04-06-2022 06:17 AM
My Cisco Domain Protection appliance says that my Cisco ESA is sending out email with an identity misalignment because instead of the MAIL FROM being my company domain, it is esa.hc####-##.iphmx.com. How do I change this so that the MAIL FROM is my company domain?
04-06-2022 07:41 AM
What kind of email are you referring to? Is this some sort of alert that the ESA is sending? Any details you can add?
Thanks!
-Dennis M.
04-06-2022 08:50 AM
Thanks Dennis. Apologies. New guy. In our Cisco Domain Protection appliance, when I look to see if there are any SPF problems, I see that one problem is Identifier Misalignment. When I look at the details of that Identity Misalignment, that's where it tells me that the MailFrom domain must match the From domain as required by DMARC. These emails aren't failing because we have DKIM set up. But this is telling me that our own ESA appliance where all of our outbound email is going out through does not have the proper Identifier Alignment. When the email message comes out of our ESA appliance, it needs the MAIL FROM domain to be the same as our company domain and it's not. The MAIL FROM domain is the ESA appliance domain - esa.hc####-##.iphmx.com. I did receive an alert from the appliance telling me that we have an "Increase in DMARC-SPF alignment failures." Is that clearer?
04-06-2022 10:28 AM
Hello,
Thank you for the update. That is good information, yes. Though, what I'm more concerned about would be the content of the email itself. As in, how is this email being generated, from where, and for what purpose? If we knew how/where the email was generated, then we would know how the mail-from needs to be modified. Do you have the content of these emails? Headers perhaps? Etc?
Thanks!
-Dennis M.
04-06-2022 11:12 AM
Thanks again, Dennis. Unfortunately, I am not able to see what the emails are. I'm confident that the emails are legitimate though as we are currently at P=Reject for DMARC. These messages are passing DMARC, but there is this pesky "identifier misalignment" issue. If I did nothing, all would be well. But if it's possible, I'd like to be able to correct the identifier misalignment. We have all of our third-party vendors that send email on behalf of us included in our SPF and/or DKIM. We did have one vendor where we had this "identifier misalignment" come up. In that case, the MAIL FROM was the vendor domain and we worked with the vendor to correct that. In this case, it's saying that the MAIL FROM domain that is misaligned is our own ESA appliance. So, I was thinking that it was some configuration setting within the Cisco ESA that we just overlooked.
04-06-2022 11:19 AM
04-06-2022 11:50 AM
I would agree, yes. If the mail-from name you're seeing is one of your CES hosts, then more than likely the answer is to correct or modify the configuration on the CES appliances. However, without knowing what messages are in question, it's a bit hard if not impossible to know what configuration change would need to occur to correct this behavior.
I understand the concept of identifier alignment, but we need to know the content and headers of said message in order to know where to make those corrections.
Perhaps a TAC case can be opened and we can help you take a closer look at CDP to see if we can identify additional message details?
Thanks!
-Dennis M.
04-06-2022 11:43 AM
Thanks Ken. We are using Cloud Email Security. We have a Secure Mail Cloud Gateway C300V (ESA) appliance as well as a Secure Cloud Email and Web Manager M300V (SMA) appliance. Additionally, we have a separate Cisco Domain Protection (DMP) appliance. It is the DMP appliance that is reporting that the ESA appliance has the Identity Misalignment issue with regard to DMARC.
04-06-2022 12:01 PM
Gentlemen, I appreciate your time and posts. It would appear that this identity misalignment is kind of "the nature of the beast" when working with as many vendors as we do that send email on our behalf. The emails are being sent. They are passing DMARC, but because we are not originating the email and because these bulk mailing services have many other customers, it's virtually impossible for them to configure the MAIL FROM to alleviate the identity misalignment alerts that our domain protection appliance is reporting. In short, it appears that these alerts are negligible. Again, I do appreciate your time and assistance. Many thanks!
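The alignment behaviour discussed in this thread (SPF identifier misaligned, DMARC still passing through aligned DKIM), as an added example that is not part of any post and is not Cisco code. It assumes `example.com` as the company domain, a placeholder for the redacted gateway hostname, and a simplified organizational-domain rule in place of the Public Suffix List.

```python
# Added example: DMARC identifier alignment (RFC 7489 semantics).
# All domains are constructed samples; example.com stands in for the company domain.

def org_domain(domain):
    # Assumption/simplification: organizational domain = last two labels.
    # A real evaluator derives this from the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(header_from, mail_from, spf_result, dkim_sigs, aspf="r", adkim="r"):
    """header_from / mail_from are domains; dkim_sigs is a list of (d= domain, result)."""
    spf_aligned = aligned(mail_from, header_from, aspf)
    # SPF only counts toward DMARC if it passes AND the MAIL FROM domain aligns.
    spf_ok = spf_result == "pass" and spf_aligned
    # DKIM counts if any passing signature has an aligned d= domain.
    dkim_ok = any(r == "pass" and aligned(d, header_from, adkim) for d, r in dkim_sigs)
    return {
        "spf_aligned": spf_aligned,
        "dmarc_spf": spf_ok,
        "dmarc_dkim": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }

GATEWAY = "esa.hc0000-00.iphmx.com"  # placeholder for the redacted hostname in the thread

# Situation reported in the thread: gateway hostname in MAIL FROM, DKIM signed as company.
THREAD_CASE = evaluate_dmarc("example.com", GATEWAY, "pass", [("example.com", "pass")])

# Same message without an aligned DKIM signature: nothing left to satisfy DMARC.
NO_DKIM = evaluate_dmarc("example.com", GATEWAY, "pass", [])

# Hypothetical: envelope sender on a company subdomain (bounce.example.com is made up).
SUBDOMAIN_RELAXED = evaluate_dmarc("example.com", "bounce.example.com", "pass", [])
SUBDOMAIN_STRICT = evaluate_dmarc("example.com", "bounce.example.com", "pass", [], aspf="s")

if __name__ == "__main__":
    for name in ("THREAD_CASE", "NO_DKIM", "SUBDOMAIN_RELAXED", "SUBDOMAIN_STRICT"):
        print(name, globals()[name])
```

The `NO_DKIM` case is the practical risk behind the alert: with the envelope sender misaligned, DMARC at `p=reject` depends entirely on the DKIM signature surviving in transit.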