DMARC policy rejecting emails from a bank
Problem reported by Jaime Alvarez - 10/25/2016 at 9:49 AM
We have a setup with a primary mail server and a secondary mail server.
The secondary is configured as an Incoming Gateway for the primary. 
We are having an issue with mails coming from a particular bank that are received in the secondary (backup) mail server for some reason. Servers are well configured with different values in their DNS records to show the primary with a lower value and the secondary with a higher, but anyways, the mails are received on the secondary.
The secondary server then forwards them to the primary (as it should be) and they are rejected by the primary due to 'senders DMARC policy'.  We have checked and it seems that the SPF and DKIM records of the bank's domain are both ok so DMARC should not fail... but it does.
Could this be related to the fact that the email is being received first by the secondary server?  
The emails from the bank are being rejected by our primary server for all the domains that we have hosted, not only one specific domain.  
Any suggestions on how to make this work? Thanks in advance.
A portion of the primary server SMTP log:

[2016.10.24] 14:00:34 [Backup server IP][66090138] rsp: 550 Message rejected due to senders DMARC policy

[2016.10.24] 14:00:34 [Backup server IP][66090138] A trace of the DMARC processing follows.

[2016.10.24] 14:00:34 [Backup server IP][66090138] Beginning DMARC check for nameofsender@banksdomain.com from IP Backup server IP...

[2016.10.24] 14:00:34 [Backup server IP][66090138] The from field for the message is ""sender [GCB-CCB]"<nameofsender@banksdomain.com>".  Will look for DMARC policy record at _dmarc.banksdomain.com

[2016.10.24] 14:00:34 [Backup server IP][66090138] Retrieved the following DMARC policy record for "banksdomain.com": v=DMARC1; p=reject; rua=mailto:citi@rua.agari.com,mailto:dmarc.reports.rua@citi.com

[2016.10.24] 14:00:34 [Backup server IP][66090138] DMARC: SPF failure.

[2016.10.24] 14:00:34 [Backup server IP][66090138] DMARC: Bad DKIM signature.

[2016.10.24] 14:00:34 [Backup server IP][66090138] Data transfer succeeded but message rejected by DMARC

[2016.10.24] 14:00:34 [Backup server IP][66090138] cmd: QUIT


3 Replies

Reply to Thread
Von-Austin See Replied
Employee Post
You will want to add the IP address of your Backup Server IP to the primary server's Bypass Gateway settings.
These can be found under Security -> AntiSpam Administration, then select the Bypass Gateways tab. Here, select Add IP from the menu bar and enter in the necessary information. Save these settings and you should then be set.
Adding the backup server IP to this list will cause SmarterMail to ignore this IP address and instead run the check from the next IP address in the message header.
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com
Jaime Alvarez Replied
Hi, Von.

Thanks for the response.
So as I understand, do I have to add the Ip to the primary server "Bypass Gateway" config even when the secondary its setup as a "backup server" based on the instructions that you guys have available in the documentation? Because it never mentions that we need to do this step. Thanks in advance.

Von-Austin See Replied
Employee Post

Thanks for pointing this out, it isn't necessarily required, but it will effect how your primary server performs spam checks against the messages from your backup MX.

The documentation was likely written before the bypass gateway feature was implemented. I'll ensure this gets updated with a note.
Von See Technical Support Supervisor SmarterTools Inc. (877) 357-6278 www.smartertools.com

Reply to Thread