How does dmarc work in ironport ESA?

keithsauer507
Level 5

How do you configure DMARC in the Ironport Email Security Appliance?  I have it on but according to other sites it seems more complicated than 'flipping a switch'.  I mean sites say you should have a TXT DNS record, and then there are also third parties like dmarcian.com to "subscribe to".

 

Also most say there is an email address for "reports".  Is this something I would have to create in Exchange, or is this something the IronPort would handle if I enter a fake email address in the DMARC policy and then put that same address in a DNS TXT record?  Would IronPort get these DMARC reports and process them internally without end user intervention?

 

Following this wizard here to create a DMARC TXT DNS record: https://www.unlocktheinbox.com/dmarcwizard/  What would I put for Aggregate Email RUA or Forensic Email RUF?  What about report format?  Is it required to subscribe to a third party thing?

7 Replies

DMARC is a mechanism for domains to get reporting on DKIM and SPF results for mail that appears to come from their domain, and also for them to TELL YOU what you should do if SPF/DKIM fails.

 

Under Mail Policies/DMARC/Global Settings you can also turn on reporting of results (e.g. here's how much junk you're sending me...)  If you set up a verification profile the ESA will hit DNS, get the DMARC record for the domain sending you mail, and you can CHOOSE to follow their advice.  (Basically they can tell you they think you should quarantine or reject messages that fail SPF.)

 

If you want to give others a recommendation and you want them to report to you what they're getting that appears to come from your domain, you create the TXT record.  ESA doesn't process DMARC data, you have to do that yourself, or use a service that does... (which might mean you have your reports sent to the service).

Report format is an XML file; there's a sample in the help file on the box.

We have also implemented DMARC in our organization's mail flow policy and are now checking DMARC/SPF and DKIM for all the incoming messages.

We have also done SPF/DKIM and DMARC for our domain nic.in. When we send mail to internet domains like Google, Yahoo, Hotmail, Wipro, Rediff and some other mail domains, the following are the observations:

1. Hotmail, Rediff and Wipro are checking the DMARC policy, and the header shows that SPF/DKIM and DMARC passed.

2. But when sending mail to Gmail from our domain nic.in, it is not showing the DMARC field in the header filter, but Gmail is showing the DMARC field for our one other domain.

Why is this happening? Can someone please suggest what I should do about this?

Please help.

Hello,

 

The ESA would have no control as to what headers Gmail adds to your emails. You can reach out to them or perhaps try to figure out what differences you have between this domain and the working domains. 

 

Thanks!

-Dennis M.

Thanks Dear.

 

We will coordinate with google for this.

 

 

Mukesh

I appreciated being able to send DMARC-reject results to a quarantine at first, to ensure it wasn't catching anything good. Not everyone has SPF/DKIM/DMARC configured properly, alas.

Can DMARC data be fed into Splunk and return easy to search/read data?

Yes, there are many ways this can be done.

Option a) import XML data received into the DMARC reporting mailbox
Option b) import DMARC validation verdict and authorization headers of incoming messages.

Both can be helpful
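
For Option a above, an added example (not part of the original thread, and not Cisco or Splunk code): a Python sketch that flattens a DMARC aggregate (RUA) XML report into one JSON event per source IP, a shape that a log platform can index and search. The sample report, reporter name, domain and IP addresses are constructed placeholders, and the output field names are an assumption of this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample aggregate (RUA) report; all names and IPs are placeholders.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>12</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def _text(node, path):
    """Text of a child element, or '' when the element is missing."""
    return (node.findtext(path) or "").strip()

def flatten_report(xml_text):
    """Return one flat dict per <record>, suitable for emitting as a JSON event."""
    root = ET.fromstring(xml_text)
    common = {
        "reporter": _text(root, "report_metadata/org_name"),
        "report_id": _text(root, "report_metadata/report_id"),
        "domain": _text(root, "policy_published/domain"),
        "published_policy": _text(root, "policy_published/p"),
    }
    events = []
    for rec in root.iter("record"):
        dkim, spf = (_text(rec, f"row/policy_evaluated/{k}") for k in ("dkim", "spf"))
        events.append({**common,
            "source_ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count") or 0),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim": dkim, "spf": spf,
            # DMARC passes when at least one aligned mechanism passes.
            "dmarc_pass": "pass" in (dkim, spf)})
    return events

if __name__ == "__main__":
    print("\n".join(json.dumps(e, sort_keys=True) for e in flatten_report(SAMPLE_REPORT)))
```

Aggregate reports come from outside senders, usually as compressed attachments, so decompress them first and consider a hardened parser such as defusedxml in place of xml.etree for untrusted input.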