Hello, 

Looking at the header of this message you will want to look at the X-SmarterMail headers. 

The issue here is with the DMARC record. Weather the Return-Path or the From address is used is based on weather or not DMARC passes. In this case I am betting the "Return-Path" is not in the Trusted senders list. 

This was recently implemented and we have some more details on how this works here ( https://portal.smartertools.com/kb/a3501/dmarc-in-simple-terms.aspx ). 

A good place to review this is the SMTP logs on the server. Using the Message ID you can trace this backwards. 

Search the Delivery Logs for "0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000"

This will provide a session ID number. You can then search the SMTP log for this number with "Display Related Traffic" enabled to get the full SMTP session. 

Please let me know if you have any questions.

Thank you 

~Tony

I did as you said and pulled the Delivery Logs for that and pasted them below. It delivers to two addresses in my domain. Looking through the logs, there is no return-path or from address that specifies the original sender. Only the amazonses address is listed. The original sender is included in the headers for the message. This seems bad. Trusted users and domains shouldn't have to have DMARC set up correctly to bypass junk filters. It would be one thing if it failed but in this case it isn't setup.

[2023.12.11] 08:11:00.335 [31506875] Delivery started for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com at 8:11:00 AM
[2023.12.11] 08:11:03.335 [31506875] Added to SpamCheckQueue (0 queued; 1/25 processing)
[2023.12.11] 08:11:03.335 [31506875] [SpamCheckQueue] Begin Processing.
[2023.12.11] 08:11:03.335 [31506875] Blocked Sender Checks started.
[2023.12.11] 08:11:03.335 [31506875] Blocked Sender Checks completed.
[2023.12.11] 08:11:03.382 [31506875] Spam Checks started.
[2023.12.11] 08:11:03.491 [31506875] Finished running spam checks. Time (non-rbls): 116ms, Time (URIBL/RBLS): 0ms
[2023.12.11] 08:11:03.491 [31506875] Spam Check results: [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [CBL - ABUSE SEAT: 0], [HOSTKARMA - BLACKLIST, HOSTKARMA - BROWNLIST: 0], [SORBS - ABUSE, SORBS - DYNAMIC IP, SORBS - PROXY, SORBS - SOCKS: 0], [SORBS - SMTP: 0], [PROTECTED SKY: REJECT, PROTECTED SKY results 0], [SPAMRATS: 0], [TRUNCATE: 0], [UCEPROTECT LEVEL 2: 0], [SORBS  - SPAM: 15], [BARRACUDA - BRBL: 0], [UCEPROTECT LEVEL 1: 0], [PSBL: 0], [UCEPROTECT LEVEL 3: 0], [VIRUS RBL - MSRBL: 0], [SPAMCOP: 30], [SPAMHAUS - CBL, SPAMHAUS - CSS, SPAMHAUS - PBL, SPAMHAUS - PBL2, SPAMHAUS - SBL, SPAMHAUS - XBL, SPAMHAUS - XBL2: 0], [_DMARC: 0,none], [_INTERNALSPAMASSASSIN: 0.2:0], [_DKIM: -5,Pass], [URIBL - BLACK, URIBL - GREY, URIBL - MULTI, URIBL - RED: 0], [SURBL - SPAMASSASSIN: 0], [SURBL - ABUSE BUSTER, SURBL - JWSPAMSPY, SURBL - MALWARE, SURBL - SPAMCOP: 0]
[2023.12.11] 08:11:03.491 [31506875] Spam Checks completed.
[2023.12.11] 08:11:03.788 [31506875] Removed from SpamCheckQueue (0 queued or processing)
[2023.12.11] 08:11:06.335 [31506875] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2023.12.11] 08:11:06.335 [31506875] [LocalDeliveryQueue] Begin Processing.
[2023.12.11] 08:11:06.335 [31506875] Starting local delivery to wife@myaccount
[2023.12.11] 08:11:06.897 [31506875] Process delivery status notification step from local recipient success. Recipient: [wife@myaccount], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2023.12.11] 08:11:06.897 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to wife@myaccount has completed (Delivered) Filter: Spam (Weight: 40), Action (Global Level): PrefixSubject
[2023.12.11] 08:11:06.897 [31506875] End delivery to wife@myaccount (MessageID: <0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@email.amazonses.com>)
[2023.12.11] 08:11:06.897 [31506875] Starting local delivery to me@myaccount
[2023.12.11] 08:11:06.913 [31506875] Process delivery status notification step from local recipient success. Recipient: [me@myaccount], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2023.12.11] 08:11:06.913 [31506875] Delivery for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com to me@myaccount has completed (Delivered to Junk Email) Filter: Spam (Weight: 40), Action (User Level): MoveToFolder
[2023.12.11] 08:11:06.913 [31506875] End delivery to me@myaccount (MessageID: <0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@email.amazonses.com>)
[2023.12.11] 08:11:06.913 [31506875] Removed from LocalDeliveryQueue (0 queued or processing)
[2023.12.11] 08:11:09.335 [31506875] Removing Spool message: Killed: False, Failed: False, Finished: True
[2023.12.11] 08:11:09.335 [31506875] Delivery finished for 0100018c5934db86-d9b911c1-433c-4aa2-8448-345f6bb06674-000000@amazonses.com at 8:11:09 AM    [id:31506875]

I just did an MX Lookup on mxtoolbox.com for the sending domain and they do have a DMARC record specified with DMARC Quarantine/Reject policy enabled.

Hello, Now you want to take the delivery session Id (31506875) and search the SMTP logs. This will show the information we are looking for. Thank you

Tried that but got, No Results. Expanded the search dates but that didn't help. Looking at the SMTP log, it only has Connected and Disconnected entries like:

[2023.12.11] 17:55:19.185 [80.94.95.181][37208738] connected at 12/11/2023 5:55:19 PM
[2023.12.11] 17:55:19.716 [141.98.11.68][16332644] disconnected at 12/11/2023 5:55:19 PM

David, 

This is indicating that the SMTP log level is most likely set to Normal, you will want to adjust this log level to be detailed to get the information we are looking for. Once you change this any new connections will show we are looking for. 

This log by default is set to Detailed so at one point one of the admins changed this to be normal. For Troubleshooting purposes I would make sure that the below logs are always set to detailed. 

Administrative

Error

SMTP 

Delivery

Spam Checks

Thank you

~Tony