DMARC

What is DMARC?

DMARC is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. (Source: Wikipedia)

 

Is DMARC supported with Email Rewrite Services (ERS)?

Yes, DMARC is fully supported in all ERS mail flow scenarios, either natively or through product supported methods.

| ERS MAIL FLOW | DMARC |
| --- | --- |
| Mail Sent to External Recipients | Natively Supported |
| Mail Sent to Cross-Tenant Recipients | Natively Supported |
| Mail Received from External Recipients | Product Supported |
| Mail Received from Cross-Tenant Recipients | Natively Supported |

Table 1: Supported DMARC Mail Flow Scenarios

 

What does product supported mean?

Product supported means that Power365 maintains domain authenticity through internal methods, ensuring that the message received by the originating Office 365 tenant was DMARC compliant before it is rewritten and redirected to the destination Office 365 tenant.

In other words, Power365 ERS will verify and sign the rewritten email with a secret key so that when it is received by the destination Office 365 tenant, transport rules may verify its authenticity and then deliver it to the intended user.

 

What does natively supported mean?

Natively supported means that DKIM domain alignment is achieved when an ERS rewritten email is sent or received. Therefore, DMARC will pass and the email is received without interruption by the intended recipient domain.

 

What is required for DMARC to function with ERS?

DMARC is supported natively for all ERS users when sending mail outbound to an external domain recipient or across to a neighboring Office 365 tenant. Simply choose the accepted domains in use when you configure the DKIM signatures during project setup. This ensures the required domains are signed to achieve domain alignment and pass DMARC. The project wizard will guide you through the process.

 

Why are reply emails sent to the Junk folder?

When an ERS user receives a reply email from an external user, it is rewritten back to the original email address. This disrupts domain alignment, and Exchange Online Protection will by default mark such emails as spam and deliver them to the end user's junk email folder.

 

How do I prevent ERS reply emails from being marked as spam?

It's very easy to do. Simply set up a new action in one of the ERS transport rules. When ERS is deployed in each tenant environment, transport rules are created to manage the flow of mail for ERS users only.

This new action allows only ERS validated emails to bypass spam filtering and be delivered directly to the end user's inbox.

 

How do I set up an action in my transport rule to prevent ERS reply mail going to Junk?

During this deployment, a rule named “BT-IntegrationPro-In-DKIM” is created and configured in each Office 365 tenant in scope for Email Rewrite Services.

Follow these steps to set up a new action in the ERS transport rule using the Exchange Admin Center.

  1. Log in to the Exchange Admin Center with your Exchange Online Administrator or higher role account.
  2. Navigate to Mail Flow, Rules.
  3. Locate the rule named BT-IntegrationPro-In-DKIM.
  4. Click Edit.
  5. Click Add Action.
  6. From the Do the following… field, select Modify the Message Properties.
  7. Select set the spam confidence level (SCL).
  8. Set the specify SCL value to Bypass spam filtering.
  9. Select OK.
  10. Select Save.

PowerShell may also be used to modify the rule. Here is an example.

Set-TransportRule "BT-IntegrationPro-In-DKIM" -SetSCL -1

See the Set-TransportRule documentation for more information.
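A guarded version of the command above, as an added example (not Power365's own script): it shows the rule for review, applies the SCL bypass only if the rule is enabled, then confirms the result and that the rule's priority did not move. It assumes an Exchange Online PowerShell session is already connected.

```powershell
# Added example. Assumes a connected Exchange Online PowerShell session
# (Connect-ExchangeOnline). The rule name is the one given on this page.
$ruleName = 'BT-IntegrationPro-In-DKIM'

$before = Get-TransportRule -Identity $ruleName -ErrorAction Stop

# Show what the rule matches and does, so the bypass lands on the rule you expect.
$before | Format-List Name, State, Mode, Priority, SetSCL, Description

# A spam-filter bypass is only meaningful (and only reviewable) on an active rule.
if ($before.State -ne 'Enabled') {
    throw "Rule '$ruleName' is $($before.State); not adding a bypass to it."
}

if ("$($before.SetSCL)" -eq '-1') {
    Write-Output "Rule '$ruleName' already sets SCL to -1; nothing to change."
}
else {
    Set-TransportRule -Identity $ruleName -SetSCL -1

    # Re-read the rule and confirm the action was stored.
    $after = Get-TransportRule -Identity $ruleName -ErrorAction Stop
    if ("$($after.SetSCL)" -ne '-1') {
        throw "SCL on '$ruleName' is '$($after.SetSCL)' after the change, expected -1."
    }

    # The ERS rules must keep their order, so the priority must be unchanged.
    if ($after.Priority -ne $before.Priority) {
        Write-Warning "Priority changed from $($before.Priority) to $($after.Priority)."
    }
    Write-Output "Rule '$ruleName' now bypasses spam filtering (SCL -1)."
}
```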

 

May I set additional actions to the rule such as add a disclaimer or append the subject?

Yes, additional actions are supported on this rule. For example, it may be desired that a disclaimer be added to these ERS emails informing the recipient they are safe and were rewritten by our authorized service provider. Another common example is to prepend to the subject line that this is an ERS email. This provides additional awareness to the end users receiving and sending these types of email.

If additional actions are added to this rule, please validate that the changes do not impact any functionality, and do not modify the rule order or add rules that reorder the ERS rules.

 

If this rule is deleted will it be recreated automatically?

Yes, Power365 health monitoring will recreate any rules that it created for ERS. If ERS is disabled in your project, all rules will automatically be removed from all tenant environments.

 

Will the rule be recreated with my additional actions?

No, any additional actions you may have added to the rule must be added again to the newly created rule.

 

How do I make a backup of my rules with my custom actions?

You may easily use Exchange Online PowerShell to export your rules to a CSV file as a backup. For example, here is a script that will export all rules created by Power365 during the ERS deployment.

Get-TransportRule "BT-Integration*" | Export-Csv "C:\Users\$env:USERNAME\Downloads\BT-Integration_TransportRules.csv" -NoTypeInformation
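Because a recreated rule comes back without your additional actions, a backup that can be re-applied is more useful than a CSV alone. The following added example (not Power365's own tooling) saves the custom actions discussed on this page to JSON and restores any that are missing; the backup path, the function names and the list of tracked actions are assumptions, and a connected Exchange Online PowerShell session is assumed.

```powershell
# Added example. $ruleName is from this page; $backupPath, $tracked and the
# function names are assumptions made for illustration.
$ruleName   = 'BT-IntegrationPro-In-DKIM'
$backupPath = Join-Path $env:USERPROFILE 'Downloads\BT-IntegrationPro-In-DKIM.actions.json'

# Set-TransportRule parameters for the custom actions this page mentions:
# SCL bypass, subject prefix and disclaimer.
$tracked = 'SetSCL', 'PrependSubject', 'ApplyHtmlDisclaimerText',
           'ApplyHtmlDisclaimerLocation', 'ApplyHtmlDisclaimerFallbackAction'

function Get-CustomActions {
    # Returns the tracked actions that are currently set on the rule.
    $rule    = Get-TransportRule -Identity $ruleName -ErrorAction Stop
    $actions = [ordered]@{}
    foreach ($name in $tracked) {
        $value = $rule.$name
        if ($null -ne $value -and "$value" -ne '') { $actions[$name] = "$value" }
    }
    return $actions
}

function Backup-CustomActions {
    # Run after every change to the rule's custom actions.
    Get-CustomActions | ConvertTo-Json | Set-Content -Path $backupPath -Encoding UTF8
}

function Restore-CustomActions {
    # Run after the rule has been recreated; re-applies only what differs.
    $saved   = Get-Content -Path $backupPath -Raw | ConvertFrom-Json
    $current = Get-CustomActions
    $missing = @{}
    foreach ($prop in $saved.PSObject.Properties) {
        if ($current[$prop.Name] -ne $prop.Value) { $missing[$prop.Name] = $prop.Value }
    }
    if ($missing.Count -eq 0) {
        Write-Output "Rule '$ruleName' already matches the backup."
        return
    }
    Write-Output "Re-applying: $($missing.Keys -join ', ')"
    Set-TransportRule -Identity $ruleName @missing
}
```

Call Backup-CustomActions once the rule is configured as you want it, and Restore-CustomActions after health monitoring has recreated the rule.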

 

Additional Information

Eligibility Groups

DKIM

TLS/SSL

Rules, Connectors and Groups

Diagrams