DMARC inoperable when using incoming gateway
Problem reported by Colin M - 10/7/2014 at 1:32 PM
Based on an old forum thread I found I gather that the DMARC check does not take into account if the last hop is from an Incoming Gateway and so it is possible that when using an Incoming Gateway the DMARC check will result in a fail. There is very little logging so I am not really able to conclusively prove or disprove this.
In the same forum thread it was recommended to add the gateway as a "Bypass Gateway" in the AntiSpam settings, but this causes DMARC to be completely bypassed for all mail from such IPs. This is obviously not optimal because one should not have to forgo the DMARC check just because of their internal network structure.
I believe the optimal solution would be for Incoming Gateway to be considered by the DMARC check by looking at each Received header until the first one that is not an Incoming Gateway is found and applying the DMARC check (and all other IP-based spam filters) to that IP. If it does not already work this way then I would call this a pretty serious bug.
As it stands it is very poorly documented what the difference is between Incoming Gateway (Backup MX), Incoming Gateway (Domain Forward) and Bypass Gateway with respect to spam filtering, DMARC, greylisting, etc...
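
The header walk proposed in the post above, sketched in Python as an added example (it is not part of the thread and not the mail server's own code). The gateway addresses, host names, sample message and function names are all constructed for illustration; the walk trusts a Received header only when it was written by the receiving server or by a listed gateway, and returns nothing rather than guessing when a hop cannot be parsed.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: our own incoming gateways (constructed, documentation address ranges).
TRUSTED_GATEWAYS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "2001:db8::10/128")]
_PEER = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")  # bracketed peer address

def is_gateway(ip):
    return any(ip in net for net in TRUSTED_GATEWAYS)

def peer_ip(received):
    """Peer address recorded in the 'from' clause of one Received header, else None."""
    text = " ".join(received.split())          # undo header folding
    if not text.lower().startswith("from "):
        return None
    match = _PEER.search(text.split(" by ", 1)[0])
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def dmarc_source_ip(raw_message, connecting_ip):
    """IP to use for SPF/DMARC and other IP-based checks; None means undeterminable."""
    ip = ipaddress.ip_address(connecting_ip)
    if not is_gateway(ip):
        return ip                              # direct delivery: never trust headers
    for received in message_from_string(raw_message).get_all("Received", []):
        ip = peer_ip(received)
        if ip is None:
            return None                        # unparseable hop: do not guess
        if not is_gateway(ip):
            return ip                          # first hop outside our gateways
    return None

# Constructed sample: sender -> gw1 (incoming gateway) -> final mail server.
SAMPLE = (
    "Received: from gw1.example.net (gw1.example.net [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP; Tue, 7 Oct 2014 13:00:02 +0000\n"
    "Received: from mail.sender.example (mail.sender.example [198.51.100.7])\n"
    "\tby gw1.example.net with ESMTP; Tue, 7 Oct 2014 13:00:01 +0000\n"
    "Received: from laptop (unknown [10.0.0.5])\n"
    "\tby mail.sender.example with ESMTPSA; Tue, 7 Oct 2014 13:00:00 +0000\n"
    "From: alice@sender.example\n\nbody\n"
)

if __name__ == "__main__":
    print(dmarc_source_ip(SAMPLE, "192.0.2.10"))   # 198.51.100.7
```

Headers below the first non-gateway hop are supplied by the sender and are never consulted, which is why the walk stops at `198.51.100.7` and ignores the `10.0.0.5` line.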

1 Reply

Robbie Wright Replied
Colin, I agree with all of your thoughts/statements. It is very poorly documented the difference in the different gateway types when used as a backup MX solution. We had this same issue and the way that we got it to work was to config all of our spam settings on the backup gateway and basically make all the spam checks happen there. After that, SM passes the score to the next SM server and doesn't run any checks.
