
MAIL FROM identity alignment

ToddLeFort
Beginner

My Cisco Domain Protection appliance says that my Cisco ESA is sending out email with an identity misalignment because instead of the MAIL FROM being my company domain, it is esa.hc####-##.iphmx.com.  How do I change this so that the MAIL FROM is my company domain?

8 Replies

dmccabej
Cisco Employee

What kind of email are you referring to? Is this some sort of alert that the ESA is sending? Any details you can add?

Thanks!

-Dennis M.

ToddLeFort
Beginner

Thanks Dennis. Apologies. New guy. In our Cisco Domain Protection appliance, when I look to see if there are any SPF problems, I see that one problem is Identifier Misalignment. When I look at the details of that Identity Misalignment, that's where it tells me that the MailFrom domain must match the From domain as required by DMARC. These emails aren't failing because we have DKIM set up. But this is telling me that our own ESA appliance where all of our outbound email is going out through does not have the proper Identifier Alignment. When the email message comes out of our ESA appliance, it needs the MAIL FROM domain to be the same as our company domain and it's not. The MAIL FROM domain is the ESA appliance domain - esa.hc####-##.iphmx.com. I did receive an alert from the appliance telling me that we have an "Increase in DMARC-SPF alignment failures." Is that clearer?

Hello,

Thank you for the update. That is good information, yes. Though, what I'm more concerned about would be the content of the email itself. As in, how is this email being generated, from where, and for what purpose? If we knew how/where the email was generated, then we would know how the mail-from needs to be modified. Do you have the content of these emails? Headers perhaps? Etc?

Thanks!

-Dennis M.

ToddLeFort
Beginner

Thanks again, Dennis. Unfortunately, I am not able to see what the emails are. I'm confident that the emails are legitimate though as we are currently at P=Reject for DMARC. These messages are passing DMARC, but there is this pesky "identifier misalignment" issue. If I did nothing, all would be well. But if it's possible, I'd like to be able to correct the identifier misalignment. We have all of our third-party vendors that send email on behalf of us included in our SPF and/or DKIM. We did have one vendor where we had this "identifier misalignment" come up. In that case, the MAIL FROM was the vendor domain and we worked with the vendor to correct that. In this case, it's saying that the MAIL FROM domain that is misaligned is our own ESA appliance. So, I was thinking that it was some configuration setting within the Cisco ESA that we just overlooked.

With the ESA named like that, I assume you're using Cloud Email Security (CES), but you write like you have a single ESA. Are you in CES or on-prem?

I would agree, yes. If the mail-from name you're seeing is one of your CES hosts, then more than likely the answer is to correct or modify the configuration on the CES appliances. However, without knowing what messages are in question, it's a bit hard if not impossible to know what configuration change would need to occur to correct this behavior.

I understand the concept of identifier alignment, but we need to know the content and headers of said message in order to know where to make those corrections.

Perhaps a TAC case can be opened and we can help you take a closer look at CDP to see if we can identify additional message details?

Thanks!

-Dennis M.

ToddLeFort
Beginner

Thanks Ken.  We are using Cloud Email Security.  We have a Secure Mail Cloud Gateway C300V (ESA) appliance as well as a Secure Cloud Email and Web Manager M300V (SMA) appliance.  Additionally, we have a separate Cisco Domain Protection (DMP) appliance.  It is the DMP appliance that is reporting that the ESA appliance has the Identity Misalignment issue with regard to DMARC.

ToddLeFort
Beginner

Gentlemen, I appreciate your time and posts.  It would appear that this identity misalignment is kind of "the nature of the beast" when working with as many vendors as we do that send email on our behalf.  The emails are being sent.  They are passing DMARC, but because we are not originating the email and because these bulk mailing services have many other customers, it's virtually impossible for them to configure the MAIL FROM to alleviate the identity misalignment alerts that our domain protection appliance is reporting.  In short, it appears that these alerts are negligible.  Again, I do appreciate your time and assistance.  Many thanks!
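
Added example (not part of any reply in this thread, and not Cisco code): a minimal DMARC alignment evaluator showing why the messages discussed above pass DMARC on DKIM while still being reported as SPF identifier misalignment. Assumptions: `example.com` stands in for the company domain, `hcXXXX-XX` is a placeholder for the redacted host label, and the organizational domain is approximated as the last two labels rather than derived from the Public Suffix List.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

def org_domain(domain):
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # evaluators derive it from the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str               # RFC5322.From header, what the recipient sees
    mail_from: str                 # RFC5321.MailFrom envelope sender, what SPF checks
    spf_pass: bool                 # SPF result for the MAIL FROM domain
    dkim: dict = field(default_factory=dict)  # d= domain -> signature verified?

def evaluate(msg, aspf="r", adkim="r"):
    from_dom = parseaddr(msg.header_from)[1].rpartition("@")[2]
    mf_dom = msg.mail_from.rpartition("@")[2]
    spf_ok = msg.spf_pass and aligned(mf_dom, from_dom, aspf)
    dkim_ok = any(ok and aligned(d, from_dom, adkim) for d, ok in msg.dkim.items())
    # DMARC passes when at least one mechanism both passes and aligns.
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}

# Constructed samples; example.com and the hcXXXX-XX host label are placeholders.
GATEWAY = "bounce@esa.hcXXXX-XX.iphmx.com"
THREAD_CASE = Message("Alice <alice@example.com>", GATEWAY, True, {"example.com": True})
NO_DKIM = Message("Alice <alice@example.com>", GATEWAY, True)
SUBDOMAIN = Message("Alice <alice@example.com>", "bounce@mail.example.com", True)

if __name__ == "__main__":
    for name, msg in [("thread case", THREAD_CASE), ("no DKIM", NO_DKIM),
                      ("subdomain MAIL FROM", SUBDOMAIN)]:
        print(name, evaluate(msg))
    print("subdomain, aspf=s", evaluate(SUBDOMAIN, aspf="s"))
```

The `NO_DKIM` case shows what the misalignment alert is guarding against: if the aligned DKIM signature is ever missing or broken in transit, the same message has no aligned identifier left and fails DMARC under a reject policy.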
