10-12-2022 05:30 AM
With DMARC you can specify an address list for which DMARC verification is excluded (DMARC global settings, bypass address list). I wonder with which field it is compared. Is it the Envelope-From or the Header From or any header which is specified in the "Mail Policy Settings" list?
10-14-2022 02:34 AM
It would be the from header and this should answer your query - https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217036-how-to-bypass-dmarc-check-on-email-secur.html
Note: Address lists that are created with the use of full email addresses or domains only can be used to bypass DMARC verification. You can use an Address List with the option All of the above. However, entries with only domain/full email address or partial domain address will work for an exception. You will have to use the domain/full email address mentioned in the From header.
10-17-2022 12:10 AM
Thanks for the link and the clarification.
However, I think that is weird. The point of DMARC is that the visible sender inside the Header From cannot be trusted and should be aligned with either the Envelope From (SPF) or the domain in the DKIM signing. Using the Header From in the bypass list is in that regard a strange choice.
10-17-2022 06:05 AM - edited 10-17-2022 06:05 AM
DMARC basically runs a check to confirm if both SPF and DKIM fall in line as far as alignment is concerned. During this stage, DMARC verification takes the From header and then verifies if the envelope sender/from matches to confirm if SPF alignment is good, and then it takes the From header again and verifies it against the "d" value in the DKIM signature. If they are the same (along with successful SPF/DKIM verification), it is confirmed to be a DMARC pass too.
It's not Cisco-specific behaviour, it's how the RFC is designed - https://datatracker.ietf.org/doc/html/rfc7489#page-8
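The following is an added example, not part of the thread and not Cisco's code. It models RFC 7489 relaxed identifier alignment next to a bypass list keyed on the Header From, so an administrator can see which messages would skip a check they would otherwise fail. The function names, sample messages and domains are constructed; the bypass matching and the two-label organizational domain are simplifying assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain approximated as the last two labels.
    # RFC 7489 section 3.2 derives it from the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_dom, auth_dom, strict=False):
    # Strict mode needs an exact match, relaxed mode the same organizational domain.
    if strict:
        return header_dom.lower() == auth_dom.lower()
    return org_domain(header_dom) == org_domain(auth_dom)

def evaluate(raw, mail_from, spf_pass, dkim_pass_domains, bypass):
    """Return (header_from_domain, bypassed, dmarc_pass) for one message.

    mail_from is the envelope sender, spf_pass the SPF result for it and
    dkim_pass_domains the d= values of signatures that verified.
    bypass is a set of full addresses or domains (hypothetical model of an
    address list compared against the Header From).
    """
    msg = message_from_string(raw)
    addr = parseaddr(msg["From"])[1].lower()
    hdr_dom = addr.rpartition("@")[2]
    bypassed = addr in bypass or hdr_dom in bypass
    spf_ok = spf_pass and aligned(hdr_dom, mail_from.rpartition("@")[2])
    dkim_ok = any(aligned(hdr_dom, d) for d in dkim_pass_domains)
    # RFC 7489: one aligned, passing mechanism is enough for a DMARC pass.
    return hdr_dom, bypassed, spf_ok or dkim_ok

# Constructed sample messages (not real traffic).
LEGIT = "From: Billing <billing@partner.example>\nSubject: Invoice\n\nbody\n"
UNALIGNED = "From: Billing <billing@partner.example>\nSubject: Invoice\n\nbody\n"
BYPASS = {"partner.example"}

if __name__ == "__main__":
    # Envelope sender and DKIM d= both belong to partner.example: aligned.
    print(evaluate(LEGIT, "bounce@mail.partner.example", True,
                   ["partner.example"], BYPASS))
    # Same visible From, but SPF and DKIM authenticate other.example only.
    # DMARC would fail, yet the bypass entry means the check is never applied.
    print(evaluate(UNALIGNED, "bounce@other.example", True,
                   ["other.example"], BYPASS))
```

Messages reported as `bypassed=True, dmarc_pass=False` are the ones the bypass entry exempts on the strength of the Header From alone, which is a useful list to review before adding a domain to the address list.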