DMARC policy rejecting emails from a bank
Problem reported by Jorge Euran - October 25, 2016 at 9:49 AM
We have a setup with a primary mail server and a secondary mail server.
The secondary is configured as an Incoming Gateway for the primary. 
 
We are having an issue with mails coming from a particular bank that are received in the secondary (backup) mail server for some reason. Servers are well configured with different values in their DNS records to show the primary with a lower value and the secondary with a higher, but anyways, the mails are received on the secondary.
 
The secondary server then forwards them to the primary (as it should be) and they are rejected by the primary due to 'senders DMARC policy'.  We have checked and it seems that the SPF and DKIM records of the bank's domain are both ok so DMARC should not fail... but it does.
 
Could this be related to the fact that the email is being received first by the secondary server?  
The emails from the bank are being rejected by our primary server for all the domains that we have hosted, not only one specific domain.  
 
Any suggestions on how to make this work? Thanks in advance.
 
A portion of the primary server SMTP log:
 
[2016.10.24] 14:00:34 [Backup server IP][66090138] rsp: 550 Message rejected due to senders DMARC policy
[2016.10.24] 14:00:34 [Backup server IP][66090138] A trace of the DMARC processing follows.
[2016.10.24] 14:00:34 [Backup server IP][66090138] Beginning DMARC check for nameofsender@banksdomain.com from IP Backup server IP...
[2016.10.24] 14:00:34 [Backup server IP][66090138] The from field for the message is ""sender [GCB-CCB]"<nameofsender@banksdomain.com>".  Will look for DMARC policy record at _dmarc.banksdomain.com
[2016.10.24] 14:00:34 [Backup server IP][66090138] Retrieved the following DMARC policy record for "banksdomain.com": v=DMARC1; p=reject; rua=mailto:citi@rua.agari.com,mailto:dmarc.reports.rua@citi.com
[2016.10.24] 14:00:34 [Backup server IP][66090138] DMARC: SPF failure.
[2016.10.24] 14:00:34 [Backup server IP][66090138] DMARC: Bad DKIM signature.
[2016.10.24] 14:00:34 [Backup server IP][66090138] Data transfer succeeded but message rejected by DMARC
[2016.10.24] 14:00:34 [Backup server IP][66090138] cmd: QUIT

Von-Austin See Replied
Employee Post
Jorge,
 
You will want to add the IP address of your Backup Server IP to the primary server's Bypass Gateway settings.
 
These can be found under Security -> AntiSpam Administration, then select the Bypass Gateways tab. Here, select Add IP from the menu bar and enter in the necessary information. Save these settings and you should then be set.
 
Adding the backup server IP to this list will cause SmarterMail to ignore this IP address and instead run the check from the next IP address in the message header.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
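
The behaviour described in the reply above (skip a bypass gateway and evaluate the next IP address in the message header), sketched as an added example that is not SmarterMail's code and not part of the original thread. The function names, the sample message and all IP addresses are constructed assumptions. The walk stops at the first hop that is not a listed gateway, because Received headers below that point were written by hosts you do not control.

```python
import email
import ipaddress
import re

# Bracketed client address as recorded by the receiving MTA, e.g. "(name [192.0.2.10])"
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def received_from_ip(header_value):
    """Return the client IP in the 'from' clause of one Received header, or None."""
    from_part = re.split(r"\sby\s", header_value, maxsplit=1)[0]
    for candidate in _BRACKET_IP.findall(from_part):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # bracketed text that is not an IP literal
    return None

def ip_for_spf(raw_message, connecting_ip, bypass_gateways):
    """Pick the IP that SPF (and so DMARC) should be evaluated against.

    Received headers are read newest first. A header is only believed when
    the hop that wrote it is a listed bypass gateway.
    """
    trusted = {ipaddress.ip_address(ip) for ip in bypass_gateways}
    current = ipaddress.ip_address(connecting_ip)
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        if current not in trusted:
            break  # first untrusted hop: this is the sender to evaluate
        upstream = received_from_ip(header)
        if upstream is None:
            break  # unparseable header: keep the gateway IP, SPF fails closed
        current = upstream
    return current

# Constructed sample: the bank's server delivered to the backup MX (198.51.100.7),
# which then relayed the message to the primary.
SAMPLE = (
    "Received: from mail.bank.example (mail.bank.example [203.0.113.25])\n"
    "\tby backup.example.net with ESMTP; Mon, 24 Oct 2016 14:00:30 -0400\n"
    "Received: from internal.bank.example ([10.1.2.3])\n"
    "\tby mail.bank.example; Mon, 24 Oct 2016 14:00:29 -0400\n"
    "From: sender <nameofsender@bank.example>\n"
    "Subject: constructed sample\n\nbody\n"
)

if __name__ == "__main__":
    print(ip_for_spf(SAMPLE, "198.51.100.7", []))                # gateway not listed
    print(ip_for_spf(SAMPLE, "198.51.100.7", ["198.51.100.7"]))  # gateway listed
```

With the gateway not listed, the check runs against the backup server's own address, which the bank's SPF record does not authorize; with it listed, the check runs against the address the bank's server connected from.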
