settings" list?

Accepted Solutions

UdupiKrishna
Cisco Employee

It would be the From header, and this should answer your query - https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217036-how-to-bypass-dmarc-check-on-email-secur.html

Note: Address lists that are created with the use of full email addresses or domains only can be used to bypass DMARC verification. You can use an Address List with the option All of the above. However, entries with only domain/full email address or partial domain address will work for an exception. You will have to use the domain/full email address mentioned in the From header.


Thanks for the link and the clarification.
However, I think that is weird. The point of DMARC is that the visible sender inside the Header From cannot be trusted and should be aligned with either the Envelope From (SPF) or the domain in the DKIM signing. Using the Header From in the bypass list is in that regard a strange choice.

DMARC basically runs a check to confirm if both SPF and DKIM fall in line as far as alignment is concerned. During this stage, DMARC verification takes the From header and then verifies if the envelope sender/from matches to confirm if SPF alignment is good, and then it takes the From header again and verifies it against the "d" value in the DKIM signature. If they are the same (along with successful SPF/DKIM verification), it is confirmed to be a DMARC pass too.

It's not Cisco-specific behaviour, it's how the RFC is designed - https://datatracker.ietf.org/doc/html/rfc7489#page-8
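
The alignment check discussed in this thread, as an added example that is not part of the original posts and not Cisco's code. It shows how a bypass entry keyed on the From header changes the verdict for a message that would otherwise fail alignment. The function names, the two-label organizational-domain shortcut, the exact-match bypass semantics and the sample messages are assumptions made for illustration.

```python
from email.utils import parseaddr

def domain_of(value):
    """Lower-cased domain of an address or From header value ('' if none)."""
    return parseaddr(value)[1].rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real verifiers
    # consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(msg, aspf="r", adkim="r"):
    fd = domain_of(msg["header_from"])
    spf_ok = msg["spf_pass"] and aligned(fd, domain_of(msg["mail_from"]), aspf)
    dkim_ok = msg["dkim_pass"] and aligned(fd, msg["dkim_d"].lower(), adkim)
    # RFC 7489: one passing, aligned mechanism (SPF or DKIM) is sufficient.
    return "pass" if (spf_ok or dkim_ok) else "fail"

def verdict(msg, bypass_list):
    """Bypass entries (full address or domain) are compared with the From header."""
    addr = parseaddr(msg["header_from"])[1].lower()
    if addr in bypass_list or domain_of(msg["header_from"]) in bypass_list:
        return "bypassed"  # DMARC verification is never run
    return dmarc_result(msg)

# Constructed sample messages (not taken from any real log).
ALIGNED = {"header_from": "Billing <billing@partner.example>",
           "mail_from": "bounce@mail.partner.example", "spf_pass": True,
           "dkim_d": "partner.example", "dkim_pass": True}
UNALIGNED = {"header_from": "news@partner.example",
             "mail_from": "bounce@esp.example", "spf_pass": True,
             "dkim_d": "esp.example", "dkim_pass": True}

if __name__ == "__main__":
    for name, m in (("aligned", ALIGNED), ("unaligned", UNALIGNED)):
        print(name, dmarc_result(m), verdict(m, {"partner.example"}))
```

Because the bypass decision looks only at the From header, it is worth reviewing which listed domains regularly produce unaligned mail before adding them.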