
IronPort AsyncOS: after enabling DMARC check, Non-Delivery Report does not pass DMARC check

MBal
Level 1

Hello, I am trying to implement DMARC check in IronPort AsyncOS.

After enabling DMARC check, Non-Delivery Reports do not pass the DMARC check, because the NDR sender is (empty). All normal e-mails can pass DMARC verification.

Is there any way to allow NDR emails to bypass the DMARC check?

I have already spent a lot of time on this problem; there is almost no information about it available on the internet.

Here are the log records for one NDR that was quarantined to DMARC.

20 Oct 2020 16:44:11 (GMT +01:00) Incoming connection (ICID 12353948) has sender_group: RELAYLIST, sender_ip: 87.245.245.180 and sbrs: 2.7
20 Oct 2020 16:44:11 (GMT +01:00) Protocol SMTP interface Data (IP 87.245.245.188) on incoming connection (ICID 12353948) from sender IP 87.245.245.180. Reverse DNS host None verified no.
20 Oct 2020 16:44:11 (GMT +01:00) (ICID 12353948) RELAY sender group RELAYLIST match 87.245.245.180 SBRS 2.7 sender IP 87.245.245.180 country Lithuania
20 Oct 2020 16:44:11 (GMT +01:00) Incoming connection (ICID 12353948) successfully accepted TLS protocol TLSv1.2 cipher ECDHE-RSA-AES128-SHA256.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 Sender Domain:
20 Oct 2020 16:44:11 (GMT +01:00) Start message 13228767 on incoming connection (ICID 12353948).
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 enqueued on incoming connection (ICID 12353948) from .
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 direction: outgoing
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 on incoming connection (ICID 12353948) added recipient (shoffmann@news.era.int).
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 scanned by engine SPF Verdict Cache using cached verdict.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 SPF: mailfrom identity None
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767: DMARC Message from domain enterprise.lt, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is quarantine
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767: DMARC verification failed. Message sent to quarantine.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 contains message ID header '<4fb3f5e5-3f4a-45de-aa9e-c1f779a75fe7@TS.GOV.LV>'.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 original subject on injection: Undeliverable: [SUSPECTED SPAM] Artificial Intelligence (AI) and the Criminal Justice System
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 (59375 bytes) from ready.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 has sender_group: RELAYLIST, sender_ip: 87.245.245.180 and sbrs: 2.7
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 matched per-recipient policy Data domains for outbound mail policies.
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 scanned by Anti-Virus engine. Final verdict: Negative
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 scanned by Outbreak Filters. Verdict: Negative
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 quarantined to DMARC. DMARC verification failure

Libin Varghese
Cisco Employee

The DMARC check can be bypassed based on either an address list or specific headers, which you can try out.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_010110.html#task_1226758

Regards,

Libin
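
Before choosing what to bypass, it helps to know how many DMARC quarantines are null-sender bounces like the one in the question. The Python sketch below is an added example, not part of the original thread or of Cisco's tooling. It assumes the tracking-line format quoted in the question; message 13228800 and `example.org` are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the message-tracking format quoted in the question.
# Message 13228767 mirrors the poster's NDR; 13228800 is invented for contrast.
SAMPLE_LOG = """\
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 enqueued on incoming connection (ICID 12353948) from .
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767: DMARC Message from domain enterprise.lt, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is quarantine
20 Oct 2020 16:44:11 (GMT +01:00) Message 13228767 quarantined to DMARC. DMARC verification failure
20 Oct 2020 16:45:02 (GMT +01:00) Message 13228800 enqueued on incoming connection (ICID 12353990) from alice@example.org.
20 Oct 2020 16:45:02 (GMT +01:00) Message 13228800: DMARC Message from domain example.org, DMARC fail, (SPF aligned False, DKIM aligned False) DMARC policy is reject, applied policy is quarantine
20 Oct 2020 16:45:02 (GMT +01:00) Message 13228800 quarantined to DMARC. DMARC verification failure
"""

# The null sender shows up as an empty field in the quoted log; accepting
# "<>" as well is an assumption about how other views may render it.
ENQ = re.compile(r"Message (\d+) enqueued on incoming connection "
                 r"\(ICID \d+\) from <?([^>\s]*)>?\.$")
DMARC = re.compile(r"Message (\d+): DMARC Message from domain (\S+), "
                   r"DMARC (\w+), \(SPF aligned (\w+), DKIM aligned (\w+)\)")
QUAR = re.compile(r"Message (\d+) quarantined to DMARC")


def triage(log_text):
    """Return {message_id: details} for every message that failed DMARC."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        if m := ENQ.search(line):
            msgs[m[1]]["sender"] = m[2]          # "" means null sender
        elif m := DMARC.search(line):
            msgs[m[1]].update(from_domain=m[2], verdict=m[3])
        elif m := QUAR.search(line):
            msgs[m[1]]["quarantined"] = True
    return {
        mid: {"from_domain": d["from_domain"],
              "null_sender": d.get("sender") == "",
              "quarantined": d.get("quarantined", False)}
        for mid, d in msgs.items() if d.get("verdict") == "fail"
    }


def bounce_domains(log_text):
    """Count DMARC-quarantined bounces (null sender) per header From domain."""
    return Counter(d["from_domain"] for d in triage(log_text).values()
                   if d["null_sender"] and d["quarantined"])


if __name__ == "__main__":
    print(dict(bounce_domains(SAMPLE_LOG)))
```

Failures with a non-empty envelope sender are left out of the count, so they stay visible as ordinary DMARC failures rather than being folded into the bounce case.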