|Email Plug-in (Reporting):||1.1.0-114|
|Email Plug-in (Encryption):||1.2.1-118|
We have published SPF, DKIM and DMARC and now we start getting DMARC Reports. What is strange is that there are few messages that are send with email Ironport hostname? We have some situations when we return mail reject custome message but that message is sent as MAILER-DEAMON@domain.com not as ironport.hostname.local. How can we find what message is send with ironport hostname because if we search in message tracking “sender contains ironport.hostname – nothing is found”.
<source_ip>XXX.XXX.XXX.XXX</source_ip> [this is legit IP adress of MTA]
Beside that do you have some experience with DMARC and when some other companies have some auto forwarder rule - then forwarder does not rewrite sender and then you get DMARC fail results?
We have this problem as well.
I see lines like this from the ironport log:
Delayed: DCID XXXXXX MID YYYYYY to RID 0 - 4.1.0 - Unknown address error ('450', ['4.1.8 <MAILER-DAEMON@IronPort.OURDOMAIN.com>: Sender address rejected: Domain not found']) 
I'm guessing from timing and frequency that this is actually the Ironport delivering its DMARC reports to other domains.
The only place in the config where that name is found is the Ironport host name.
You can fix this under System Administration --> Return addresses.
One of the options is the dmarc feedback address.
Found it seconds after posting the first message :)